DIOCESE OF PARRAMATTA PRIVACY POLICY

1.           INTRODUCTION AND PURPOSE

The Diocese of Parramatta (the Diocese) conducts a range of activities in order to fulfil its mission of proclaiming the Good News of Jesus Christ. In conducting these activities, the Diocese collects personal information. Collecting personal information enables the Diocese to minister to the faithful and to fulfil its canonical and civil law obligations under the Code of Canon Law and under the Civil Law (both State and Commonwealth).

The Diocese is committed to protecting the privacy and confidentiality of any information which is collected and stored. This policy provides guidance on legal obligations and ethical expectations in relation to privacy and confidentiality.  The Diocese is bound by the Australian Privacy Principles (APPs) contained in the Commonwealth Privacy Act 1988 (Cth) (Privacy Act), the Privacy Amendment (Private Sector) Act 2000, and the New South Wales Privacy and Personal Information Protection Act 1998. In relation to health records, the Diocese is also bound by the New South Wales Privacy Principles which are contained in the Health Records and Information Privacy Act 2002 (Health Records Act).

This document outlines the ways in which the Diocese collects, uses, manages, stores, disseminates and disposes personal information.

2.           SCOPE

2.1          People

This policy applies to the Diocese and to its agencies, ministries, parishes and organisations, which are part of that juridical person except those having their own privacy policies, which have been approved by the Trustees of the Diocese (excluding Catholic Education Diocese of Parramatta and Catholic Diocese of Parramatta Services Ltd.).

Other separate juridical persons which are subject to the authority of the Bishop of Parramatta and which are bound by the Act and the Australian Privacy Principles are requested to draft privacy policies consistent with the civil law and their own particular circumstances and to seek the advice of the Chancery Office in relation to them prior to adoption.

This policy applies to:

• Clergy;
• Employees;
• Parishioners;
• Volunteers;
• Contractors and subcontractors;
• Prospective employees of the Diocese;
• Members of the general public; and
• Any other parties to whom the Act applies.

Hereby known as “personnel” for the purposes of this policy.

2.2          Information

The types of personal information the Diocese collects and how it is collected is largely dependent upon whose information is being collected and the purpose of collection, however in general terms the legislation covers the following:

 

1. Personal information. This is information or an opinion, whether true or false and whether or not recorded in material form, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion. It includes names, addresses and other contact details, dates of birth, next of kin details, financial information, photographic images and attendance records. This policy does not apply to personal information collected prior to 21 December 2001.

2. Sensitive information. This is information or an opinion about a person’s:

• Racial or ethnic origin;
• Religious beliefs or affiliations;
• Philosophical beliefs;
• Membership of a professional or trade association;
• Sexual preferences or practices; and
• Criminal record.

3. Health information. This is information including medical records, disabilities, immunisation details, individual health care plans, counselling reports, nutrition and dietary requirements.

2.3          Records

This policy applies to all records, including electronic and digital records held by the Diocese including CCTV, voicemails and other sound encodings.

3.           RELATED DOCUMENTS

• Privacy Act 1988;
• Privacy Amendment (Notifiable Data Breaches) Act 2017;
• Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act);
• Privacy Incident and Data Breach Response Procedure;
• Privacy, Confidentiality and Information Security Policy; – should these be separated?
• Acceptable Use of Electronic Communication Systems and Devices Policy;
• Data Governance Programme and Framework;
• Collection Notice; and
• Records Management System Policy

4.           RESPONSIBILITIES

Everyone has a responsibility to ensure privacy.

The following outlines the responsibilities of the Bishop, Parish Priests, Chief of Operations and Finance, Heads, Directors, Managers and other employees relating to privacy and confidentiality:

4.1           Bishop of the Diocese of Parramatta

• Be familiar with the Diocese’s legislative requirements regarding privacy and the collection, storage and use of personal information;
• Understand the Diocese’s ethical standards with regards to the treatment of other confidential information relating to the Diocese, its parishioners, employees, clients and stakeholders;
• Ensure that the Diocese develops, implements, and maintains effective systems, policies, and procedures for achieving compliance with the relevant federal and state privacy laws; and
• Endorse and comply with this policy and associated procedures.

4.2           Parish Priests and management of the Diocese of Parramatta

• Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information;
• Understand the Diocese’s ethical standards with regards to the treatment of other confidential information relating to clergy, employees and stakeholders;
• Ensure systems are in place across the organisation to adequately protect the privacy of personal information and confidentiality of other sensitive information;
• Act in accordance with Diocesan processes in place to protect privacy, confidentiality, and information security; and
• Comply with this policy and associated procedures.

4.3           Employees of the Diocese of Parramatta

• Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information;
• Understand the organisation’s ethical standards with regards to the treatment of other confidential information relating to clergy, employees and stakeholders;
• Act in accordance with Diocesan processes in place to protect privacy, confidentiality and information security;
• Should only access personal or sensitive information which is relevant to their role. Any personnel accessing of information outside work requirements is subject to disciplinary action; and
• Comply with this policy and associated procedures.

4.4           Data Governance Committee

• Review privacy complaints on a quarterly basis and assess the actions taken to rectify the complaint;
• Recommend controls; and
• Be responsible for and coordinate the Data Breach Response Policy and Procedure.

4.5           Risk Management

The Diocese’s Risk Management Unit will:

• Monitor information security risks and controls by reviewing the outcomes of information security management processes.
• Monitor emerging risks.
• Oversee the adequacy of information security capability and controls; and
• Report to Diocesan Audit and Enterprise Risk Committee.

5.           PRINCIPLES

We ensure that:

• Information is used in an ethical and responsible manner;
• We operate in a consistent, cautious and thorough manner in the way that information about personnel is recorded, stored and managed;
• All individuals have legislated rights to privacy of personal information; and
• All personnel are to have an appropriate level of understanding regarding how to meet the organisation’s legal and ethical obligations to ensure privacy and confidentiality.

 

6.           PRIVACY AND CONFIDENTIALITY

We are bound by the Australian Privacy Principles in the Privacy Act 1988 (Privacy Act). All personal information that is collected is handled in accordance with the Australian Privacy Principles.

6.1           Collection of Information

We will only collect information that is necessary. We may collect and hold personal information, including health information and other sensitive information about clergy, employees, volunteers, parishioners, visitors, contractors (including subcontractors), job applicants and other people who come into contact with us.

We will endeavour to collect personal information directly from you. Where it is not reasonable or practical to collect personal information directly from you, consent will be sought prior to collecting personal information from a third party. If consent cannot be obtained, we will consult the requirements and exemptions of the Act before making such a collection.

6.1.1   Why do we collect Personal Information?

The personal information we collect is only for purposes which are directly related to the functions and activities of the organisation. These include:

• Managing the Diocese’s operations including staff training, systems development, developing new programs and services, undertaking planning, research and statistical analysis;
• The employment of staff and engagement of contractors and volunteers;
• To assess the suitability of prospective employees for the position for which they have applied;
• To assess an individual’s suitability for a position for which prospective employees have not applied but to which the Diocese believes they may be suited (the Diocese will seek their consent before considering any other position);
• To provide a safe working and learning environment;
• To discharge our legal obligations including our duty of care;
• For insurance purposes;
• For surveillance purposes;
• To minister to the faithful and to provide pastoral care;
• To provide welfare and support;
• Marketing, promotional and fundraising activities. Including raising funds to sustain the works of the Catholic Church in Western Sydney and the Blue Mountains through the Catholic Foundation and The Catholic Fund:
• Collecting and managing donations, including one-off and recurring donations.
• Sending out newsletters, social media etc.
• To administer sacraments;
• For religious obligations;
• Supporting community-based causes and activities, charities and other causes in connection with our functions and activities;
• Developing or evaluating our activities, services and programs to better achieve our purposes and mission;
• Responding to queries or comments from the public;
• Complying with our legal obligations; and
• Other purposes that may arise from time to time.

The Catholic Foundation has assumed responsibility for the Diocesan Works Fund, Diocese of Parramatta. The personal information of persons who had previously donated to the Diocesan Works fund, including names, contact details and donation amounts and history, will continue to be maintained by the Catholic Foundation pursuant to the terms of this Policy.

6.1.2   What kind of Personal Information do we collect?

The type of information we may collect, and hold varies depending on the purpose for which it is collected. The personal information that we collect and store will generally include:

• Full name;
• Address;
• Occupation;
• Date of birth;
• Marital Status;
• Religious affiliation;
• Identification details (including photographs);
• Contact details;
• Personal information and various documentation relating to possible employment with the Diocese;
• Payment details;
• Financial information (including credit card data);
• Information about when and how you have donated to us;
• Sacramental records;
• Any health information required by law;
• Personal information that will enable the Diocese to satisfy its duty of care to other individuals with whom you may come into contact in the course of your involvement with the Diocese;
• Participated in our activities or used our services and programs;
• Information relating to pastoral care needs;
• Information relating to a child’s enrolment at a Diocesan school; and
• Other types of information that may arise from time-to-time.

The type of information we collect might also depend on your relationship to us, including (amongst others):

1. Donors and supporters: as a supporter, donor or participant of our fundraising activities, we may need to collect your name, date of birth, contact details and financial information such as your bank account and/or credit card details in order to process your donation or set up a direct debit system for recurrent donations.
2. Employees and volunteers: as an employee or volunteer at the Diocese, we may need to collect information about your name and contact details, bank account and taxation details, qualifications, previous experience and emergency contact details.
3. Website user: Our website uses cookies and other digital identifiers. These include:

• site performance identifiers: these give us information about how our website is used. This helps us provide you with a more user-friendly experience.
• analytics cookies: we use these to gather statistics about our website. For example, Google analytics help us monitor how many users are on the site and what sections are most popular.

It is important to know you can clear or disable cookies or digital identifiers from your device by changing the security settings on your web browser. However, doing this might mean that parts of our website may not work as it should.

Anonymity and Pseudonymity

You can make a request to us that you remain anonymous or that a pseudonym is used during transactions unless it is impracticable to do so, or if the Diocese is required or authorised under law to deal with identified individuals. Furthermore, we may not be able to provide you with the information you asked for or give you the level of service you expect.

6.1.3   How do we collect information?

We collect personal information in a variety of ways, some of these ways are, but are not limited to:

• Signing up to our newsletters, becoming a donor or filling out form;
• Correspondence with us via email, letters, notes, social media messages or conversation;
• Face-to-face meetings and telephone conversations;
• Financial transactions; and
• Surveillance activities such as the use of CCTV security cameras.

Sometimes we may be provided with personal information without having sought it through our normal means of collection. This is referred to as “unsolicited information”. Where unsolicited information is collected, we will only hold, use and/or disclose that information if we could otherwise do so had we collected it by normal means. If that unsolicited information could not have been collected by normal means then the information will be destroyed, permanently or de-identified as appropriate.  For example, we may collect personal information from your friend or family member who decides to supply us with your personal information because they think that you might be interested in supporting our cause.

We may also collect personal information from other people, such as a referee or report from medical professional, or an independent source, such as a telephone directory, however, we will only do so when it is not reasonable or practicable to collect the information directly.

In the case of children, personal information will ordinarily be collected from their parents or guardians, unless specific and/or unusual circumstances require that the collection be made directly from the relevant child.

6.1.4   Our obligations when collecting personal information

In most cases, we require your consent specifically to any collection, use or disclosure of your personal information by us. Consent may be explicit, such as in writing or verbally, or may be implied by conduct.

At or around the time your personal information is collected, we will take reasonable steps to bring this Privacy Policy to your attention. Generally, however, having made you aware of our Privacy Policy, we will assume that you have read and agree to the terms of this Privacy Policy unless you inform us of any specific objections or their non-consent in writing.

The Diocese will take reasonable steps to make sure an individual knows that the Diocese has collected their personal information, how the Diocese got it and how Diocese will handle it. A Privacy Collection Notice will be issued to explain these details (please see the Diocese’s Privacy Collection Notice).

The Diocese has taken reasonable steps to alert people that CCTV’s are in use inside and outside the building. Signs around Diocesan premises alerts people onsite cameras are in use.

6.2           Handling Personal Information

Personal information may only be accessed and used for a valid work purpose.

6.2.1   Storage

The personal information we hold may be stored in many forms of media, including the following:

• Your written correspondence to us;
• Audio and/or visual data containing your personal information;
• CCTV recordings are recorded to a dedicated Digital Video Recorder (DVR) and only accessed when required to see if an incident was recorded (such as a break in, vandalism etc.). When storage capacity is reached, recordings are overwritten;
• Receipts and/or transaction or donations records in relation to your financial support of our fundraising activities; and
• Legal documents and information you provide to us in connection with your volunteering for or employment with the Diocese or as a recipient of, or participant in, one of our activities, services and programs.

We may keep copies of the above documents (in physical or electronic form, at our election) as is necessary to carry out our functions and activities and provide our services and programs.

6.2.2   Security

We take the security of personal information seriously, please see the Information Security Policy.  Security measures we take include, but are not limited to, the following:

• All personal information is securely stored at all times by us or an authorised external service provider;
• Our file servers and any applications hosted within our network are behind a firewall located at Global Switch DC;
• Frequent use of virus scanning tools;
• Our databases are protected by secure user IDs and passwords, to help protect it from misuse, unauthorised access, modification or disclosure; and
• Only authorised people who need to have access to personal information will have access to it.

To the best of our knowledge, we do not store card information in our electronic systems or file shares. Where we do store personal information and credit card information on third-party electronic systems and databases, we ensure that they have appropriate privacy and security policies and measures in place and that credit card details are stored as encrypted/tokenised cards.

Personnel must:

• Be aware of their surroundings and people nearby when handling personal data and information;
• Confirm recipient details before sending emails;
• Dispose unneeded copies of information securely; and
• Ensure the information is available to people who need to access it.

As our website is linked to the internet, and the internet is inherently insecure, we cannot provide any guarantee regarding the security of the information transmitted to us online. We also cannot guarantee that the information you supply will not be intercepted while being transmitted over the internet. Accordingly, any personal information or other information which you transmit to us online is transmitted at your risk.

6.3           Use and Disclosure of Information

Normally, we would use your personal information for the purpose(s) that it was collected, for any secondary purposes directly related to that primary purpose(s), or to comply with our legal obligations.

Personal information will be used for the purposes listed in 7.1.1.

The Diocese is a large entity with many agencies and organisations. Information may be shared over the whole range of Diocesan bodies.

6.3.1   Disclosing personal information to third parties

We may disclose personal information to external service providers (such as information technology service providers, legal service providers, mailing houses, fundraising agents and companies, etc). We may also distribute aggregated statistical information to the Vatican and the Australian Catholic Bishops’ Conference for reporting purposes.

We will take reasonable steps, through non-disclosure agreements, to ensure that external service providers and third parties only use personal information that we provide to them for the purpose(s) for which you have given your personal information to us and to not share it further with another party unless it is necessary to do so. We never sell personal information to third parties.

Personal information may be provided to government agencies, other organisations or individuals if:

• The individual has consented;
• It is required or authorised by law; and
• It will prevent or lessen a serious and imminent threat to somebody’s life or health or to public safety.

Sensitive information has a higher degree of protection and will be used and disclosed only for the purposes for which it was provided, or for a directly related secondary purpose, unless the person agrees otherwise, or the use or disclosure of sensitive information is required by law.

6.3.2   Disclosing personal information internationally

We do not normally send your information overseas, however, storing information with a “cloud computing service” may mean storing data outside of Australia. We will take all reasonable steps not to disclose your personal information to overseas recipients except in limited circumstances when necessary for the operation of our organisation. Such circumstances may include:

• Engaging with external suppliers for database support that we contract with to assist with the administration and management of the Diocese;
• Engaging with contractors located overseas for the limited purposes of storing personal information (including the storage of financial information in a cloud-based accounting program) and ensuring that such information remains accessible upon demand;
• Communication with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas;
• We are satisfied that the overseas recipient is compliant with Australian Privacy Principals or similar privacy regime; and
• We have formed the opinion that the disclosure will lessen or prevent a serious threat to life, health or safety of an individual or to public safety.

6.3.3   Using personal information collected from the website

The Diocese may collect the personal information of those who visit our website (www.parracatholic.org) and any other websites managed by the Chancery office (see Appendix B for a comprehensive list of websites).  In visiting the website, you agree that this Privacy Policy will apply to any personal information that we collect.

The website may contain links or references to other websites. We do not share your personal information with those websites and is not responsible for their privacy practices nor can it control other websites and the Privacy Policy does not apply to those external websites.

We may, from time-to-time, update or change the website collection of information policy to ensure that it reflects the acts and practices of the Diocese as well as any changes in the law.

6.3.4   Using personal information for advertising and marketing purposes

From time to time, we may use personal information to send promotional or marketing material to you.  We may send material to you by mail, phone, email, text, and online and in apps that we believe may be of interest to you, unless you opt out of receiving material.

We will ensure that any marketing emails, texts and letters that we send out clearly tells you how to opt out.

You can opt out of receiving promotional or marketing material at any time by following the opt-out instructions on the materials or by contacting us via the contact details in Section 12 below.

There are some types of marketing we cannot control on an individual basis, like general letterbox drops or online ads that are not targeted specifically to you.

6.4           Sharing Personal Information

Personal information may be shared only:

• When a formal agreement exists in relation to information or data sharing between parties; and
• In circumstances permitted under the Act.

To minimise the risk of unauthorised disclosure, personnel must:

• Check with a relevant manager before sharing confidential information; and
• Avoid using Internet-based file sharing software to share confidential information (e.g., Dropbox).

When sharing information with authorised persons via email:

• Ensure all confidential information is attached to the email in a password protected zip folder;
• Enable encryption where available;
• Do not include confidential information in the subject line or body of the email; and
• Do not share or discuss confidential information on social networking applications such as Facebook and Twitter.

6.5           Access and Correction

Under the Privacy Act and Health Records Act, an individual has the right to obtain access to any personal information which the Diocese holds about them and to advise us of any perceived inaccuracy.  However, there are exceptions to these rights set out in the applicable legislation therefore, there may be occasions when access is denied. Such occasions would include situations such as (though not limited to) where access would have an unreasonable impact on the privacy of another, where access may result in a breach in our duty of care or where information is provided in confidence.

We are entitled to impose a reasonable charge on the individual for providing the personal information, particularly where photocopying is necessary.

To access or amend personal information, a written request must be made to the Vicar General, Parish Priest, or the Director or Manager of the Diocese’s Agencies or Ministries.

6.6           Data Quality

We take reasonable steps to ensure that the personal information collected is accurate, up-to-date and complete. These steps include maintaining and updating personal information when advised by individuals that it has changed (and at other times as necessary).

It is your responsibility to ensure that your personal information is kept up to date. On an ongoing basis we maintain and update personal information when advised or when we become aware through other means that their personal information has changed. If you wish to change or modify your personal information, you should make a written request to the Parish Priest or Manager of the relevant ministry or agency. You should also contact the Privacy Officer if you believe that the information held is not accurate, up-to-date or complete (see Section 12).

6.7           Confidentiality Agreement

Some personnel may be required to sign a confidentiality agreement which states that they must not for any reason, directly or indirectly, use or disclose (or attempt to disclose) confidential information for their or any other person’s benefit.

7.           NOTIFIABLE DATA BREACH (NDB) SCHEME

The Notifiable Data Breach (NDB) Scheme under Part IIIC of the Privacy Act 1998 establishes requirements for entities in responding to data breaches.

Data breaches include malicious action, human error, or a failure in information handling or security systems. Examples of circumstances which may meet the criteria of an NDB include:

• A database containing personal information being hacked;
• Personal information being mistakenly provided to the wrong person;
• Records containing personal information stolen from unsecured recycling bins; and
• Disclosing personal information for purposes other than that for which it was collected and without consent.

7.1           Eligible data breach

It must be noted that under the NDB scheme, a data breach is a breach that is likely to result in serious harm to any of the individuals to whom the information relates. Under this scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach.

An eligible data breach arises when the following three criteria are satisfied:

• There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
• This is likely to result in serious harm to one or more individuals; and
• The entity has not been able to prevent the likely risk of serious harm with remedial action.

7.2           Legal Obligations

We are bound by the Privacy Act 1998 which states that the organisation has data breach notification obligations when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.  Serious harm includes serious physical, emotional, economic and financial harm as well as serious harm to reputation.

To comply with the law, the Diocese has implemented a Notifiable Privacy Incident and Data Breach Response Procedure and a Data Management Matrix (contained within the Data Governance Programme Framework document). These procedures enable suspected breaches to be promptly identified, reported to relevant personnel, and assessed if necessary.

If we are aware that there are reasonable grounds to suspect that there may have been a serious breach, our obligation is:

• To conduct an assessment. It must take all reasonable steps to complete the assessment within 30 calendar days (as a maximum time limit) after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach. The Diocese must not unreasonably delay an assessment of a suspected eligible breach, for instance by waiting until its CEO or board is aware of information that would otherwise trigger reasonable suspicion of a breach within the Diocese.

If we only have reason to suspect that there may have been a serious breach, our obligations are:

• To move quickly to resolve that suspicion by assessing whether an eligible data breach has occurred. If, during the course of an assessment, it becomes clear that there has been an eligible breach, then the entity needs to promptly comply with the notification requirements.

If we are aware of any reasonable grounds to believe that there has been an eligible data breach, our obligation is:

• To prepare a statement of prescribed information in accordance with the Act;
• To submit the statement to the Office of the Australian Information Commissioner by the use of an online form known as a Notifiable Data Breach Statement; and
• To contact all affected individuals directly or indirectly by publishing information about the NDB on publicly accessible forums. The notification must include recommendations about the steps individuals should take in response to the breach.

7.3           Breaching the Legislation

Reporting may have to be disclosed to the ATO, ASIC, ACSC or even the Federal Police, depending on the breach. Failure to uphold obligations under the Privacy Act may result in legal proceedings.

Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million.

For more comprehensive information, please see:

https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme/

The Diocese’s Privacy Incident and Data Breach Response Procedure outlines the procedure for notifiable data breaches.

8.   RISK MANAGEMENT

We ensure that procedures are in place to demonstrate that decisions and actions relating to privacy, comply with federal and state laws.

This policy is made available on the Diocesan website, www.parracatholic.org, so that the public are made aware how their information is collected, stored and used.

All employees clergy and volunteers?? are made aware of this policy during their induction and are provided with ongoing support and information to assist them to establish and maintain privacy.

9.           POLICY IMPLEMENTATION

This policy is developed in consultation with all major stakeholders and it is approved by the Bishop.

This policy is part of all employee volunteers / clergy too?? induction processes and all employees are responsible for understanding and adhering to this policy.

This policy is accessible on the Diocese website, www.parracatholic.org, and other Ministry and Agency websites. It is also available on The Anchor, the Diocese’s intranet.

10.      POLICY REVIEW AND CHANGES

This policy will be reviewed from time to time or when there are relevant legislative changes.

If this Privacy Policy changes, the revised Policy will be posted on our website. Please check back periodically, and especially before you provide any personal information. Your continued use of our website following any amendments to it will confirm your acceptance of such amendments.

11.      CONTACTING US

11.1       Contacting the Diocese for any reason

You may need to contact us for any reason in relation to this Privacy Policy or for more information about personal information (updating information, accessing information, asking a question about how we handle personal information, making a comment about this Privacy Policy or to make a privacy complaint). Our contact details are:

Address:          Bethany Centre, 470 Church Street, Parramatta NSW 2150

Email:              privacy@parracatholic.org

11.2       Making a Complaint

A privacy complaint relates to any concern or dispute that personnel have with our privacy practices as it relates to your personal information. This could include matters such as:

1. How personal information is collected;
2. How personal information is stored;
3. How this information is used or disclosed;
4. How access is provided; and
5. How accurate the information is that we hold.

Should you be dissatisfied with the conduct of a Parish Priest, Director, Manager, colleague etc. with regards to privacy, confidentiality and the security of information, the matter should be raised with a senior Parish Priest, Director or Manager.

Those who are deemed to have breached privacy, confidentiality and information security standards set out in this policy may be subject to disciplinary action and/or legal consequences.

If your complaint is not resolved, a complaint can be made to the Office of the Federal Privacy Commissioner, who is responsible for the enforcement of the Act.

The Office of the Australian Information Commissioner’s contact details are as follows:

GPO Box 5218

Sydney NSW 1042

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

 

11.3       Managing a Complaint

We are committed to managing privacy complaints made by individuals to us or to the relevant privacy commissioner or ombudsman.

Furthermore, we are obliged to comply with investigations by the relevant privacy commissioner or ombudsman into our handling of personal information, and with any enforceable orders, directions or undertakings arising from a complaint or investigation.

12.3.1 Overriding principles
In accordance with our Complaint Management Policy, we will ensure that:

1. All complaints will be treated with compassion, professionalism and integrity;
2. All complaints will be treated seriously;
3. All complaints will be dealt with promptly;
4. All complaints will be dealt with in a confidential manner so far as is possible, subject to procedural fairness;
5. Any privacy complaints will not affect your existing obligations or the commercial arrangements that exist between this organisation and you; and
6. Privacy complaints will be assessed in accordance with the urgency and/or seriousness of the issues raised. If a matter concerns an immediate risk to safety or security, the response will be immediate and will be escalated appropriately.

12.3.2    Complaint Management Process

Once the complaint has been made, the Diocese’s Human Resources will:

1. Inform the complainant of the following as soon as possible:
   1. The complaint management process;
   2. The expected timeframe for a response or reason for any delay;
   3. The progress of the complaint at critical stages; and
   4. Their likely involvement in the process.

If the complainant would like to be anonymous, their identity will be protected where it is practical and appropriate to do so. Personal information that identifies individuals will only be disclosed or used as permitted under the relevant privacy laws, where necessary to comply with rules of procedural fairness and any relevant confidentiality obligations.

2. Request further information from the complainant.
3. Once we have the full information, a complaint will be investigated. It may be necessary to contact other stakeholders in order to proceed with the investigation. Human Resources will report the investigation to the Chief of Operations and Risk Management and the Diocesan Audit and Enterprise Risk Committee.
4. Within 30 days, we will respond to the complainant and discuss with resolution options. The complainant could also suggest other solutions or give examples of how the personal information can be revised or stored in a different way.
5. We will inform the complainant about the outcome of the investigation and the reasons for the decision.
6. If the complainant is dissatisfied with the outcome of the investigation, they can refer the matter to the Office of the Australian Information Commissioner.

12.      FURTHER INFORMATION

Should you require more information about this policy, please see the Data Governance Committee at the Chancery office.

Given at Parramatta, New South Wales on this 22 July 2021.

APPENDIX A – DEFINITIONS

Term	Definition
“The Diocese”, “We”, “Us” or “Our”	Means the Diocese of Parramatta.
Australian Privacy Principles (APPs)	Replace the National Privacy Principles (NPPs) for organisations or APP entities.  They state that organisations: ·       Should be open and transparent with the management of personal information; ·       Should give individuals the option of not identifying themselves, or of using a pseudonym; ·       Should collect personal information that is solicited; ·       May only use or disclose personal information for direct marketing purposes if certain conditions are met They outline: ·       The reasonable steps that an APP entity must take to ensure the personal information it collects is accurate, up to date and complete.  An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure; ·       The steps an APP entity must take to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure; ·       An APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity.
Commonwealth Privacy Act 1988 (Privacy Act)	Is a law which regulates the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information.  This Act: ·       Regulates the collection, storage, use, disclosure, security and disposal of individuals’ tax file numbers; ·       Permits the handling of health information for health and medical research purposes in certain circumstances, where researchers are unable to seek individuals’ consent; ·       Allows for privacy regulations to be made
Confidentiality	Ensures that information is accessible only to those authorised to have access, and is protected throughout its lifecycle. Confidential information may be marked as such or deemed confidential by its nature.
Consent	means voluntary agreement to some act, practice or purpose.
Data breach	A data breach is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information.
Individual	Means any person such as a member of clergy or employee.
Likely to occur	Likely to occur means the risk of serious harm to an individual is more probable than not (rather than possible).
Loss	Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where is it is likely to result in unauthorised access or disclosure.
Notifiable Data Breaches (NDB)	The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) established requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.
Organisational information	Includes publicly available, and some confidential, information about organisations.
Our website	Means www.parracatholic.org; www.safeguarding.org;
Personal information	Has the same meaning as defined in the Privacy Act 1988, and generally means any information about you that identifies you or from which your identity reasonably can be determined.
Personnel	This term includes clergy, employees, parishioners, volunteers, contractors and subcontractors, prospective employees of the Diocese, members of the general public, any other parties to whom the Act applies.
Privacy Amendment (Private Sector) Act 2000	Amended the Privacy Act 1988 to regulate some organisations in the private sector
Privacy and Personal Information Protection Act 1998 (NSW)	Contains a set of privacy standards called Information Protection Principles that regulate the way NSW public sector agencies handle personal information (excluding health information).
Privacy provisions	Of the Privacy Act 1988 govern the collection, protection and disclosure of personal information provided to the Diocese by clergy, employees and stakeholders.
Public domain	In relation to confidentiality is considered “common knowledge,” e.g. information that can be accessed by the general public.
Reasonable person	Reasonable person means a person in the entity’s position who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach.
Record	Means any document or other source of information complied, stored or recorded in written form or on film, or by electronic process or by any other manner or mean .
Serious harm	In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Unauthorised access	Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access.
Unauthorised disclosure	Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.

APPENDIX B

Name of website	Website address
Office of Safeguarding and Professional Standards	https://safeguarding.org.au/
Diocesan Development Fund	https://parracatholic.org/ddf/
Pastoral Planning / Faith in our Future	https://faithinourfuture.wordpress.com/
Office for Worship	https://parracatholic.org/office-for-worship/
CatholicCare	https://ccss.org.au/
Baulkham Hills Family Day Care	https://hillsfamilydaycare.com.au/
Catholic Outlook	https://catholicoutlook.org/
Catholic Youth Parramatta	https://parracatholic.org/cyp/
Parramatta Catholic Foundation	https://yourcatholicfoundation.org.au/
Confraternity of Christian Doctrine	https://parracatholic.org/ccd-home/
World Youth Day	https://parrawyd.org/
Holy Spirit Parish, St Clair	https://holyspiritstclair.com.au/
Mary Queen of the Family, Blacktown	https://mqofblacktown.org.au/
Christ the King, North Rocks	https://northrockscatholic.org.au/
Parish of Richmond	https://parishofrichmond.org.au/
Sacred Heart Parish, Luddenham-Warragamba	https://warragambaparish.org.au/
St Nicholas of Myra, Penrith	https://stnicholasofmyra.org.au/
Holy Name of Mary, Rydalmere	https://holymary.org.au/
St Finbar’s, Glenbrook	https://stfinbars.org.au/
Holy Family Parish, Granville	https://eastgranvilleparish.org.au/
Holy Trinity Parish, Granville	https://granvilleparish.org.au/
St Patrick’s, Guildford Parish	https://guildfordcatholicchurch.org.au/
St Patrick’s Cathedral	https://stpatscathedral.com.au/
Corpus Christi, Cranebrook	https://corpuschristi.org.au/
St Luke’s, Marsden Park	https://stlukesmarsdenpark.org.au/
St John Vianney, Doonside	https://stjohnvianneydoonside.org.au/
St Paul the Apostle, Winston Hills	https://stpaultheapostleparish.org/
Our Lady of the Rosary, Kellyville	https://olorparishkellyville.org.au/
St Oliver Plunkett’s, Harris Park	https://www.stoliversharrispark.org.au/
St Mary of the Cross MacKillop	https://marymackillopupperbluemountains.org.au/
Our Lady of the Way, Emu Plains	https://catholicparishemuplains.org.au/
Sacred Heart Parish, Blackheath	https://sacredheartblackheath.org.au/
St Thomas Aquinas, Springwood	https://stachurchspringwood.org.au/
St Padre Pio, Glenmore Park	https://www.padrepioglenmorepark.org.au/

To download WHS Policy, click here.

The Church’s policies and procedures on how to respond to complaints of sexual or physical abuse by a Church person are set out in detail in Towards Healing, issued by Australia’s Catholic Bishops and Leaders of Religious Institutes in 1996.
It is the Church’s policy that complaints are to be received by a Contact Person specially appointed and trained for the task. A person wishing to make a complaint can arrange to meet a Contact Person by dialing the contact line: 1300 36 99 77.

For more information about what the Australian Catholic Church has done and is doing for safeguarding children and vulnerable persons, click here.

View the Complaint Management Framework here.

View the Complaint Management Policy here.

View the Whistleblower Policy and Procedure here.

To download Safeguarding Policy, click here.

The contents of this site are subject to copyright. No part of this site may be reproduced in any or by any means, electronic or mechanical, for any purpose, except educational, without the written permission of the Bishop of the Diocese of Parramatta.

The information contained in this site is provided in good faith and is derived from sources believed to be reliable and accurate and abiding by copyright restrictions. Where any text, illustrations, photos, audio, video or other material submitted by You for publishing to any websites hosted by the Catholic Diocese of Parramatta:

• You grant a worldwide, royalty-free, perpetual, license to use, reproduce, edit and exploit the Material in any form or on any medium and for any purpose, including the Diocese of Parramatta promotional material and websites.
• You warrant that you own all rights, including intellectual property rights, in the Material and have the authority to grant this license to the Catholic Diocese of Parramatta.
• You warrant that the Material does not breach any laws, including defamation laws.
• You unconditionally consent to any act or omission by Diocese of Parramatta in relation to the Material.
• You warrant that the events depicted in the Material submitted are real and not fabricated the Diocese of Parramatta expressly disclaims liability for any loss or damage arising as a result of your breach of these terms.

If you believe that any information contained in or linked to this web site is incorrect or inaccurate, please contact us.

Honours & Awards | Overview – click to download.
Overview of Papal, Diocesan and Civil Honours & Awards

Honours & Awards | Nomination form – click to download.
Nomination form for Papal, Diocesan and Civil Honours & Awards

Honours & Awards | Overview & nomination form – click to download.
Combined Overview/Nomination form for Papal, Diocesan and Civil Honours & Awards

2019 Working With Children Check Notification Form – click to download.

New Working with Children Check Application Process – click to download.

Working with Children Check Renewal Process – click to download.

Clergy Leave Form – click to download.

Integrity in the Service of the Church 2011 – click to download.

Integrity in Ministry – click to download.

The Whitlam Report – click to download.

Child Protection Policy – click to download.

National Response Protocol – click to download.

National Catholic Safeguarding Standards – click to download.

NCSS-STANDARD-5.7-AUTHORITY-DECLARATION – click to download.

NCSS-STANDARD-5.7-CLERGY-DECLARATIONS – click to download.