MCM works together to support the delivery of programs and services in predictable, transparent and healing oriented ways. Our guidelines uphold the dignity, wellbeing, connectedness and self-determination of people and communities.
MCM is a Child Safe organisation and child safety is at the forefront of our program delivery. Our guidelines ensure that Child Safety is a primary part of everyday thinking and practice. All employees and volunteers have an obligation to ensure we keep children safe from harm and abuse.
MCM is committed to protecting the privacy and security of personal information. This policy describes how we collect and use personal information about individuals in accordance with Privacy Act 1988 (Cth) and other applicable legislation.
MCM uses personal information to carry out its functions and activities which includes donations, to comply with legal obligations and to help us manage and provide our services.
The types of personal information we collect may include your name, date of birth, gender, contact information, credit/debit card information, health information and other information about your history with, or relationship to MCM and the circumstances which lead you to use our services.
MCM complies with the Australian Privacy Principles (APPs), which are part of the Privacy Act 1988 (Cth). MCM is also bound by the Privacy and Data Protection Act 2014 (Vic) (PDPA) and the Information Privacy Principles (IPPs) made under the PDPA and the Health Privacy Principles (HPPs) made under the Health Records Act 2001 (Vic).
We collect personal information from individuals who are connected to our operations and activities – including people who use our services, employees, job applicants, donors, volunteers, sponsors, health professionals, suppliers, and service providers.
MCM will take reasonable steps to keep personal information secure and will, subject to the APPs, comply with a request from a person to access, correct or remove their information.
Where MCM engages an external organisation to assist it, MCM will ensure that the external organisation will only use the personal information collected in line with this policy and the APPs. MCM allows individuals to act anonymously where it is practical and lawful to do so. For example, MCM will accept anonymous donations, however provisions contained in taxation legislation require us to collect the name of the donor if the donor requires a tax-deductible receipt.
How we collect and store personal and sensitive information varies depending on the purpose for which it is collected. We may collect your personal information as follows:
MCM will always collect your personal information directly from you unless it is impracticable to do so. This is usually be done in person, over the telephone or by email. Examples may include:
We may keep copies of the above documents (in physical and/or electronic form, at our election) as is necessary to carry out our functions and provide our services and programs. All personal and sensitive information is securely stored at all times by us or an authorised external service provider and only authorised people will have access to the above documents and information.
If you are applying for employment with MCM we may collect and process information about you such as employment history, qualifications, residency status, background check and other information required as part of the recruitment process. In that regard, we may also collect sensitive information or special categories of data such as health or medical information, racial or ethnic origin, and criminal convictions. You acknowledge and give your consent for MCM to collect, store, use, process and disclose any such information and personal data for the purpose of assessing your application for employment with MCM.
Generally, the purpose of us collecting your data as part of the recruitment process is to enable us to facilitate safe recruitment and to determine suitability for the role. If you fail to provide certain information when requested, we may not be able to take the steps to enter into a contract with you (for example if incorrect references are provided), or we may be prevented from complying with our legal obligations (such as evidence of right to work).
MCM will only use your personal information for the purposes for which it was collected, unless we reasonably consider that we need to use it for a secondary purpose, and that purpose is related to the original purpose. If we need to use your personal information for an unrelated secondary purpose, we will notify and seek your consent. How long we retain your information will depend on whether your application is successful you then become employed by us, the nature of the information concerned and the purposes for which it is processed.
As part of administering our services, we may collect health information and other sensitive information. For example, we may collect medical history information from you, if you are using particular services, participating in a specific activity or volunteering. We may also require information via a police or working with children check if you are volunteering for various programs.
MCM may collect, hold, use and disclose personal and sensitive information for purposes necessary to carry out our functions and provide our services and programs. Generally, these purposes include:
We may use personal information (including some sensitive) information to generate aggregated statistical data for the purpose of reporting to Government agencies and to plan for improvements to our services. We take reasonable steps to ensure that the information we report to Government agencies is de-identified and aggregated, so that the statistical data and reports cannot be used to identify you.
MCM is committed to maintaining your privacy and we will only use your personal and sensitive information for a permitted purpose for which we have collected the information. There is no obligation for you to provide us with any of your personal information however if you choose not to provide us with your personal information, we may not be able to provide you with the services that you require.
You have the option of not identifying yourself or using a pseudonym when dealing with us in relation to a particular matter, unless we believe it is impracticable to do so in the circumstances. If you wish to deal with us in this manner, you must tell us in writing so that we can consider if your request is practicable.
Under the APPs, you have the right to deal with us on an anonymous or pseudonymous basis. This means that you do not need to provide us with personal information if and when we request that information.
In order to carry out our functions and provide our services and programs, we may need to disclose your personal and sensitive information to external service providers. This may include:
We will only share your personal and sensitive information in accordance with your express consent and instructions, subject to the exclusions set out in the APP’s. We do not supply our database information to other marketing organisations not acting on our behalf.
We take all reasonable steps to protect all of the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Your personal information stored electronically will be stored securely either on our database, a database maintained by a cloud hosting service provider or other third party database storage or server provider. Backups of electronic information are written to drives which are stored offsite.
Except as otherwise permitted or required by applicable law or regulation, MCM only retains personal data for as long as necessary to fulfil the purposes they collected it for, as required to satisfy any legal, accounting or reporting obligations, or as necessary to resolve disputes.
To determine the appropriate retention period for personal data, MCM considers the amount, nature, and sensitivity of personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for processing the personal data, whether we can fulfil the purposes of processing by other means and any applicable legal requirements.
Hard copy information is generally stored in our offices, which are secured to prevent entry by unauthorised persons.
Where personal information is stored with a third party, we have arrangements which require those third parties to maintain the security of the information and we take reasonable steps to protect the privacy and security of that information.
MCM takes reasonable steps to ensure that any third party to which we disclose personal information collected from or about an individual takes steps to protect the personal information so disclosed and to destroy or to de-identify the information when the information is no longer required.
When we take steps to destroy or to de-identify personal information that is no longer required for the purpose(s) for which the information was collected, we will take reasonable steps to destroy or to de-identify the information in a secure manner.
Your direct debit or credit card information
We use Secure Socket Layer (SSL) certificates which is the industry standard for encrypting your credit card and debit card numbers, your name and address so that it cannot be viewed by any third party over the internet. Your financial information is encrypted on our servers and access to this information is restricted to our authorised staff only.
MCM undertakes Privacy Impact Assessments (PIAs) as part of our risk management strategy in order to assess whether it is safe to proceed to the implementation phase of a new project, activity, initiative or application. We also undertake PIAs if changes are made to the way we collect, use, store or dispose of personal information.
Most personal information held by us is stored in our systems, including donor management information systems, HR management systems, finance systems and records management systems. Some of these systems may be externally hosted or managed.
Generally, personal information will be retained for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will take reasonable steps to ensure the personal information we hold about you is accurate, up-to-date, complete, relevant and not misleading.
You can request access to the personal information we hold about you at any time by contacting MCM’s Privacy Officer. You also have a right to ask us to correct any inaccurate personal information we hold about you. Sometimes, we may not be able to provide you with access to all your personal information.
In these instances, reasons include where:
If we refuse to grant you access to your personal information, we will provide you with reasons for that decision (unless it is unreasonable to do so) and the avenues available for you to complain about the refusal.
We also reserve the right to redact information made available in response to an access request, in order to protect the privacy of other individuals.
Given that we hold personal and sensitive information collected from many individuals, and we do not wish to interfere with the privacy of other individuals, we reserve the right to request from you information in order to verify your identity in order to ensure that we do not inadvertently disclose personal information about another individual(s) to you where you are not entitled to access such access would pose a serious threat to the life, safety or health of any individual or to public health or public safety.
MCM is committed to protecting your privacy and where there has been a suspected or actual data breach we will follow the process in our Data Breach Policy and Response Plan which includes:
How we comply with the Notifiable Data Breaches Scheme
We will notify you in the event your personal information is involved in a data breach that is likely to result in serious harm. This notification will include recommendations about the steps you should take in response to the breach. We will also notify The Australian Information Commissioner of eligible data breaches. Each suspected data breach reported to us will be assessed to determine whether it is likely to result in serious harm, and as a result require notification.
If you have any queries about how we manage your personal information please contact our Privacy Officer at firstname.lastname@example.org.