1. Background and context
Catholic Professional Standards Ltd (CPSL) is committed to providing quality services to you and this Policy outlines our ongoing obligations and responsibilities to you in respect of how we manage your personal information.
CPSL is bound by the Privacy Act 1988 (Cth), which includes the Australian Privacy Principles (APPs), as well as applicable State and Territory-based health records legislation. The APPs govern the way in which we collect, use, disclose, store, secure and dispose of your personal information.
A copy of the Australian Privacy Principles may be obtained from the website of the Office of the Australian Information Commissioner at www.oaic.gov.au.
CPSL is a not for profit public company limited by guarantee. It has been established by the leadership of the Catholic Church in Australia to promote the dignity and welfare of all persons who come into contact with the Church and its works, especially the young and vulnerable.
This Policy describes ways in which CPSL collects, stores, uses and disposes of personal information. It applies when personal information is collected and/or used by CPSL.
This Policy is to be applied by all personnel of CPSL when they are handling any personal information.
Catholic Professional Standards Ltd, CPSL, we, our and us means Catholic Professional Standards Ltd (ACN 616 062 714) and any organisations, businesses or bodies corporate owned or operated by Catholic Professional Standards Ltd.
Personal information has the same meaning as defined in the Privacy Act 1988, and generally means any information about you that identifies you or from which your identity reasonably can be determined. It includes sensitive information, which is personal information about your racial or ethnic origin, religion, criminal record, sexuality, union activities and your health.
Website means the website located at www.cpsltd.org.au
4. Collection of personal information
CPSL carries out activities and provides services and programs across Australia for or related to the purposes of promoting the dignity and welfare of all persons who come into contact with the Catholic Church and its works, especially children and vulnerable adults.
CPSL is responsible for setting national safeguarding standards for the safety and protection of individuals involved with the Church, particularly children and vulnerable adults, by engaging with Catholic entities and service providers and auditing their compliance with these standards.
We collect personal information from you for the primary purpose of providing our services to you, providing information to our clients, marketing, and to assist you should you have an enquiry. We may also use your personal information for secondary purposes closely related to the primary purposes, in circumstances where you would reasonably expect such use or disclosure.
CPSL may collect your personal information for one or more purposes, including:
- establishing and reviewing safeguarding standards to promote the safety and prevent abuse and/or misconduct towards children;
- establishing and reviewing standards for responding to allegations of abuse and/or misconduct concerning Church contacts who are involved with Church entities;
- identifying and providing education and training directly or indirectly in respect of the safeguarding standards;
- auditing compliance of a Church entity with the safeguarding standards and reporting on the results of the audit;
- providing newsletter, website, social media and other communication updates on the activities of CPSL and the promotion of safeguarding of children and vulnerable adults;
- assessing employment applications of prospective employees and volunteers;
- developing and evaluating our activities to better achieve our purpose and mission;
- managing our organisation, including our website and social media platforms;
- complying with our legal obligations; and
- any other purposes that are authorised or required by law, including the APPs.
When CPSL first collects your information or at other appropriate times and where possible, we will explain to you why your personal information is being collected and how we plan to use it.
4.2 Types of personal information
The types of personal information we may collect and hold varies depending on the purpose for which it is collected (see clause 4.1) and on who you are and the nature of your interaction with CPSL.
We may collect contact information (such as your name, address, email address and telephone numbers), information about your employer or organisation, your newsletter preferences, comments you submit or feedback you provide to us about our services and products, our website or other matters.
Sometimes our activities require us to collect sensitive information. For more details, see Section 7 below.)
4.3 Methods of collection
Personal information may be collected by way of forms filled out by individuals (including via online forms), surveys, emails, telephone conversations, face-to-face meetings, interviews, from other websites, from media and publications and from other publicly available sources.
You may in some circumstances have the option of not identifying yourself or using a pseudonym when you deal with us. However, if you choose not to provide the information we need to fulfill your request for a specific product or service, we may not be able to provide you with the requested product or service or we may not be able to allow you to participate in our activities.
4.4 Third parties
Where reasonable and practicable to do so, we will collect your personal information only from you. However, in some circumstances we may be provided with information by third parties. In most cases, we will seek your consent prior to collecting information from third parties (such as in the case of referee checks for prospective employees). In cases where we have not been able to gain your consent prior, we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.
4.5 Other information we may collect
You can find out more information on how Google uses data when you use CPSL’s website at www.google.com/policies/privacy/partners/.
5. Use and disclosure of personal information
CPSL may use or disclose your personal information for the purpose/s that it was collected, for any secondary purpose/s directly related to that primary purpose/s, or to comply with our legal obligations.
Personal information may be used or disclosed for a range of purposes, including:
- providing you with products or services that you have requested;
- responding to your queries or feedback;
- analysing and improving all aspects of our business including, but not limited to, our standards development processes, audit approach and training, our business systems, processes, outcomes, communication, website engagement and performance;
- conducting audits and delivering relevant training and educational activities;
- enabling our staff and Board to deliver CPSL’s functions and purpose;
- providing you with communications or publications in which we think you might be interested, or which you have requested;
- letting you know about developments in our standards, guidance, advice, products, services, activities and programs that might be useful to you;
- facilitating your participation in forums, consultations, information and educational events; and
- considering employment applications.
You may opt out of a subscription to our newsletter at any time.
5.2 Disclosure to third parties
CPSL may disclose your personal information to third parties such as our members, professional advisors, external service providers that provide services to us (such as audit providers, trainers, website hosts, quality assurance and research partners), your employer or Church entity, government, statutory or regulatory bodies. We may disclose your personal information for the purposes set out in clause 5.1.
We will take reasonable steps to ensure that external service providers and third parties only use your personal information that we provide for the purpose/s for which you have given us your personal information and to not share it further with another party unless it is necessary to do so.
CPSL may disclose to the public information concerning the operation of committees and working groups, including information about the members of those committees, where we consider that it is appropriate to do so having regard to our public interest objectives.
CPSL may disclose your personal information if it is required or authorised by law, where disclosure is necessary to prevent a threat to life, health or safety, or where we are otherwise permitted by the Privacy Act.
CPSL does not sell or license your personal information to third parties.
6. Handling of personal information
Personal information CPSL holds may be stored in both physical and electronic form.
CPSL takes the security of personal information seriously and take reasonable steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure.
Safety measures we take include, but are not limited to:
- limiting physical access to our premises;
- ensuring all personal information is securely stored at all times;
- frequent use of virus scanning software;
- protecting our computers and servers by secure user IDs and passwords;
- restricting access to the information we collect about you (only those personnel who need your information to carry out our business activities are allowed access);
- requiring any third party providers to have acceptable security measures to keep personal information secure; and
- putting in place physical, electronic and procedural safeguards in line with industry standards.
When your personal information is no longer needed for the purpose for which it was obtained and CPSL is not legally required to retain it, we will take reasonable steps to destroy or permanently de-identify your personal information.
6.3 Links from our website to other websites
CPSL’s website contains links to third party websites. CPSL does not operate these websites and therefore are not responsible for the collection or handling of personal information by the operators of these websites.
7. Sensitive information
Sensitive information is defined in the Privacy Act to include information or opinion about such things as an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.
Sensitive information will be used by CPSL only:
- for the primary purpose/s for which it was collected;
- for a secondary purpose that is directly related to the primary purpose; and
- with your consent, or where required or authorised by law.
8. Access to your personal information
You may access the personal information we hold about you and update and/or correct it. If you wish to access your personal information, please contact us in writing (see Section 11 for contact information).
There are circumstances under the Privacy Act where we may not give you access to the personal information we hold about you. For example, we can’t give you access if it would unreasonably affect someone else’s privacy or if giving you access poses a serious threat to someone’s life, health or safety.
CPSL will respond to all requests for access within a reasonable period and usually within 30 days. If we refuse your request, we will give you written notice of the decision and reasons and explain how to complain if you are not satisfied with the decision.
In order to protect your personal information, CPSL will require confirmation of your identity prior to releasing the requested information.
There is generally no cost for accessing the personal information we hold about you, unless the request is complex or resource intensive. If CPSL considers applying a charge, it will be reasonable and we will notify you beforehand so that you can agree before proceeding.
9. Maintaining the quality of your personal information
It is important to CPSL that your personal information is up to date. We will take reasonable steps to make sure that your personal information is accurate, complete and up to date and if CPSL is satisfied that any personal information should be corrected we will take reasonable steps to correct that information.
If your personal details change or you believe that the personal information CPSL holds about you should be corrected because it is inaccurate, incomplete, out of date, irrelevant or misleading, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.
If CPSL does not agree that your information needs correcting, we will give you written notice of our decision, including our reasons and how to complain if you are not satisfied with our decision. You can also request that we attach a statement with your personal information which explains that you believe it is incorrect.
You will not be charged for making a correction request or requesting us to attach a statement with your information.
10. Data breach response
Considering the personal information CPSL handles and our obligations to protect this information, the following is required to assist with preparation of a response strategy in case of a data breach.
10.1 Data breach
A data breach occurs when personal information that CPSL holds is subject to unauthorised access or disclosure or is lost.
Examples of data breaches include:
- Loss or theft of paper records, laptops or storage devices that contain personal information.
- Accidentally sending personal information to the wrong person or third party.
- Unauthorised access to information.
- Disclosure of information to a scammer.
10.2 Responding to a data breach
CPSL action taken following a data breach should follow the following four key steps:
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Australian Information Commissioner if required. If the breach is an ‘eligible data breach’ under the Notifiable Data Breach Scheme, it may be mandatory for CPSL to notify (refer to clause 10.3 below).
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
10.3 Eligible data breaches
For a data breach to be an eligible, and therefore a notifiable, data breach, the risk of serious harm to an affected individual must be more likely than not. What ‘serious harm’ is will depend on a number of factors, which could include:
- the type and sensitivity of the information;
- what security measures (if any) protect the information;
- the nature of the harm that is likely to occur;
- the number of individuals likely to be affected;
- who is likely to gain unauthorised access to the information because of the breach; and
- CPSL has not been able to prevent the likely risk of serious harm with remedial action.
Some serious harm that can be caused by data breaches:
- Financial fraud including unauthorised credit card transactions or credit fraud.
- Identity theft causing financial loss or emotional and psychological harm.
- Family violence.
- Physical harm or intimidation.
Not all data breaches are eligible. For example, if CPSL acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Australian Information Commissioner.
If it assessed that serious harm is likely to occur, CPSL must notify individuals about an eligible data breach and prepare a statement, providing a copy via an online form to the Australian Information Commissioner – Notifiable Breach Statement
The statement must include the name and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved, and what steps CPSL recommends that individuals at risk of serious harm take in response to the eligible data breach.
If you have any questions about this Policy and our privacy practices, or you wish to complain about how CPSL has handled your personal information, in the first instance please contact CPSL:
Chief Executive Officer
GPO Box 5110, Melbourne VIC 3001
Telephone: 1300 603 411
If your complaint is not resolved to your satisfaction, you may complain to the Australian Information Commissioner, who is responsible for the enforcement of the Act. Information about how to make a complaint is available at www.oaic.gov.au.
The Information Commissioner's contact details are:
In person: Level 3, 175 Pitt Street
Sydney NSW 2000
(in person enquiries by appointment only –
call to make an appointment)
Post: GPO Box 5218
Sydney NSW 2001
Telephone: 1300 363 992
Facsimile: (02) 9284 9666
12. Policy updates