Privacy policy
Purpose and Scope
The College is the pre-eminent professional body representing Sport and Exercise Physicians and Sport and Exercise Medicine in Australia and New Zealand and is committed to maintaining the highest standards of privacy protection.
The P004 Privacy Policy (Policy) outlines how the College collects, uses, discloses and handles Personal Information (defined below) and describes the practices, procedures and systems it has in place for protecting privacy, as updated for current legislative requirements. The specific legal obligations of entities when collecting and handling personal information are set out in the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and in the Privacy Act 1993 (NZ) and the Information Privacy Principles, respectively. One such obligation requires entities to have a privacy policy such as this in place.
College Members and staff are each responsible for being aware of and supporting the College's commitment to the protection of privacy at all times, and must comply with this Policy and with any privacy laws that apply in the relevant jurisdiction when they are:
- Operating and handling Personal Information about Members, staff or any other individuals who have dealings with the College
- Carrying out College related functions or activities
- Providing such assistance as the College may require in dealing with inquiries and complaints about privacy
Where the College conducts activities outside Australia, the College or its Members may also be subject to privacy laws of the jurisdiction in which they are operating. However, even where the College is not bound by the privacy law of a jurisdiction, it strives to act consistently with the privacy principles and laws that apply wherever it operates. For further information about how the College complies with the European Union General Data Protection Regulation (GDPR), see point 7.
Please note that from 22 February 2018 the new Mandatory Data Breach Notification laws of the Privacy Act 1988 (Cth) came into effect. For further details as it relates to this Policy, see point 8.
Introduction
The College needs to collect a range of Personal Information to meet its objectives and serve the needs of its Members and other stakeholders.
In this Policy, unless the context indicates otherwise, Personal Information (which includes Sensitive Information and Health Information) has the meaning given to it by the Privacy Act 1988 (Cth) and includes, but is not limited to:
- contact information (including name, date of birth, address, phone number and email address)
- financial information (including billing address and payment information such as credit/debit card and bank details)
- employment details
- referee information
- education and employment history
- qualifications
- professional membership information
- Medical Board or other relevant registration
The College may collect, hold, use and disclose Personal Information about Fellows, Trainees, International Medical Graduates (IMGs), applicants for membership, suppliers, conference delegates, staff, online users and other individuals who have dealings with the College to effectively carry out its principal roles as a provider of training and online education modules, a Fellowship organisation and an employer.
This Policy also references “Members” which includes a Fellow, Trainee, Student Member, Overseas Trained Specialist, Retired Fellow and Committee Member; and “staff” which includes individuals who are employees or contractors of the College.
The College will ensure appropriate employees are trained in privacy legislation and how to handle requests for access and correction, complaints and other related matters.
Policy Responsibilities and Process
Data Collection
- The College will always try to only collect the information needed for a function or activity. Collection may be via forms, documentation and online forums. The information collected will depend on the individual’s relationship with the College.
- The College will use Personal Information to carry out its functions and activities. Functions and activities of the College include:
- providing membership services and benefits and maintaining membership and service/benefits records
- assisting and supporting Fellows, including providing and improving continuing professional development
- assisting and supporting Trainees
- providing education and training (including via online modules)
- providing assessment processes for IMGs
- providing workplaces and practice environments which are free from discrimination, bullying and sexual harassment
- operating a complaints resolution process, with external review and appropriate sharing of information with hospitals, employers and various regulatory bodies
- investigating conduct of staff, Fellows, Trainees and IMGs
- workforce planning and policy development
- implementing, monitoring and maintaining quality assurance processes and systems, as well as processes and systems concerning regulatory matters, registrations, accreditation, audits, risk and claims management (including dealings with insurers), complaints handling and information (including external review)
- procuring funding, donations or other support for the activities of the College
- recruiting suitable applicants to vacancies within the College
- internal administration, training, assessments and reviews
- operating boards, committees, working groups, sections and other bodies
Online information collection
- The College may collect Personal Information and usage statistics from its online systems.
- When users submit information to the College online, or use the College’s online systems to view or purchase any products, services or content, they agree to the College collecting, using and disclosing their Personal Information and any usage statistics in accordance with this Policy.
- As a global leader in sport and exercise medicine, the College may operate other online systems including websites, learning management systems, modules and portals in addition to www.acsep.org.au. Personal Information collected through various College online systems may be used to:
- Create online user accounts
- Facilitate orders for products and services (including processing payments and providing invoices)
- Screen orders for potential risk or fraud
- Provide education and training
- Communicate generally with users
- Improve the College’s products and services and evaluate their effectiveness
- Provide information to users regarding the College's products and services (in line with user preferences)
- Without limiting how information may be collected by the College through its online systems, the usage analysis software used by the College may collect information in connection with online records (amongst other things):
- unique visitors and sessions
- requested pages, downloads, search terms used, posted forms, status and errors, hits and bytes downloaded per directory, file, and file type
- entrance pages, exit pages, date/time stamps, click paths, click to and click from and length of session
- domains, time zones, countries, and IP addresses and
- browsers, platforms, and robots
- Statistics may be used for administrative purposes, including to improve and assess services, and to monitor usage patterns to improve navigation and design features—helping users to get information more easily.
- The College websites may also use cookies, which are small text files automatically stored on a user's device, as well as other tracking, monitoring and recording tools. These tools may be turned off, but doing so may affect the functionality of some features and content available on the College's online systems.
Disclosure
- In general, where appropriate, the College may disclose Personal Information to the following persons and organisations:
- Hospitals, health services, clinics and other employers of Fellows, Trainees and IMGs in connection with training, IMG assessment, complaints handling and mandatory course completion
- Specialty societies and associations
- Providers of goods and services to the College
- Government departments and agencies
- Internal and external reviews and quality assurance reviews of all College processes, including complaints, accreditation and review of training posts
- Regulatory bodies
- Members of the public enquiring about a Fellow, Trainee or IMG
- Apart from confirming status and specialty of a Fellow, Trainee or IMG, no personal information will be disclosed to a member of the public without written consent except as required by law.
- Members of the public include spouses, family members, and colleagues.
- Workforce data
- The College may publish reports and information on its selection, training and accreditation activities and IMG assessment as well as general information on workforce on its website and requestors should be referred to them.
- In the ordinary course, ad hoc reports on College activities and data will not be provided without approval of the Chief Executive Officer.
- Direct marketing
- The College will not accept requests to market products or to advertise training courses directly to Fellows and Trainees and will therefore not disclose contact information to organisations requesting its use for these purposes. The College may choose to include marketing information in routine newsletters.
- Online, the College may use:
- Shopify Inc to manage online orders and payments through its online systems. When making a purchase through the College, payment information may be collected, processed and stored by Shopify. Shopify’s privacy policy is available at www.shopify.com/legal/privacy.
- Google Analytics to help understand how the College's online systems are used. Google's privacy policy is available at www.google.com/intl/en/policies/privacy/.
- Any other online providers where appropriate.
- The College may disclose Personal Information in order to comply with any applicable laws or court orders, and to any other party where the individual expressly consents to the disclosure.
- Given that the College operates throughout Australia and New Zealand, it may be necessary for the College to disclose Personal Information between those countries. Where an individual’s Personal Information will be disclosed to recipients in other countries, the College will notify the individual.
Access
- An individual may contact the College to access their personal information held by the College by emailing nationaloffice@acsep.org.au.
- The request will be addressed in accordance with privacy legislation. As is permitted by law, a fee may be charged to cover the cost of access.
Correction
- The College seeks to maintain the accuracy of personal information. Individuals are encouraged to contact the College if the information held is incorrect or to notify the College if personal information has changed by emailing nationaloffice@acsep.org.au.
- Changes to personal details can also be made on College online systems by individuals via the personal login access where available.
Storage and Security
- The College stores Personal Information securely either electronically or in hard copy.
- IT protection systems and internal procedures are used to protect the Personal Information held by the College. This includes the College website, which the College endeavours to keep secure using firewalls.
- The College may store electronic information on remote servers or in the cloud directly, or through contracted agencies which may be based overseas. Due to the Australasian nature of the College, Personal Information may be securely stored in both Australia and New Zealand.
- Internally, Personal Information is only to be accessed by those College employees who require access as part of their role or to complete a task.
GDPR Obligations
- Under the GDPR, the College has some additional obligations with respect to the processing of “personal data” collected from residents of the European Union. The meaning of personal data is similar to Personal Information; however, it is broader as it includes any information relating to an identified or identifiable natural person.
- The College will take appropriate steps to ensure that personal data is:
- processed lawfully, fairly and in a transparent manner
- collected for legitimate purposes
- accurate and up to date
- kept for no longer than is necessary for the purposes for which it was collected
- secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage
- European residents have the right to access personal data the College holds about them and to request that personal data be corrected, updated, deleted or transferred to another organisation. European residents are also able to request that the processing of their personal data be restricted or object to their personal data being processed. To make any of these requests, please contact the College by emailing nationaloffice@acsep.org.au.
- As the College is based in Melbourne, Victoria, Australia, personal data collected will be transferred out of the European Union. The College has implemented appropriate safeguards in connection with the transfer of personal data from the European Union. The College will also use best endeavours to ensure that any third-party recipient located outside the European Union will take steps to safeguard the personal data transferred or disclosed to such a recipient.
Data Breach Requirements
- From 22 February 2018 the Mandatory Data Breach Notification laws (the Notifiable Data Breaches scheme) of the Privacy Act 1988 (Cth) came into effect.
- Under this scheme, if an 'eligible data breach' occurs the College is required by law to notify the Members and other individuals who may be affected. Examples of an eligible data breach include:
- A device that holds membership/customers information is lost or stolen
- A database storing membership/customer information is hacked or accessed without consent
- Personal information is sent to the wrong person
- An eligible data breach occurs when personal information (name, contact or banking details etc.) is accessed or disclosed without proper authorisation, or is lost in circumstances where unauthorised access or disclosure is likely, and the breach is likely to result in 'serious harm' to one or more individuals. Examples of serious harm include:
- Financial loss through fraud
- Identity theft
- Risk of physical harm, such as by an abusive person
- Psychological harm
- Reputational harm
- Under the legislation the College has a maximum of 30 days to assess whether a suspected breach is an eligible data breach, and must then notify affected parties as soon as practicable. The College will endeavour to notify as soon as practicably possible.
- The College will notify affected parties either directly (email, phone) or indirectly (notification on the College website).
- The College will also notify the Office of the Australian Information Commissioner (OAIC - www.oaic.gov.au)
- The following information will be included in any College data breach notification:
- The personal information involved in the breach
- A description of the data breach
- The College’s contact details
- Recommendations for steps the affected parties can take to minimise harm
- If a serious data breach occurs that is beyond the College's own capacity to address, the College will engage independent external cyber security, forensic and legal experts.
- If a serious data breach occurs there will be Executive / Board level oversight and reporting undertaken to ensure a culture of compliance and robust privacy / information security governance.
Complaints Process
- Any inquiries or complaints about the College's handling of personal information should be directed to nationaloffice@acsep.org.au.
- The College may require privacy complaints to be made in writing. Complaints will be resolved as promptly as possible.
- The websites of the Office of the Australian Information Commissioner and the Office of the New Zealand Privacy Commissioner are an additional source of information – www.oaic.gov.au and www.privacy.org.nz.
- It is College policy that any adverse feedback (written or verbal) from membership or external personnel about College policy or procedures will be investigated thoroughly in accordance with the most current version of the P002 ACSEP Grievance Policy and Procedure.
- The College will take appropriate action against any persons behaving in a way that falls within the range of unacceptable behaviour as outlined within the College’s various policies on Code of Ethics and Professional Behaviour, Harassment, Bullying and Discrimination, Cultural Diversity and Ethics. This may include disciplinary action under the College rules and constitution.
- All parties involved will be notified by the College National Office, either in writing or verbally, of the outcome. Severe breaches may be referred to the College Legal Counsel and Fair Work Australia.
Reporting
No additional reporting outside of this Policy is required. The College shall publish annually a report on College activities for membership reporting.
Records Management
Staff must maintain all records relevant to administering this Policy in a recognised College record keeping system. Records will be managed and maintained by the College in accordance with the P012 ACSEP Records Management Policy and associated procedures.
Related Legislation and Documents
Privacy Act 1988 (Cth) and the Australian Privacy Principles
Privacy Act 1993 (NZ) and the Information Privacy Principles
Office of the Australian Information Commissioner www.oaic.gov.au
Office of the New Zealand Privacy Commissioner www.privacy.org.nz
P002 ACSEP Grievance Policy and Procedure
P012 ACSEP Records Management Policy
P015 ACSEP Code of Ethics and Professional Behaviour Policy
Feedback
College staff, membership or any other interested person may provide feedback about this document by emailing nationaloffice@acsep.org.au.
Approval and Review Details
Approval Authority: ACSEP CEO and ACSEP Board of Directors (Executive)
Advisor or Advisory Committee to Approval Authority: ACSEP CEO
Policy Administrator: ACSEP Programs, Policy and Systems Administrator
Next Review Date: 1/7/2019
Approval and Amendment History:
- V2 - 08/08/2018: Ratified by Board Executive
- V2 - 09/07/2018: Researched and redrafted by Programs and Systems Administrator
- V2 - 12/6/2018: Reviewed by ACSEP CEO; legal advice from Russell Kennedy Lawyers, Melbourne
- V1 - 01/05/2016: Developed by ACSEP CEO
Original Approval Authority: ACSEP CEO
Effective Date: 01/05/2016
Amendment Authority and Date: ACSEP Board Executive, 08/08/2018
Notes: