Privacy Policy

bool(false)

Policy statement

The Haymarket Foundation Ltd (ABN 24 001 397 986) (we, us, our, Haymarket) is a charitable organisation focussed on supporting those experiencing homelessness or at risk of experiencing homelessness, or harm related to AOD (Alcohol and other drugs). 

At Haymarket, we take our privacy obligations seriously. We take all reasonable steps to ensure we are open and transparent about the way we manage your personal information.

When we collect and handle personal information (including health information), we are required to comply with applicable laws, including the Privacy Act 1988 (Cth) (Privacy Act) and Australian Privacy Principles (APPs), and the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) and Health Privacy Principles (HPPs).

Purpose and Scope

Purpose

This Privacy Policy sets out how we collect, hold, use and disclose personal information, including health information. 

Scope

This policy applies to Haymarket residents and all people we provide a service to (clients), and about whom we collect personal information (you, your). 

This policy does not apply to the privacy of Haymarket employees. Haymarket is generally exempt from the Privacy Act when we handle ‘employee records’ (as defined in the Privacy Act). If you are a current or former employee, employee records are those that are directly related to your employment with us and include personal information held by us which relates to your employment. 

Please note that this policy does apply to Haymarket contractors and subcontractors. If you are unsure about your relationship with Haymarket, you can contact us. 

At times, we will also provide a privacy collection notice or privacy statement when we collect personal information from you. These may set out additional details about the ways we will handle personal information in specific situations.

Responsibilities

CEO

  • Ensure the policy is implemented across Haymarket. Oversee compliance with privacy laws and principles.

Policy Officer

  • Maintain and update the Privacy Policy and ensure all staff are trained on privacy obligations.

Managers

  • Ensure their teams comply with the Privacy Policy and report any privacy breaches to the Policy Officer.

All Staff

  • Follow the Privacy Policy in their daily activities. Report any privacy concerns or breaches.

Procedure

Incident Reporting:

  • Staff members must report any incidents involving personal information breaches to their immediate supervisor
  • The supervisor will document the incident and notify the Privacy Officer

Remediation:

  • The Privacy Officer will assess the incident and determine the necessary remediation steps.
  • Staff members involved in the incident will assist in the remediation process as directed by the Privacy Officer.

Data Collection:

  • Personal information should be collected directly from the individual whenever possible.
  • In cases where information is collected from a third party, staff must ensure that the individual has provided consent.

Data Usage:

  • Personal information should only be used for the primary purpose for which it was collected.
  • Any secondary use of personal information must be in accordance with applicable laws and with the individual’s consent.

Data Disclosure:

  • Personal information should not be disclosed to external organizations or third parties unless required by law or with the individual’s consent.
  • Staff must ensure that any third party handling personal information complies with applicable privacy laws.

Access and Correction:

  • Individuals have the right to request access to their personal information.
  • Staff must verify the individual’s identity before providing access.
  • Individuals can request corrections to their personal information if it is inaccurate or outdated.

Complaints Handling:

  • Staff should direct any privacy-related complaints to the Privacy Officer.
  • The Privacy Officer will acknowledge the complaint within three working days and aim to resolve it within 21 days.
  • If the complaint is not resolved, the individual can contact the Office of the Australian Information Commissioner (OAIC) or the NSW Privacy Commissioner.

What is ‘Personal’, ‘Sensitive’ and ‘Health’ Information? 

“Personal information” is defined in the Privacy Act, and means information or an opinion about an identified individual, or an individual who is reasonably identifiable. 

In this policy, whenever we use the term “personal information”, we are referring to this definition. 

Personal information does not include aggregated or de-identified data.

We may also collect “sensitive information”. Sensitive information is a subset of personal information that includes information or an opinion about an individual’s: 

  • racial or ethnic origin 
  • political opinions or associations 
  • religious or philosophical beliefs 
  • trade union membership or associations 
  • sexual orientation or practices 
  • criminal record 
  • health or genetic information; and 
  • some aspects of biometric information.

“Health information” is defined under the Privacy Act and the HRIP Act to include: 

  • information or an opinion about an individual’s physical or mental health, disability (at any time), or express wishes about the future provision of health services, or information about a health service provided, or to be provided, to an individual; 
  • other personal information collected to provide, or in providing, a health service; 
  • personal information collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances; or
  • genetic information that is in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. 

Under the HRIP Act, healthcare identifiers (such as Medicare numbers) also constitute “health information”.

What personal information do we collect and hold? 

The types of personal information, including health information and other sensitive information, we collect and hold about you will depend on who you are and the purpose for collecting it. 

Below we have described the types of personal information we generally collect. We will only collect information about you that is reasonably necessary for our functions or activities as they relate to you.

Clients (personal and health information) 

Personal information

  • Your name and contact details, including your telephone number, email address and residential address (including prior residential addresses) 
  • Your date of birth and your age 
  • Your sex at birth
  • Your gender identity 
  • Your Medicare and Centrelink information (where this does not constitute health information)
  • Your driver licence details
  • Your pension information 
  • Your tenancy history, including your tenancy file housing number and tenancy reference checks 
  • Your identity document numbers and/or copies, including information from your driver licence, passport, birth certificate, and proof of age card 
  • Your education and employment history
  • Information about your family and living arrangements, including your marital status, number of children and family health information (where this does not constitute health information)
  • Your emergency contact details
  • Information about your working eligibility rights 
  • Your tax file number
  • Your credit related personal information 
  • Your financial information, including bank account details, credit card information, debt information and income
  • Information about any orders in place authorising another person to make healthcare, lifestyle, financial and medical decisions on your behalf or assist you with making these decisions
  • Sensitive information, including information about your racial or ethnic origin, religious beliefs or affiliations, membership of a professional or trade association, sexual orientation or practices, or criminal record
  • Details of your interactions with us (e.g. when you make an enquiry or complaint, provide us with feedback, or if there is an incident you are involved in) 
  • Any other information we require to provide our services to you. 

Health information we may collect includes: 

  • Physical or mental health symptoms or diagnoses
  • Disabilities
  • Substance (i.e. drug and alcohol) usage or dependency
  • Allergies
  • Current or previous diagnoses / illnesses
  • Current or previous medication prescriptions / usage
  • Current or previous health care / treatment
  • Blood Borne Virus infections (e.g. HIV, HCV, STIs)
  • Treating health care practitioners (including doctor/s)
  • Test results
  • Discharge summaries
  • Specimens provided for analysis (urine, saliva, blood)
  • Vaccination status (including for Covid-19)
  • Healthcare identifiers (e.g. Medicare number) 

When we collect what would otherwise be classed as personal information for the purpose of providing you with a health service (such as in providing you with a medical, mental health or community health service), this will also be “health information”. 

Donors and non financial supporters

  • Your name and contact details, including your telephone number, email address and residential address 
  • Your date of birth and your age 
  • Your employment information (if you are donating on behalf of your employer)
  • Your financial information, including credit card details 
  • Details about your donation history 
  • Details of your interactions with us (e.g. when you make an enquiry or complaint or provide us with feedback).

Note: in some cases, this information is processed by a third-party provider: see below)

Third party service providers 

  • Your name and contact details, including your telephone number, email address and residential address (including prior residential addresses) 
  • Your date of birth and your age 
  • Your education and employment history 
  • Credentialing information, including professional licences and registrations 
  • Financial information, including bank account details.
  • Details about your donation history 

Volunteers, prospective employees, contractors 

    • Your name and contact details, including your telephone number, email address and residential address
    • Your date of birth and your age 
    • Your sex at birth and your gender identity 
    • Your identity document numbers and/or copies, including information from your driver licence, passport, birth certificate, and proof of age card 
    • Your education and employment history
    • Your emergency contact and referee details
    • Information about your working eligibility rights 
    • Your tax file number 
    • Credentialing information, including your working with children check 
    • Your vaccination status (including for Covid 19)
    • Your financial information, including back account details and superannuation details  

Sensitive information, including information about your membership of a professional or trade association, criminal record, and health information.

Emergency contact, family member of client, referring / treating health care professional, referee, authorised representative, visitor

  • Your name and contact details, including your telephone number, email address and residential address 
  • Your sex at birth and your gender identity
  • Your date of birth and your age 
  • Your education and employment history 
  • Information about your family and living arrangements 
  • Information about any orders in place authorising you to make healthcare, lifestyle, financial and medical decisions on another individual’s behalf or assist an individual with making these decisions 
  • Sensitive information, including your health information 
  • Details of your interactions with us (e.g. when you provide us with an opinion).   

Website users

  • Your name and contact details, including your telephone number, email address and residential address (including prior residential addresses) 
  • Details of your interactions with us (e.g. when you make an enquiry or complaint, or provide us with feedback) 
  • Online and digital services information, including your IP address, device details and activities on our website (through ‘cookies’ and ‘pixels’). A cookie is a small file placed in your web browser that collects information about your web browsing behaviour. Use of cookies allows a website to tailor its configuration to your needs and preferences. Cookies do not access information stored on your computer or any Personal Data (e.g. name, address, email address or telephone number). You can choose to reject cookies by changing your browser settings. This may, however, prevent you from taking full advantage of our website.Our website uses cookies to analyse website traffic, provide social media sharing and liking functionality and help us provide a better website visitor experience. In addition, cookies and pixels may be used to serve relevant ads to website visitors through third party services such as Google Adwords and Facebook Adverts. These ads may appear on this website or other websites you visit.
  • Our website may contain links to other websites. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship or endorsement or approval of these websites. Haymarket is not responsible for the privacy practices of such other websites This privacy policy applies solely to information collected by this website.

For all individuals

We may also collect other types of personal information, including: 

  • Image, video and sound recordings (such as voicemails and audio on promotional videos)
  • Camera surveillance information (image and video only) captured through Closed-Circuit Television (CCTV) footage
  • Information related to your interactions with us (e.g. information from email, text message, telephone call or other electronic interactions and in-person interactions with you)
  • Publicly available information

How do we collect and hold personal information?

How information is collected 

Where possible, Haymarket collects personal information directly from you. 

In some cases, we will collect your personal information from a third party. For example, depending on the nature of our relationship with you, we may collect personal information about you from other people and organisations, including (but not limited to): 

  • a health care professional or service;
  • your authorised representative, emergency contact, next of kin or family member; 
  • a government agency; 
  • another service provider;
  • a client;
  • your employer; or
  • your referee. 

We will only collect and use your sensitive information, including your health information, where you have provided your consent, or as otherwise permitted or required by law. Where consent to collection is sought, it is sought voluntarily from you and we will inform you of what you are consenting to.

You can opt out of ‘cookies’ and Google Analytics by adjusting your device and privacy settings.

How information is held 

Personal information may be collected and held in hard copy or electronic form. Hard copy and electronic records are held securely by us, our third party providers or within databases we have access to.   

We maintain physical security over our hard copy files and premises, including through locks, security systems, and restricting access and amendment permissions to authorised personnel. 

We maintain security over our electronic files, including through multi-factor authentication, password complexity and change requirements, conducting continuous monitoring for unauthorised access, and restricting access and amendment permissions to authorised personnel. We may engage third party data storage providers to store and secure our data, including personal information we hold, on the basis that the information is properly secured and protected.

We also take reasonable steps to destroy or de-identify personal information that is no longer required, or personal information which we did not ask for and which we are not entitled to collect or retain under the APPs, in accordance with applicable laws and the requirements of any government or other funding body’s record-keeping requirements. 

Why do we collect, hold, use and disclose your personal information?

The primary purpose for which we collect, hold, use and disclose your personal information will depend on who you are and how you interact with us. Generally, this will be the purpose set out in the table below:

Relationship with the Haymarket Foundation Primary purpose 
Client To provide you with our services
Donor/SupporterTo process your donation/s and manage the donor relationship with you 
Third party service providerTo manage the commercial relationship with you
Volunteer, prospective employee, contractorTo assess your suitability for a position with us, and manage our working relationship with you
Next of kin, emergency contact, family member of client, referring / treating health care professional, referee, authorised representative, visitorTo liaise with you in relation to another individual, as permitted under applicable laws,  and authorised by the individual or required
Website userTo provide you with access to information on our website

 

We collect, hold, use and disclose personal information only for the primary purpose for which it was collected, purposes permitted under applicable laws, including the APPs and HPPs, or for those additional purposes set out below:

  • to assess your eligibility for our services;
  • to make contact with you, as permitted; 
  • to plan, manage, monitor and evaluate the administration and services of Haymarket; 
  • to conduct statistical analysis and reporting; 
  • to obtain advice and relevant details from consultants and other professional and healthcare advisors; 
  • to comply with the requirements of our funding bodies as part of their funding agreement/s with us;
  • to provide customer service functions, including requesting and handling feedback, enquiries, and complaints;
  • to facilitate proper governance processes such as risk management, incident management, internal audit and external audits; 
  • to plan and undertake marketing, fundraising and promotional activities, in support of our objectives; 
  • to satisfy our legal obligations, comply with applicable laws and meet the requirements of bodies which regulate the services we provide; 
  • to comply with our record-keeping and audit obligations; 
  • to create de-identified or aggregate datasets; 
  • to understand, through aggregated information, trends and patterns which we use for research and advocacy; 
  • to coordinate and schedule meetings; 
  • to refer you to another service provider;
  • to liaise with external bodies, such as government agencies, on your behalf; 
  • to verify your identity; 
  • to meet requirements under our insurance policies; and 
  • to fulfil other purposes which you have consented to, in accordance with applicable laws. 

Who do we share your personal information with and why? 

We will not disclose or otherwise provide your personal information to other external organisations and/or third parties except: 

  • as required by our funding agreements;
  • as required or permitted by law;
  • where we have your consent to do so; 
  • for a purpose permitted by this policy;
  • for a purpose explained to you at the time we collect your personal information;
  • where your life, health or safety or that of another individual is at risk, or where there is a serious threat to public health or safety; or 
  • if you request us to do so. 

Examples of organisations and/or third parties that your personal information may be disclosed or otherwise provided to include:

  • another service provider, where you are transferring to a service provider external to Haymarket; 
  • a government agency; 
  • our third party service providers, who assist us with the delivery of our services or in undertaking quality assurance of our services; or 
  • an organisation or third party who can ensure your safety, where we have a reasonable concern that your life, health or safety is at risk.  

Where possible, we seek to ensure through our contractual and other arrangements with external organisations and third parties that they:

  • comply with the applicable laws, including the APPs and HPPs, in handling your personal information; and 
  • use personal information only to provide the services or perform the functions required by us.

Do we share your personal information overseas? 

We generally collect and hold your personal information within Australia. However, we may engage third party providers located offshore to store and secure our data and to provide other services, in accordance with applicable laws. These locations include the United Kingdom, New Zealand, Canada, China, Singapore, Hong Kong and the United States of America. 

We only ever disclose or otherwise provide your personal information offshore in accordance with applicable laws, including the APPs and HPPs. We also take reasonable steps to ensure your personal information is only used to provide the services or perform the functions required by us.

If you do not agree to the transfer of your personal information outside Australia, you should contact the Haymarket Foundation’s Privacy Officer at:

Email: privacy@haymarket.org.au 

Phone: (02) 9197 9761

Post: Haymarket Foundation Privacy Officer 

            137-139 Regent Street 

            Chippendale NSW 2008

Do we share or use your personal information for direct marketing? 

We may collect, hold, use and disclose the personal information of our donors for the purpose of telling you about our services and to communicate with you about our activities, including upcoming fundraising events and campaigns. 

We will only send these communications in accordance with applicable laws, including the Spam Act 2003 (Cth). 

If you do not wish to receive marketing or promotional communications from us, you may  ‘unsubscribe’ via the link provided in any electronic message we send you. In other circumstances, you may contact us using the details below and we will cease the relevant marketing or promotional communication: 

Email: privacy@haymarket.org.au 

Phone: (02) 9197 9761

Post: Haymarket Foundation Privacy Officer 

            137-139 Regent Street 

            Chippendale NSW 2008

If you opt out of receiving marketing material from us, we may still contact you for non-marketing reasons. For example, if you are a supplier, receiving a service from us or receiving a receipt, we may still communicate with you.

Can you deal with us without providing your name? 

We will provide an option for you to use an alias or otherwise be anonymous unless it is impermissible, impractical or inhibits the adequacy or quality of service provided to you.

We will always address you by your preferred name. However, in some cases, we may be required to sight or retain a copy of an instance of your personal information which contains your birth name. For example, we may require a copy of your birth certificate to validate your identity. 

How can you access or seek correction of your personal information? 

Access

You are entitled to request access to the personal information held by us about you. To do so, please contact us at: 

Email: info@haymarket.org.au 

Post: Haymarket Foundation Privacy Officer 

            137-139 Regent Street 

            Chippendale NSW 2008

Your personal information will generally be provided to you once we have completed our verification and risk processes, subject to applicable laws. We may liaise with you to obtain further information about your request and how you would like to receive the requested information.

Correction 

You are entitled to ask us to correct personal information about you which is inaccurate, outofdate, incomplete, irrelevant or misleading. For example, we ask that you inform us if any of your contact information changes. To do so, please contact us at: 

Email: info@haymarket.org.au 

Post: Haymarket Foundation Privacy Officer 

            137-139 Regent Street 

            Chippendale NSW 2008

We will correct your information where we agree with you. 

If we receive and consider an application from you to correct your information, and decide the information should not be corrected, we will not correct it. In such cases, we will:

  • provide you with written reasons for this refusal;
  • provide you with written information about how to make a complaint about the refusal; and 
  • include a note with the personal information you consider should be corrected, noting that you consider this information to be inaccurate, out-of-date, incomplete, irrelevant or misleading. We will also advise you once we have done so.

How can you make a complaint about the handling of your personal information? 

If you have a query or a complaint about our handling of your personal information, please direct your this to the Haymarket staff member who is your ordinary contact in the first instance. 

Alternatively, you can direct a query or complaint about our handling of your personal information to the Haymarket Foundation’s Privacy Officer at:

Email: info@haymarket.org.au 

Phone: (02) 9197 9761

Post: Haymarket Foundation Privacy Officer 

            137-139 Regent Street 

            Chippendale NSW 2008

We will treat your query or complaint confidentially. We will acknowledge your query or complaint within three working days, and will aim to investigate and resolve your query or complaint in a timely and appropriate manner (and within 21 days of lodgement).

If your query or complaint is not resolved, or you are dissatisfied with the outcome, you may contact the Office of the Australian Information Commissioner (OAIC). For further information, visit the OAIC’s website or phone 1300 363 992. 

You may also make a privacy related complaint to the NSW Privacy Commissioner within six months of the conduct subject of your complaint. You can find further information here

Relevant documents

External

Privacy Act 1988 (Cth): This Act includes the Australian Privacy Principles (APPs) and governs how personal information is handled by organizations, including NGOs.

Health Records and Information Privacy Act 2002 (NSW) (HRIP Act): This Act includes the Health Privacy Principles (HPPs) and specifically governs the handling of health information in NSW.

Internal

The Haymarket’s privacy policy is published on our website

Complaints Policy

Subscribe for updates

Support the Haymarket’s work to end homelessness and disadvantage

    Contact us for further information about The Haymarket Foundation