Hume Community Housing is required by the Privacy Act 1988 (Commonwealth) to comply with the
Australian Privacy Principles (APPs) (subject to the other provisions of the Privacy Act). The
APPs regulate the manner in which personal information is handled throughout its
lifecycle, from collection to use and disclosure, storage, accessibility and disposal.

1.0 Purpose

(i) To explain how Hume manages personal customer information obtained

(ii) To enhance the transparency of Hume operations

2.0 Scope

This policy applies to all functions, operations and activities of Hume and
all employees, Directors and contractors involved in the delivery of Hume functions,
operations and activities. However, Hume may rely upon any applicable 'employee records'
exemptions from the APPs when dealing with information relating to Employees,
and this policy will not apply in those cases.

Personnel at Hume may be required to comply with mandatory reporting obligations where they have
reasonable grounds to suspect a child is at risk of significant harm. For the avoidance of
doubt, disclosure of personal and sensitive information in connection with such reporting is
permitted by this policy.

(i) Strategic Alignment

A progressive and high achieving organisation

3.0 Reference

(i) Australian Privacy Principles (APPs)

(ii) Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988
(Privacy Act)

(iii) General Data Protection Regulation 2016/679 (GDPR)

(iv) Definitions

i. Customer: means a tenant, resident or participant in a program or service, and includes a
potential tenant, resident or participant, or an applicant for Hume programs or services.

ii. Customer information: Information or an opinion (including written and verbal
information or an opinion forming part of a database), whether it is true or not and whether
written or verbal material, about an individual who can be identified from the information or opinion.


iii. Personal information: Information Hume may collect including an individual's
name, gender, date of birth, address, email address, bank details, phone and facsimile
numbers, emergency contact information, and photograph.

iv. Sensitive information: Information or opinions which may include an individual's
racial or ethnic background, religious or philosophical beliefs, employment record,
criminal record or health/medical information.

v. Employee: Reference that includes paid employees, volunteers and students on placement.

vi. Contractors: Third party worker engaged to complete work at any Hume
property.

vii. Subpoena: Court issued command for an individual or organisational
representative to appear before the court or to provide specific evidence,
e.g. customer file. Failure to obey a subpoena without good reason can result in either a warrant
issued for arrest, liability for costs or any penalties imposed by the courts.

4.0 Policy

(i) All Hume services will comply with the APPs which regulate how
this organisation may collect, use, disclose and store personal information and how individuals may
access and correct personal information held by Hume.

(ii) Hume is committed to protecting customer privacy. Hume will only use
information that relates to Hume functions, operations or activities.

(iii) When Hume has been engaged to provide any of its functions and services, then
use and disclosure of your personal information should be conducted in the manner described in
this policy.

(iv) Furthermore, where applicable, Hume will confirm express consent when
collecting any personal information for the purposes of compliance with the Privacy Act and, where
applicable, the regulations set out in the General Data Protection Regulation (EU) ('GDPR').

5.0 Privacy Principles

Part 1 - Consideration of Personal information privacy

Principle 1: Open and transparent management of personal information

Hume collects and handles a range of personal information for the purpose of providing
services or complying with legislative functions. The practice of Hume is to try to only
ask for and collect personal information we need for the functions and activities we carry
out. A copy of Hume's Privacy Policy is available on the website or in hard copy form, which can be
picked up at any Hume Office free of charge.

Principle 2: Anonymity and Pseudonymity

Whenever it is lawful and practicable, customers will have the option of not identifying themselves
by dealing with us anonymously or by using a pseudonym. For instance, customers can report on
any anti-social behaviour or lodge a complaint to Hume anonymously. Hume may also
provide information that is publicly available to customers, such as annual
reports, without the customers having to identify themselves.

Part 2 - Collection of personal information

Principle 3: Collection of personal information

Hume uses and collects personal and sensitive information relating to our primary
functions, operations or activities. Hume collects information for the following
purposes:

i. To provide services

ii. To run Hume's business and operations

iii. To communicate and manage our relationship with customers

iv. To assist employees in providing services to customers and assess eligibility for
services and support to potential customers

v. For administrative requirements including maintaining and updating records, carrying
out data analysis and providing information to Hume's insurance providers

vi. To prevent or detect fraud or abuses

vii. To provide information to law enforcement, legal advisors and Government
agencies at all levels

viii. To provide information to Hume support partners and health providers who
provide necessary follow up and ongoing services to Hume customers and participate in
information sharing systems to improve support and service to customers receiving services
from agencies and departments as well as Hume

ix. To comply with Government and other reporting requirements that apply.

Hume may receive information collected from support partners, health providers or other
agencies so that we can provide follow up or ongoing services. Hume may also receive information
from a Customer or applicant that relates to another family or household member. Hume
will collect personal information about a customer or applicant from a third party only if:

i. The individual consents to the collection of the information (for example by
authorizing Hume to obtain information from Centrelink, a health service or support
worker); or

ii. It is unreasonable or impracticable to collect the information from the individual (for
example, if personal information is given about a Customer as part of a tenancy
complaint about the household).


Sensitive Information
Hume does not collect sensitive information, unless it is specifically relevant and
necessary for the purpose of Hume's functions, operations or activities, and an
individual's express consent is first obtained. Such functions, operations or activities may
include:
i. Providing customers with translation services
ii. Conducting surveys on tenant satisfaction
iii. Considering eligibility for and providing supported or priority housing
iv. Ensuring Hume staff respect the religious and cultural customs of Customers when
entering properties for inspections.

Sensitive information that is relevant and necessary for these activities may include health
information about customers and household members. All sensitive information that is collected is
to be managed in accordance with this policy.

Impact of not providing information
Customers do not have to consent to providing information requested by Hume. However, if
Hume is not able to collect an individual's personal and health information, Hume may not be able
to process the individual's application, provide the individual with services and products, deal
with an individual's enquiries or engage in the activities listed above.

Principle 4: Dealing with unsolicited personal information (not requested)
Hume will determine whether or not the information could be unsolicited information. If it is
determined that Hume does not require the information, the information will be destroyed as soon
as practical or the information will be de-identified.

Principle 5: Notification of the collection of personal information
Hume will take reasonable steps to notify customers or ensure that the customer is aware that
personal information is being collected about the customer using the Form - Disclosure
Consent.

Part 3 - Dealing with personal information

Principle 6: Use or disclosure of personal information
Hume will only hold and disclose personal information about a customer that is
collected in accordance with Principle 3 (the primary purpose). Hume will not use or disclose
the information for any other purpose (the secondary purpose) unless:


i. The secondary purpose is related to the primary purpose of collection and, if the personal
information is sensitive information, directly related to the primary purpose of
collection;

ii. The individual would reasonably expect the organisation to use or disclose the
information for the secondary purpose (for example, these secondary purposes may include
handling a complaint, reporting to Government, coordinating with other service providers
through information sharing systems, and promoting Hume);

iii. The individual has consented to the use or disclosure to the third party (support
partners);

iv. Where required or authorized by Australian Law, or a court/tribunal order (e.g.
subpoena/NCAT) or for the purposes of legal proceedings to which Hume is a party;

v. Hume reasonably believes that the use or disclosure is necessary to prevent:
serious impact to a customer's life, health or safety or a serious threat to public health and
safety.

Principle 7: Direct marketing

Hume will not use or disclose personal information for the purpose of direct marketing. In the
event such personal information is used for the purposes of 'direct marketing', then at the point
any personal information is collected, a person should be asked to "opt in" to consent to Hume
using or disclosing their personal information for direct marketing. A person should
generally be given the opportunity to "opt out" from receiving marketing communications
from Hume. A person may "opt out" from receiving these communications by clicking on an
unsubscribe link at the end of an email or by contacting Hume with this request.

Principle 8: Cross-border disclosure of personal information

Personal information may be processed by or disclosed to employees or other third parties
operating outside of Australia who work for Hume. For example, we may use a server hosted
overseas or cloud-based software to store data, which may include your personal information.
Hume will take reasonable steps, in the circumstances, to protect any information transferred
or stored outside Australia to ensure that the overseas recipient does not breach
Australian privacy laws in relation to the personal information ('reasonable steps').

However, the reasonable steps may not apply if Hume reasonably believes that:

i. The recipient of the information is subject to laws that have the effect of protecting
information in a similar way to the APPs; and

ii. There are mechanisms that an individual can access in that overseas country to enforce
their rights for any breaches of privacy of their personal information.

Principle 9: Adoption, use or disclosure of government related identifiers

Hume will not use an Australian Government identifier for any customer as its own.
However, Hume will record government identifiers such as the Centrelink Reference Number
(CRN) in order for Hume to fulfil its obligations to Centrelink.

Part 4 - Integrity of personal information

Principle 10: Quality of personal information

Hume will take reasonable steps to ensure that personal information is accurate, complete
and up-to-date.

Principle 11: Security and personal information

Hume will take reasonable steps to protect information from misuse, interference, loss and
unauthorized access, modification or disclosure. These steps include password protection for
accessing our electronic IT system, securing paper files in locked cabinets and
physical access restrictions, and destroying information in a secure manner where required.

Part 5 - Access to and correction of personal information

Principle 12: Access to personal information

Customers have a right, on request, to access their own personal information held by Hume unless:

i. Hume believes access would pose a serious impact to customer's life, health or safety or a
serious threat to public health and safety;

ii. Giving access would have an unreasonable impact on the privacy of other
individuals;

iii. Information relates to existing or anticipated legal proceedings;

iv. Giving access would be unlawful;

v. Denying access is required or authorized by or under Australian law or a
court/tribunal order;

vi. Hume has reason to suspect that the information will be used for unlawful
activities or misconduct of a serious nature;

vii. Giving access would be likely to prejudice one or more enforcement bodies;

viii. Giving access would reveal evaluative information generated within Hume
Housing in connection with a business sensitive decision-making process.

Individuals will need to verify their identity before being granted access or correcting
information held by Hume. Hume will usually respond to a request for access to
personal information within 30 days after the request has been made.

If Hume does not agree to provide access to personal information or amend personal information
held for reasons noted above, Hume will generally provide a written response explaining
the reasons for the decision. Customers can appeal Hume's decision as per Policy &
Procedure - Appeals.

Principle 13: Correction of personal information

Hume will take reasonable steps to correct information to ensure it is up to date,
complete, relevant and not misleading. These steps include maintaining and updating personal
information when we are advised by individuals that their personal information
has changed, and at other times as necessary.

Consent to record and use images

i. Hume will obtain consent for any images of customers taken for promotional
purposes. Customers will be asked to sign a Privacy Consent Form which will also
contain detail about the purposes for which the photograph or video footage will be used.

ii. In cases where it is difficult to gain informed consent for the intention of taking
photographs or video footage (for example, at a large event), Hume may give notice to
people attending the function that photographs or video footage will be taken and may be used for
specified purposes. Hume respects individual privacy and will allow an attendee to make
arrangements if they are sensitive to the use of their image.

iii. Hume will take special care in the publication of photographs or video/DVD
images of children. Hume will seek consent of the child's parent or legal guardian in relation to
photographs or video/DVD footage of persons under the age of 18.

iv. Hume uses video surveillance / CCTV systems in strategic locations in the
internal and external areas of our premises. These camera systems may record footage of
Customers, Employees, Contractors and other individuals on our premises. This surveillance
is undertaken continuously and will continue on an ongoing basis. Cameras used for this
purpose will be clearly visible and accompanied by notices at relevant entrances.

Placements and Volunteers

All students or volunteers who wish to complete their placement at Hume must comply
with privacy principles and agree to sign a Confidentiality Agreement.

Each participant is required to sign a Privacy Consent Form prior to participation.

Students looking to complete their placement at Hume are also required to
submit a proposal regarding their placement and must include a statement confirming their
practices will accord with this policy.

Contractors

All Contractors who wish to work directly or indirectly for Hume must comply with Hume's
privacy principles and agree to sign a Confidentiality Agreement and Privacy Consent Form, prior
to commencement of works on any Hume common area, property or office.

Disposal and Retention of personal information.

All documents and information containing personal information will be retained, disposed of
and stored as per the Policy - Document Control.

Complaints

All privacy complaints should be addressed to the Risk and Quality Assurance
Manager and will be handled as per the Policy & Procedure - Complaints. If Hume
receives a privacy complaint from an individual, the responsible officer will determine what (if
any) action will be taken to resolve the complaint and will respond to the individual
within a reasonable period.

Data Breach

In the event of a data breach, such as the unauthorised loss, use or disclosure of
personal information, Hume will assess and respond in line with its applicable policies and
procedures, which incorporate the requirements contained in the Privacy Act. Pursuant to
its obligations under the Privacy Act, Hume will notify an individual if their personal
information is involved in an eligible data breach that is likely to result in serious
harm. Such notification will also include making recommendations about the steps an individual
should take in response to the breach. Where required by law, the Australian Privacy and
Information Commissioner will also be notified of an eligible data breach.

GDPR Applicability
Data Subject Rights - Where applicable under the GDPR, and in addition to the rights set out above,
a person will have the following rights regarding its personal information stored with Hume:
i. the right for an individual to object to its personal information being processed;
ii. the right to data portability of their personal information;
iii. the right to complain or query how Hume processes an individual's personal
information;
iv. the right for an individual to object to automated decision making using their
personal information; and
v. the right for an individual to have its personal information forgotten by Hume.

Data Controller and Data Processor - An individual should acknowledge that when using
Hume's website, it will be deemed to be the data controller in relation to any personal
information that Hume collects and stores and will be responsible for how such personal information
is collected. An individual must ensure that it obtains consent and provides notice to any
persons as required under the relevant privacy legislation in relation to the collection,
storage and use of their personal information. When an individual uses Hume's website,
Hume is acting only as a data processor in relation to personal information
and data entered, collected and stored by an individual. Hume must only access an
individual's data in accordance with written instructions given by that person, or unless
required to do so by the Privacy Act or GDPR.

Changes to our Privacy Policy
Hume reserves the right to change this policy from time to time. If this policy is
changed, an updated version will be posted on our website.

Links or references to other websites or entities
Hume's website or other materials may contain links or references to other web sites or entities.
Hume is not responsible for the privacy practices or content of such third-party websites or
entities.

6.0 Responsibility
(i) Board is responsible for ensuring this policy is developed
(ii) CEO is responsible for ensuring this policy is regularly reviewed
(iii) Managers are responsible for ensuring that this policy is implemented


7.0 Relevant Documents
(i) Privacy Consent Form.
(ii) Publications Consent Form - Confidentiality Agreement
(iii) Policy & Procedure - Complaints
(iv) Policy & Procedure - Appeals.
(v) Policy - Document Control


8.0 Summary of changes

Version Nr. | Date | Details of Changes
001 | 18/03/2013 | Initial Issue
002 | 7/03/2016 | Reviewed as part of annual review on 16/12. Updated that all complaints be addressed to Risk and Quality Assurance Manager. Removed 'Form - Consent for the use of images' from 'Relevant documents' section.
003 | 16/03/2017 | Changes to defined terms. Statement added referring to employee records. Content added in the Policy to describe the patchwork tool. Addition of 5.1.4 of the Policy to address the obligation of workplace surveillance. Mandatory Reporting obligations reflected in the scope.
004 | 23/10/2018 | Primary changes:
- Policy reviewed and updated for GDPR regulations and Notifiable Data Breach Regulation
- New logo and fonts throughout
- Updated reference to new strategic plan
- Removed reference to Hume Housing to Hume