Privacy Policy
Details
| Publication Date: | 06/08/2024 |
| Date of last review: | 06/08/2024 |
| Owner: | Head of Customer Engagement and Operations |
| Next Review Date: | 06/08/2026 |
Introduction
This Policy outlines CCC’s commitment to the appropriate collection, management, use, disclosure and protection of Personal Information.
This Policy explains how CCC will collect, hold, use and disclose Personal Information, how individuals can gain access to their Personal Information, correct inaccuracies within that information, and make complaints about possible breaches of privacy.
All CCC employees, consultants and contractors (CCC Staff) have a responsibility to carry out their duties in compliance with this Policy and all relevant privacy legislation.
Personal information is any information, including an opinion, about you or that identifies you or from which your identity can reasonably be determined, whether true or not or and whether recorded in some form or not.
Sensitive information is a subset of Personal Information which is given additional protection by the Privacy Act 1988 (Cth) and includes information about religious affiliation or beliefs, ethnic origin, criminal record and sexuality. Health information is also sensitive information and its handling in New South Wales is also regulated by the Health Records and Information Privacy Act 2002 (NSW).
Policy Statement
CCC collects and handles Personal Information (which may include State Records) in compliance with its obligations under the:
- Cemeteries & Crematoria Act 2013 (NSW);
- Privacy Act 1988 (Cth);
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth);
- Health Records and Information Privacy Act 2002 (NSW); and
- State Records Act 1998 (NSW).
- Privacy & Personal Information Privacy Act 1998 (NSW)
Guidelines
What Personal Information does CCC collect?
In summary CCC collects and holds Personal Information that includes (but is not limited to):
- Names, addresses, telephone numbers, facsimile number, email address and other contact information.
- Deceased names, date of birth, date of death, next-of-kin contact information, religious affiliation, burial locations and death certificates and other records as dictated by the Public Health Act (2010) NSW and the Cemeteries & Crematoria Act 2013 (NSW) and their associated regulations as amended from time to time.
- Financial information, such as credit card details.
Proof of Identity
In addition to the information noted above, as obligated by the Cemeteries & Crematoria Act 2013 (NSW) 100 point ID requirement, CCC is required to clearly identify persons wishing to purchase any form of memorialisation product from CCC. As a result, each person is required to provide two original identification documents, one of which must include photo ID. These may include driver licence, passport, birth certificate, EFTPOS card, credit card or other government issued licence.
Original copies of the Identification documents must be sighted by CCC staff, however, copies will not be taken or stored by CCC. Having sighted the documents, the CCC staff member will note which documents were sighted and the date.
Why does CCC collect Personal Information?
CCC collects and holds Personal Information for the purposes of providing services under the Cemeteries and Crematoria Act 2013 (NSW) (which includes the legal requirement to maintain a Cemetery Register), or to carry out our other business functions. The industry in which we operate, and our type of service offering, means that some of the information we handle may be Personal Information.
CCC is obliged to collect Personal Information regarding medical causes of death for burials and internments.
We also collect Personal Information for planning, monitoring and evaluating our services and functions. Where practicable, we remove identifying details from information used for these purposes.
CCC maintains a records management program in accordance with Standard No. 12 issued under the State Records Act 1998 (NSW), including maintaining a full and accurate record of the activities of CCC.
Consequences of not providing Personal Information
If you do not provide us with your Personal Information or the information you provide is incomplete or inaccurate, we may be unable to provide you, or a person nominated by you with the information, services or goods you or they are seeking.
How does CCC collect Personal Information?
CCC’s usual practice is to collect Personal Information directly from application forms and registration forms completed by you or responsible person, from face to face meetings, interviews, telephone calls, via our web site or by some other method (such as by post or email).
In addition to collecting Personal Information from you, sometimes CCC collects Personal Information from a third party (e.g. funeral director, etc.).
Privacy Principles
We are bound by the Privacy Act 1988 (Cth) (Privacy Act), the Health Records and Information Privacy Act 2002 (NSW), the State Records Act 1998 (NSW), the Privacy & Personal Information Act 1998 (NSW) as well as other laws which impose specific obligations in regard to the handling information.
We have adopted the principles contained in the Australian Privacy Principles (APPs) as minimum standards for the handling of Personal Information. In broad terms this means that we:
- collect only information which we need for a specified primary purpose;
- ensure that the person knows why we collect it and how we will handle it;
- use and disclose it only for the primary (or a directly related purpose), or for other purposes with the person’s consent (or as otherwise authorised by law);
- store it securely, protecting it from unauthorised access;
- retain it for the period authorised by the State Records Act 1998 (NSW); and
- provide the person with access to their own information, and the right to seek its correction.
A summary of the APPs appears at Appendix 1 to this Policy.
Access to Personal Information
Individuals have the right to access, and request corrections to, their Personal Information which is being held by CCC. Requests for access to Personal Information will be managed in the following ways:
- For Personal Information in our possession, this right is available through the Privacy & Personal Information Privacy Act 1998 (NSW)
- For Personal Information in the possession of our service partners, this right is available through that service partner directly, under the privacy legislation applicable to that organisation.
- The Cemeteries & Crematoria Act 2013 (NSW) provides a right of access for researchers to records relating to: deceased persons; cremations and; interments.
Requests can be made in writing via post addressed to The Privacy Officer, PO Box 10, LIDCOMBE 1825 or via email to: enquiries@catholiccemeteries.com.au
Consent
The APP’s permit a wider range of collection, use and disclosure of Personal Information and Health Information with the consent of the person to whom the information pertains.
Consent must be voluntary, informed, specific and current. The person giving consent must be deemed to have capacity.
It is CCC’s understanding that when a customer seeks our services and provides Personal Information to CCC either directly or via a funeral director, then that customer has given consent to collect, use and disclose Personal Information for the purpose of providing those services.
Communications to you from CCC
With your consent we will send you emails or other communications, such as a newsletter, about CCC and our activities (including information about marketing, promotional, and research purposes). We might send you account reminders via SMS.
Please be aware that you are free to “unsubscribe” or “opt out” to any publication or marketing or promotional communication that you receive from CCC at any time. All newsletters sent include an unsubscribe link the footer of the email. You can also “opt out” from any SMS messaging from us.
Does CCC disclose any Personal Information to anyone?
CCC may disclose your Personal Information in a number of circumstances, where required by law (for instance, in response to a subpoena or other court order).
Management and security of Personal Information
CCC takes all reasonable precautions to safeguard your Personal Information from loss, misuse, interference, unauthorised access, modification or unlawful disclosure. These steps include restricted access to CCC offices and other areas where Personal Information is stored, and in computer files that can be accessed only by authorised individuals using login names and passwords.
CCC stores your Personal Information in servers located in Australia. Personal information will be retained by CCC while it can use or disclose that information for a legitimate purpose under the APP’s. When it can no longer use or disclose the Personal Information for such a purpose, CCC will take reasonable steps to destroy or de-identify that personal information, where it is lawful for it to do so.
Notifiable Data Breaches
CCC adheres to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth.).
If you believe that a data breach has occurred in relation to your personal details, please contact the CCC Privacy Officer providing details and circumstances of the data breach.
The online Notifiable Data Breach (NDB) form located within the Privacy Policy on the CCC (website: www.catholiccemeteries.com.au) is to be completed as soon as possible and emailed to the Privacy Officer.
The advised breach will be investigated immediately, and you will be informed of remedial action to be undertaken. If the breach constitutes a Notifiable Data Breach under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth.), the Office of The Australian Information Commissioner (OAIC) will be informed as soon as practicable of the breach and provided with the full circumstances and remedial action undertaken by CCC.
If CCC determine that Personal Information has been accessed without permission, acquired, used or disclosed in a manner which compromises the security of the Personal Information, CCC will assess the risk to affected parties as detailed in its Data Breach Procedure and Response Plan.
If CCC determines that a breach causes serious harm to an individual, CCC will notify all affected parties (including the individuals to whom the data pertains) and the OAIC, as detailed in CCC’s Data Breach Procedure and Response Plan.
Handling of Complaints Regarding Breaches of Privacy
Individuals wishing to make a complaint about CCC’s handling of their Personal Information may:
- Contact and discuss the situation with the Cemetery Manager for the cemetery concerned. Contact CCC’s head office on 02 8713 5700.
- Provide written feedback via post addressed to the CCC Privacy Officer at: PO Box 10, LIDCOMBE 1825, or via email to: enquiries@catholiccemeteries.com.au
- Ask CCC to arrange an interpreter if assistance with language translation is needed.
- Access further information regarding our customer charter via the CCC Website.
The monitoring of the resolution of complaints is the responsibility of the CCC Privacy Officer and the CCC CEO.
Complaints about other service providers
The CCC works closely with other service providers, including funeral directors, stonemasons, community groups and faith-based organisations. Concerns about the management of Personal Information held by any of these external organisations should be raised directly with that service provider.
External avenues of redress
An individual can seek further information and advice on the resolution of complaints from: Information & Privacy Commission NSW
Email: ipcinfo@ipc.nsw.gov.au
Phone: 1800 472 679
Address: Level 15, McKell Building, 2-24 Rawson Place, Haymarket NSW 2000
Postal: GPO Box 7011, Sydney NSW 2001
Health Care Complaints Commission
Ph: 1800 043 159
Web: www.hccc.nsw.gov.au
Office of the Australian Information Commissioner
Ph: 1300 363 992
Web: www.oaic.gov.au
Implementation and Monitoring
CCC has the right to amend this Policy at any time by posting a revised version on its website. All CCC Staff will be educated regarding the contents of the revised Policy and will receive ongoing education.
CCC will endeavour to ensure that if it substantially changes the way that it handles Personal Information, that it communicates this change with the people whose Personal Information it already holds.
References & Related Materials
Legislation & Regulations
- Cemeteries & Crematoria Act 2013 (NSW)
- Privacy Act 1988 (Cth.)
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth.)
- Health Records and Information Privacy Act 2002 (NSW)
- Health Records and Information Privacy Regulation 2012 (NSW)
- State Records Act 1998 (NSW)
- Privacy & Personal Information Privacy Act 1998 (NSW)
Related CCC Documents
- Data Breach Procedure & Response Plan
- Customer Service Policy
- Code of Conduct
Definitions
| Cemetery Register | As defined in section 63(2) of the Cemeteries and Crematoria Act 2013 (NSW). |
| CCC | Means Catholic Cemeteries & Crematoria |
| Health Information | A category of Personal Information. Information or opinion about the physical, mental, psychological health of an individual, about the disability of an individual, or about a health service provided or to be provided to individual, but not including information about an individual who has been deceased for more than 30 years. |
| Personal Information | Information or opinion, whether true or not and whether recorded in material form or not, about a living individual whose identity is apparent, or can reasonably be ascertained from the information or opinion |
| Policy | This Privacy Policy, as amended from time to time. |
| State Record | Any record made and kept, or received and kept, by any person in the course of the exercise of official functions at CCC. |
Appendix 1: Summary of the Australian Privacy Principles
| Principle | Brief outline of details |
| Australian Privacy Principle 1 Open and transparent management of personal information | The object of this principle is to ensure that APP entities manage personal information in an open and transparent way. An APP entity must have a clearly expressed, up to date and publicly available policy (the APP privacy policy) about the management of personal information by the entity. |
| Australian Privacy Principle 2 Anonymity and pseudonymity | Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter. |
| Australian Privacy Principle 3 Collection of solicited personal information | An APP entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities. |
| Australian Privacy Principle 4 Dealing with unsolicited personal information | If an APP entity receives personal information and the entity did not solicit the information, the entity must, within a reasonable period after receiving the information, determine whether or not the entity could have collected the information under Australian Privacy Principle 3 if the entity had solicited the information. |
| Australian Privacy Principle 5 Notification of the collection of personal information | At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances to notify the individual of the circumstances surrounding the collection of the personal information. |
| Australian Privacy Principle 6 Use or disclosure of personal information | If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless it has sought consent from the individual to do so, or if an exception applies. |
| Australian Privacy Principle 7 Direct marketing | If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing unless an exception applies. |
| Australian Privacy Principle 8 Cross-border disclosure of personal information | Before an APP entity discloses personal information about an individual to a person (the overseas recipient) the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information. |
| Australian Privacy Principle 9 Adoption, use or disclosure of government related identifiers | An organisation must not adopt a government related identifier of an individual as its own identifier of the individual or disclose a Government related identifier of an individual unless an exception applies. |
| Australian Privacy Principle 10 Quality of personal information | An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects, uses or discloses is accurate, up to date and complete. |
| Australian Privacy Principle 11 Security of personal information | If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information from misuse and unauthorised access and must destroy or de-identify information which is no longer needs, or is no longer required to keep. |
| Australian Privacy Principle 12 Access to personal information | If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information within 30 days of the request, unless an exception applies. |
| Australian Privacy Principle 13 Correction of personal information | An entity must take such steps (if any) as are reasonable in the circumstances to correct information which is not accurate, incomplete, irrelevant or misleading. |
| Date | Change | Completed by |
| 18/02/2015 | Policy Reviewed and Approved | M.White |
| 19/05/2021 | New template | G.Sorensen |
| 03/06/2021 | Policy Reviewed and Approved | L.Hardgrove |
| 29/06/2023 | Policy Reviewed and Approved | L.Hardgrove |
| 14/02/2024 | Policy Reviewed | G.Tucker |
| 06/08/2024 | Policy Reviewed and Approved | M.Cashin |
