Knowing Me. Privacy Policy
Policy last updated: 18/03/2024
1 Purpose and nature
1.1 Yarrachai Pty Ltd (ACN 653 001 079), trading as Knowing Me. (Company) recognises the importance of your privacy. This Privacy Policy explains how the Company intends to collect, store, use, disclose, protect and otherwise handle your personal information and health information having regard to:
(a) the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth)
(Privacy Act);
(b) the Health Privacy Principles (HPPs) contained in the Health Records Act 2001 (Vic)
(HR Act); and
(c) any applicable code of practice made under the Privacy Act, the PDP Act or the HR Act,
(collectively, the Privacy Principles).
1.2 The Company is not an APP Entity for the purposes of the Privacy Act 1988 (Cth) (Privacy Act) and is not bound by the terms of the Privacy Act. However, we have had regard to the Australian Privacy Principles (APPs) contained in the Privacy Act in developing our privacy practices and this Privacy Policy.
1.3 This Privacy Policy does not constitute a contractual representation, promise, guarantee or warranty by the Company to you as to the manner in which the Company will or may collect, store, use, disclose, protect or otherwise handle your personal information.
1.4 This Privacy Policy applies to the Company and its related entities, such as its subsidiaries, and their employees. These related entities comply with the same obligations that the Company has to protect your personal information and health information under this Privacy Policy.
2 What is personal information?
Personal information is information or an opinion about you, whether true or not and whether recorded in a material form or not, from which you can be reasonably identified.
3 Why does the Company collect personal information?
3.1 The Company collects personal information in connection with providing, administering, improving and personalising its products and services, marketing and to support its business functions. This includes:
(a) providing a safe and secure system to hold key information about its users, that can be accessed by parents and carers;
(b) notifying individuals of the Company’s activities and campaigns, inviting participation in initiatives and providing products and service to individuals;
(c) forging corporate and professional alliances;
(d) seeking media coverage of project strategies and outcomes;
(e) maintaining a website and app;
(f) recruiting staff, Board members and volunteers;
(g) receiving feedback or complaints on any of the above functions or activities;
(h) responding to your comments or questions and receiving feedback or complaints on any of the above functions or activities; and
(i) improving its website and app.2
3.2 The Company will only collect your personal information (other than sensitive information) when the information is reasonably necessary for one of more of the Company’s functions or activities set out in paragraph 3.1. The Company may also collect your personal information for secondary purposes that are closely related to these primary purposes.
3.3 If the Company does not collect your personal information, it may not be able to provide you with its products and services.
4 What personal information does the Company collect?
Personal information
4.1 The types of personal information collected by the Company include:
(a) names;
(b) contact details (including address, email address, telephone number(s) and other contact details);
(c) dates of birth;
(d) identification documents;
(e) gender;
(f) usernames,
(g) passwords;
(h) sensitive information, which may include medical records and personal medical plans
(refer paragraph 4.2 below);
(i) health information (refer paragraph 4.5 below); and
(j) other information you provide to us.
Sensitive Information
4.2 The personal information collected by the Company may include sensitive information, which is defined in the Privacy Act as information or an opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record
or health information.
4.3 The sensitive information that the Company may collect include medical records and personal medical plans.
4.4 The Company will only use sensitive information:
(a) for the primary purpose for which it was obtained;
(b) for a secondary purpose that is directly related to the primary purpose;
(c) with your consent; or
(d) where required or authorised by law.
Health Information
4.5 As part of providing its products and services, the Company will also collect and hold health information. For the purposes of this Privacy Policy, “health information” means:
(a) information or an opinion about:
(i) your physical, mental or psychological health (at any time); or
(ii) disability (at any time); or
(iii) your expressed wishes about the future provision of health services to you; or
(iv) a health service provided, or to be provided, you,3 that is also personal information; or
(b) other personal information collected to provide, or in providing, a health service; or
(c) other personal information about you collected in connection with the donation, or intended donation, of your body parts, organs or body substances; or
(d) other personal information that is genetic information about you in a form which is or could be predictive of your health (at any time) or the health of your descendants.
5 How does the Company collect your information?
5.1 The Company will collect personal information only by lawful and fair means and not in an unreasonably intrusive manner. When you provide the Company with personal information you consent to the use, disclosure and handling of your personal information in accordance with this Privacy Policy and any subsequent amendments (see paragraph 13) Collecting personal information from you
5.2 If it is reasonable and practical to do so, the Company will collect personal information directly from you.
5.3 Depending on how you choose to interact with the Company, the Company may collect your personal information when you contact, or are contacted by, the Company or its service providers by telephone, by email, through the Company's website, apps, social media and other digital services or when you complete a form or document and provide it to the Company. Collecting information from third parties
5.4 The Company may also collect information about you from other people (eg a third party administrator) or independent sources. For example, the Company may collect personal information about you from third parties including (without limitation) a health practitioner, medical equipment suppliers, schools and carers. However, the Company will only do so where it is not reasonable and practicable to collect the information from you directly. Where the Company has collected your information from a third party, such personal information will be held, used and disclosed by the Company in accordance with this Privacy Policy. Collecting information from visits to the Company's website
5.5 The Company may collect information about how you use and visit its website. For example, we record your server address, the date and time of your visit, the pages you visited, any documents you downloaded, the previous site you visited and the type of device, browser and operating system you used. We use and disclose this information in anonymous, aggregated form only for purposes including statistical analysis and to assist us to improve the functionality and usability of our website. You are not individually identified, however we reserve the right to use or disclose this information to try to locate an individual where we reasonably believe that the individual may have engaged in any unlawful or inappropriate activity in connection with our website, or where we are otherwise required or authorised by law to do so.
5.6 The Company may also collect information based on how you use its website, includingthrough 'cookies', web beacons and other similar technologies. Cookies are small text files that are transferred to your computer's hard drive through your
web browser to enable the Company's systems to recognise your browser and record non- personal information such as the date, time or duration of your visit and the pages accessed, for website administration, statistical and maintenance purposes (Cookie Information). We use cookies to provide you with a more consistent experience across our services. No attempt is made by the Company to use Cookie Information to personally identify you. However, if Cookie Information is linked with personal information as set out above, this Cookie Information becomes personal information and will be treated in the same manner as
the personal information to which it has been linked.4 You can remove or reject cookies by adjusting the settings on your web browser. Please note that some parts of the Company's website may not function fully for users that disable
cookies.
Unsolicited information
5.7 If the Company receives personal information that it has not requested and determines that the personal information received is not reasonably necessary to provide its services, the Company will take all lawful and reasonable steps (if any) to de-identify or destroy that personal information.
Health information
5.8 The Company will not collect health information about you unless the health information is reasonably necessary for one of more of the Company’s functions or activities set out in paragraph 3, and at least one of the following applies:
(a) you have consented;
(b) the collection is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law);
(c) the information is necessary to provide a health service to you and you are incapable of giving consent within the meaning of section 85(3) of the HR Act and:
(i) it is not reasonably practicable to obtain the consent of an authorised representative within the meaning of section 85 of the HR Act; or
(ii) you do not have such an authorised representative;
(d) the information is disclosed to the Company in accordance with paragraphs 7.10(a), 7.10(d), 7.10(i), 7.10(j) or 7.11;
(e) if the collection is necessary for research, or the compilation or analysis of statistics, in the public interest—
(i) that purpose cannot be served by the collection of information that does not identify you or from which your identity cannot reasonably be ascertained; and
(ii) it is impracticable for the Company to seek your consent to the collection; and
(iii) the information is collected in accordance with guidelines issued or approved by the Health Complaints Commissioner under section 22 of the HR Act for the purposes of HPP 1.1(e);
(f) the collection is necessary to prevent or lessen—
(i) a serious threat to the life, health, safety or welfare of any individual; or
(ii) a serious threat to public health, public safety or public welfare, and the information is collected in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 of the HR Act for the purposes of HPP 1.1(f);
(g) the collection is by or on behalf of a law enforcement agency and the Company reasonably believes that the collection is necessary for a law enforcement function;
(h) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim; or
(i) the collection is in prescribed circumstances under the HR Act.
5.9 The Company will only collect health information by lawful and fair means, and not in an unreasonably intrusive way. When you provide the Company with health information you5 consent to the use, disclosure and handling of your health information in accordance with this Privacy Policy and any subsequent amendments (see paragraph 13).
5.10 At or before the time the Company collects health information about you (or, if that is not practicable, as soon as practicable after) the Company will take reasonable steps to ensure that you are aware of:
(a) the identity of the Company and how to contact the Company;
(b) the fact that you are able to gain access to and seek correction of the information;
(c) the purposes for which the information is collected;
(d) to whom (or the types of individuals or organisations to which) the Company usually discloses information of the kind collected;
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for you if all or part of the information is not provided.
5.11 If it is reasonable and practicable to do so, the Company will collect health information about you only from you.
5.12 The Company may also collect health information about you from other people (eg a third party administrator) or independent sources where it is not reasonable and practicable to collect the information from you directly. Where the Company has collected the information from a third party, such information will be held, used and disclosed by the Company in accordance with this Privacy Policy, including taking reasonable steps to ensure that you are of have been made aware of the matters as set out in paragraph 5.10, except to the extent that this would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence.
5.13 The Company will notify you of the identity of persons, or classes of persons, to whom health information may be disclosed in accordance with paragraph 7.10(d).
5.14 The Company will take such steps as are reasonable in the circumstances to make sure that, having regard to the purpose for which the information is to be used, the health information it collects, uses, holds or discloses is accurate, complete, up to date and relevant to its functions or activities.
6 How does the Company hold your information?
6.1 The security of your personal information and health information is important to the Company. Accordingly, the Company takes reasonable steps to protect your personal information from misuse, loss and unauthorised access, modification or disclosure. These steps include the implementation of the following safeguards:
(a) information security training for all staff members;
(b) internal information security policies;
(c) external information security policies and obligations when contracting with third parties; and
(d) ongoing review of security controls and processes.
6.2 The Company will take reasonable steps to permanently de-identify or responsibly destroy personal information and health information if it is no longer needed for the purpose for which the information was used or disclosed.
6.3 The Company's data security practices have been adopted with a view to protecting the data
held by the Company. Notwithstanding this, individuals should be aware that there are
inherent risks associated with the transmission of data over the internet and other mediums.
Accordingly, the Company cannot guarantee any transmission will be completely secure.
7 How does the Company use, hold or disclose your information?
7.1 The Company may hold, use or disclose your personal information and health information for the primary purpose set out in paragraph 3.1 which includes to provide products and services to you.
7.2 The Company may also hold, use or disclose your personal information to:
(a) permit access to the Company or the Company affiliated events and programs;
(b) the Company send you newsletters and other information as required;
(c) consider any concern or complaint that you raise against the Company or to manage
any legal action between you and the Company;
(d) prevent or investigate any actual or suspected fraud, unlawful activity or misconduct;
(e) respond to queries submitted by you; or
(f) comply with any relevant laws, regulations, codes of practice and court orders
7.3 The Company may collect and disclose health information to the State of Victoria as represented by the Department of Health (Department) for specific purposes, including for the purpose of providing its services to you and for the Department's auditing and monitoring of the Company. The Department may disclose the health information received from the Company to:
(a) other Victorian Governmental Agencies; and
(b) if requested by the Auditor-General, the Ombudsman, or the relevant Minister responsible for the portfolio under which the Company’s services to the Department relate; and
7.4 Unless your personal information or health information is destroyed by the Company, it will ultimately be disposed of to, or at the direction of, the Department or the Keeper of Public Records.
7.5 The Company does not sell, rent or trade personal information or health information to, or with third parties. The Company may however, in order to provide its products and services to you, disclose your personal information to third parties in limited circumstances, including to other parties when you ask us to do so or when you consent to that disclosure. Cross-border disclosure
7.6 The Company may transfer your personal information to an entity which is in a foreign country to assist the Company in providing its products and services. For example, your personal information may be stored on servers located overseas by our third-party cloud storage providers, or it may be provided to current or potential contracted overseas services providers or partners where the provision of our products or services requires the transfer of the information. Such foreign countries may include South Africa, Israel, New Zealand, the United Kingdom and the United States of America.
In these circumstances, the Company will take such steps as are reasonable in the circumstances to ensure that the information that is transferred to third parties located outside of Australia will not be held, used or disclosed by the recipient of the information in a manner that is inconsistent with the APPs.
Third Party Links
7.7 The Company's website may contain certain links to other websites. The Company does not share your personal information or health information with those websites without your consent and it is not responsible for the privacy practices applying in respect of those websites.
Secondary Purposes
7.8 The Company may sometimes use or disclose personal information or health information about you for a purpose (the secondary purpose) other than the primary purpose. However, the Company will only use or disclose personal information or health information about you for a secondary purpose in limited circumstances.
7.9 The Company may use or disclose personal information about you for a secondary purpose if:
(a) you have consented to the use or disclosure; or
(b) you would reasonably expect the Company to use or disclose the information for the secondary purpose and the secondary purpose is;
(i) if the information is sensitive information — directly related to the primary purpose; or
(ii) if the information is not sensitive information — related to the primary purpose; or
(c) the use or disclosure of the information is required or authorised by or under law; or
(d) where it is unreasonable or impracticable to obtain consent and the Company reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety; or
(e) the Company has reason to suspect an unlawful activity has been or may be engaged in and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or
authorities; or
(f) the Company reasonably believes that the use or disclosure of the information is reasonably necessary for one or more of the following enforcement related activities conducted by, or on behalf of, an enforcement body (and will make a written note
about such use):
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper
conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
7.10 The Company may use or disclose health information about you for a secondary purpose if one of the following applies:
(a) you have consented to the use or disclosure; or
(b) you would reasonably expect the Company to use or disclose the information for the secondary purpose and the secondary purpose is directly related to the primary purpose; or
(c) the use or disclosure is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law); or
(d) the use or disclosure is for the purpose of:
(i) funding, management, planning, monitoring, improvement or evaluation of health services; or
(ii) training provided by a health service provider to employees or persons working with the organisation,
and
(iii) that purpose cannot be served by the use or disclosure of information that does not identify you or from which your identity cannot reasonably be ascertained and it is impracticable for the organisation to seek your consent to the use or disclosure; or
(iv) reasonable steps are taken to de-identify the information,
and
(v) if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication; and
(vi) the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 of the HR Act for the purposes of HPP 2.2(f)
(e) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest and all of the following apply:
(i) it is impracticable for the organisation to seek your consent before the use or disclosure; and
(ii) that purpose cannot be served by the use or disclosure of information that does not identify you or from which your identity cannot reasonably be ascertained; and
(iii) the use or disclosure is in accordance with guidelines issued or approved by the Health Complaints Commissioner under section 22 for the purposes of HPP 2.2(g); and
(iv) in the case of disclosure, the Company reasonably believes that the recipient of the health information will not disclose the health information and the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained;
(f) where it is unreasonable or impracticable to obtain consent and the Company reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety, or public welfare and the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for HPP 2.2(h); or
(g) the Company has reason to suspect an unlawful activity has been, is being or may be engaged in and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities (and will make a written note about such use); or
(h) the Company reasonably believes that the use or disclosure is reasonably necessary for a law enforcement function by or on behalf of a law enforcement agency the use or disclosure would not be a breach of confidence (and will make a written note about such use);
(i) the use or disclosure is necessary for the establishment, exercise or defence of a legal or equitable claim;
(j) the use or disclosure is in the prescribed circumstances under the HR Act.
7.11 The Company may use or disclose health information about you where it is known or suspected that you are dead or missing, or have been involved in an accident or other misadventure and are incapable of consenting to the use or disclosure, and the use or disclosure is to the extent reasonably necessary to identify you or ascertain the identity and location of a relative to assist a police officer, a coroner or other prescribed organisation. Direct Marketing9
7.12 The Company may also use your personal information to identify and promote products or services that may be of interest to you. At any time you may opt out of receiving direct marketing communications from the Company. To do so, please contact the privacy officer at privacy@knowingme.com.au
8 Change of control
If the Company sells, assigns or otherwise transfers part or the whole of its business, your personal information or health information, which was collected by the Company through your use of the service may be among the items transferred or sold to the extent that it is relevant to the Company's business.
9 How you may access or correct your information
9.1 You may contact the Company to request access to the personal information it holds about you at any time. You may also ask the Company to correct information about you that you may believe is inaccurate, incomplete or out of date.
9.2 Please contact the Company using the contact details set out in paragraph 10. The Company will need to verify your identity before giving you access to, or correcting, your personal information. The Company will respond to the request within a reasonable period after the request is made. There is no charge to make a request, however the Company may charge a reasonable fee to cover the administrative costs of retrieving your personal information.
9.3 In certain circumstances, the Company may refuse, or be unable, to correct or provide you with access to your personal information. In these circumstances, the Company will write to you to explain the reasons why this is the case.
9.4 If the Company holds health information about you, the Company will provide you with access to the information on request in accordance with Part 5 of the HR Act, unless:
(a) providing access would pose a serious threat to the life or health of any person and refusing access is in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 of the HR Act for the purposes of HPP 6.1(a); or
(b) providing access would have an unreasonable impact on the privacy of other individuals and refusing access is in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 of the HR Act for the purposes of HPP 6.1(b); or
(c) the information relates to existing legal proceedings between the Company and you, and the information would not be accessible by the process of discovery in those proceedings or is subject to legal professional privilege or client legal privilege; or
(d) providing access would reveal the intentions of the Company in relation to negotiations, other than about the provision of a health service, with you in such a way as to expose the Company unreasonably to disadvantage; or
(e) the information is subject to confidentiality; or
(f) providing access would be unlawful; or
(g) denying access is required or authorised by or under law; or
(h) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(i) providing access would be likely to prejudice a law enforcement function by or on behalf of a law enforcement agency; or
(j) a law enforcement agency performing a lawful security function asks the Company not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia; or10
(k) the request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again; or
(l) you have been provided with access to the health information in accordance with the HR Act and are making an unreasonable, repeated request for access to the same information in the same way; or
(m) where providing access to health information would reveal information in connection with a commercially sensitive decision-making process, in which case the Company may give you an explanation for the commercially sensitive decision rather than access to the health information.
9.5 Other than in the circumstances set out in paragraphs 9.4(a) and 9.4(e), wherein the Company must refuse to provide you with access to your health information, nothing compels the Company to refuse to provide you with access to your health information. If access is refused on the ground of 9.4(a), the Company will follow the procedure set out in Division 3 of
Part 5 of the HR Act.
9.6 The Company will respond to an access request in respect of health information as soon as practicable but no later than 30 days and will give you access to the health information in the manner requested by you, if it is reasonable and practicable to do so.
9.7 The Company may, in appropriate circumstances, charge you for giving access to the health information (not for any such request). Such a charge will not be excessive. If the Company charges for the provision of information, it will advise you that the information will be provided on the payment of the fee, and the Company may withhold the information until the fee is
9.8 If the Company refuses to give access to health information because one or more of the exceptions referred to in paragraph
9.4, the Company will give you a written notice that sets out the reasons for the refusal.
10 Open and transparent management
10.1 The Company has set out in this document, in an open and transparent way, its policies on the management of personal and health information.
10.2 The Company will make this document publicly available on its website at www.knowingme.com.au/privacy and will take reasonable steps to provide a copy of this Privacy Policy, free of charge, to anyone who asks for it (see paragraph 12 of this Privacy
Policy for contact details).
10.3 On request, the Company will take reasonable steps to let you know, generally, what sort of personal information the Company holds in relation to you, for what purposes, and how it collects, holds, uses and discloses that information.
10.4 On request, the Company will take reasonable steps to let you know, generally, whether the Company holds health information in relation to you, the steps that you should take if you wish to obtain access to the information, and, in general terms, the nature of the information and for what purposes, and how it collects, holds, uses and discloses that information.
11 Complaints
11.1 The Company will consider complaints made in relation to:
(a) a decision to refuse access to personal information or health information you request; or
(b) a decision not to correct personal information or health information; and will respond as soon as practicable (but within 30 days) after the complaint is received. The Company response to a complaint is final.
11.2 You may make a complaint about the Company’s handling of your information to: (a) the Office of the Australian Information Commissioner (OAIC). Further information is available on the OAIC website: http://www.oaic.gov.au/privacy/privacy-complaints; or11 (b) in relation to health information, the Health Complaints Commissioner. Further information is available on the Health Complaints Commissioner’s website:
https://hcc.vic.gov.au/make-complaint.
12 How to contact us
If you have any questions about this Privacy Policy or the Company's management of your personal information, please contact the Company on:
Attention: Privacy Officer
Tel: +61 400 878 480
Email: privacy@knowingme.com.au
Mail: Level 2, 434 St Kilda Road Melbourne Victoria 3004
13 Changes to the Company's privacy policy and information handling practices
This Privacy Policy is subject to change at any time so we encourage you to review this Privacy Policy at regular intervals. If the Company changes this Privacy Policy an updated version will be posted on the Company's website to notify you of this change. By continuing to use the Company's services after that time you will be deemed to have accepted any changes to its Privacy Policy.