Privacy Policy

PRIVACY POLICY OF THE CATHOLIC DIOCESE OF BROKEN BAY AND ITS PARISHES

The Catholic Diocese of Broken Bay and its parishes are committed to protecting your personal information.

Please read this Privacy Policy carefully as it outlines how we collect, handle and use personal information received.

We advise that this Policy does not cover the handling of personal information by our Catholic schools, the Catholic Schools Office (CSO) or CatholicCare, Diocese of Broken Bay. For information relating to the handling of personal information by our schools and by CatholicCare, please visit their respective websites.

We may revise this Policy from time to time by publishing a revised version on our website taking effect from the time it is published.

CATHOLIC DIOCESE OF BROKEN BAY PRIVACY POLICY The Catholic Diocese of Broken Bay and its Parishes (We, Our or Us) are committed to protecting the privacy of personal information it collects from individuals (You or Your) in accordance with the Privacy Act 1988 (Cth) (Act) and the associated Australian Privacy Principles (APPs). This Privacy Policy (Policy) describes the principles we follow concerning the collection, use, disclosure and storage of personal information. This Policy does not apply to the Catholic Schools Broken Bay or CatholicCare (agencies); each agency has a privacy policy available on request or from their website. 1. WHAT IS PERSONAL INFORMATION 1.1. Personal Information is defined as any information or an opinion about you or an individual from which your identity can be reasonably determined.

1.2. Sensitive Information is a subset of personal information and is given a higher level of protection than other types of personal information. Sensitive information includes, but is not limited to, information concerning details of your race or religious affiliation and beliefs, your health and your political beliefs.

2. WHAT PERSONAL INFORMATION WE COLLECT FROM YOU The personal information we collect includes the following: • name, address, telephone number and other contact details; • date of birth, gender, marital status, religion and occupation; • financial information, such as donation history and credit card details; • identification documents; • photographs, videos and news stories in respect of Church-related events and activities; • dietary requirements, special needs and mobility access requirements; • website metadata (e.g. domain names server addresses); and • information needed when an individual is an employee (or prospective employee), volunteer or clergy.

3. HOW WE COLLECT YOUR PERSONAL INFORMATION 3.1. Personal Information you provide We collect your personal information by way of our standard forms, over the internet, via email, or through our workers, volunteers, and clergy conversations with you, and when you otherwise provide us information.

3.2. Personal Information provided by other people (third parties) On occasion, in circumstances where it is impracticable or unreasonable to collect the personal information from you directly or when you would reasonably expect your personal information to be collected from another source, we will collect your personal information from third-party sources, such as other parishes, other dioceses, church agencies or service providers, and individuals, (e.g. an employment referee). Unless an exception applies under the APPs, we will only collect sensitive information about you if you or your guardian consents to the collection of the information.

2 3.3. You do not need to provide Personal Information that we may request You can choose to deal with us anonymously or by using a pseudonym. However, the circumstances may need us to identify you, for example, administering the sacraments, inducting you into ministries or other volunteer roles. In these types of instances, your ability to fully participate may be limited if you cannot be identified or do not allow us to collect certain personal information.

4. PURPOSE OF PERSONAL INFORMATION COLLECTED We will use the personal information collected to fulfil our mission including: • Administering the sacraments and providing pastoral care; • Responding to your welfare and support needs; • Supporting fundraising activities; • Informing you, parishioners and the public about matters related to the Diocese, parishes, and agencies through correspondence, newsletters, magazines and other media; • Assessing suitability for volunteer roles; • Employment screening to assess employment applications; • Complying with legislative and regulatory requirements and legal responsibilities; • Responding to complaints; and • Dealing with requests for information and personal direct response in connection with applications under the National Redress Scheme. You may opt out of receiving communications from us at any time by contacting us at the address the communications have been received from or by contacting the Privacy Officer.

5. HOW WE MAY DISCLOSE YOUR PERSONAL INFORMATION We may disclose your personal information when it could be reasonably expected in a church environment. We may disclose personal information: • To the Diocesan Chancery, parishes and agencies; • To other Catholic Church dioceses, parishes and agencies; • To service providers, consultants, advisers, workers and volunteers; • Where required by or authorised by Australian law; and • Where we have a financial transaction with you. If disclosure involves sensitive information, it will only be disclosed where you authorise it to be disclosed. For example, public prayers naming an individual will only be with the consent of that individual (or their guardian). Some third-party providers we use, for example, for cloud storage of electronic data, may be located outside of Australia. We are committed to safeguarding personal information held by us and will comply with all applicable laws relating to the cross-border data disclosure.

6. HOW WE KEEP YOUR PERSONAL INFORMATION SECURE We take reasonable precautions to safeguard your personal information from loss, misuse, interference, unauthorised access, modification or unlawful disclosure. Where your personal information is held in paper form, it will be held in locked cupboards or other secure locations. If the information is held in electronic form, the media will be password protected with restricted access to the records. 3 Where we no longer need your personal information for the purposes for which it was collected, we will take reasonable steps to destroy or de-identify the information unless it would be unlawful for us to do so.

7. CAN YOU ACCESS AND CORRECT THE PERSONAL INFORMATION HELD 7.1. Access You may access personal information we hold about you. We may ask you to verify your identity before disclosing any personal information. In determining if we can give you access to information held, we will rely on APP 12 – Access to Personal Information. Note that in some instances, under APP 12 we might not be able to give you access to some information. We may request you to meet the reasonable costs of disclosing the information to you.

7.2. Correction When disclosing your information, we will take reasonable steps to ensure that personal information we hold is correct. If you inform us of more correct information, we will attempt to update our records. In instances where updating your existing information is not possible or would conflict with the purpose of collecting the original information, we will give you a notice in writing that explains the reasons. If you wish to have your personal information removed from our records, we will take reasonable steps to comply with your request, unless we need to keep your information for specific business or legal reasons Any request to access, correct or remove personal information is to be sent in writing to the Diocesan Financial Administrator for the Chancery or the Parish Priest for the respective Parish.

8. WHAT IS OUR APPROACH TO PERSONAL INFORMATION OF CHILDREN We assess whether a child (a person under 18 years) has the capacity to make their own privacy decisions on a case by case basis. Where we cannot assess the child’s capacity to make a decision, we will request the consent of a parent or guardian prior to collecting, using or giving access to personal information. In giving access to information held in relation to a child, consideration will be given to the child’s consent on a case by case basis and the safeguarding of the child. For collection or use of photographs or videos, the consent of the child’s parent or guardian is always required where a child is actively participating in an event or in some circumstances where a child is attending an event. For further clarification of where a photo or video maybe used, please contact the Privacy Officer.

9. HOW TO MAKE A COMPLAINT Contact details for the Privacy Officer are as follows: Privacy Officer Catholic Diocese of Broken Bay PO Box 340 PENNANT HILLS NSW 1715 or Email: privacyofficer@bbcatholic.org.au Once we become aware of any ongoing concerns or problems raised by you, we will work to address those concerns. We will endeavour to respond to you within 30 calendar days. Should we require further information, we will contact you. There is no fee associated with lodging a complaint. If you are not satisfied with the response, you can contact the Office of the Australian Information Commissioner (OAIC). The OAIC has the power to investigate the matter and make a determination. 4 REFERENCE Privacy Act 1988 (Cth) Privacy Regulation 2013 (Cth) Australian Privacy Principles RELATED FORMS There are no Forms related to this policy.

RELATED POLICIES Code of Conduct Policy Guidelines - Privacy Policy POLICY REVIEW Review of this policy will be undertaken every three years by the Privacy Officer in consultation with the In-House Legal Counsel and approved by the Diocesan Financial Administrator. REVISION/ MODIFICATION HISTORY Date Version Current Title Summary of Changes Approval Date Commencement Date Feb 2018 1. Privacy policy (external/website) New – for websites incorporating Notifiable Data Breach Scheme requirements Feb 2018 Feb 2018 11/05/18 2. Privacy policy (external/website) Updated May 2018 May 2018 16/08/18 3. Privacy policy (external/website) Review Aug 2018 Aug 2018 11/02/21 4. Privacy Policy New – Replaces both Privacy Policy (External) and Privacy Policy (Internal) Feb 2021 Feb 2021 APPROVED DATE/REVISION SCHEDULE Approved by: Emma McDonald, Diocesan Financial Administrator Date: 11 February 2021 To be Revised: 11 February 2024The Privacy Act 1988 (Cth) and the Australian Privacy Principles also apply to us in relation to how we collect, handle and use your personal information.