Data Policy

Policy Updated: 1 March 2024

1. Purpose

This Data Policy outlines the principles and guidelines governing the collection, storage, processing, and protection of data at Paralympics Australia (PA). It aims to ensure compliance with Australian privacy laws and standards, safeguarding the privacy and security of individuals’ data and upholding the organisation’s reputation.

2. Data Collection and Usage

PA collects only necessary data relevant to its operations and services, ensuring transparency and lawful processing. Data is used solely for legitimate purposes related to PA’s mission and activities, with clear consent obtained where required.

Transparent Collection

PA ensures transparent data collection practices, providing individuals with clear and concise information regarding the types of data collected, the purposes for which it is collected, and any third parties involved in the process. This transparency is upheld through the provision of privacy notices, consent forms, or other appropriate means, in accordance with the Australian Privacy Principles (APP).

Lawful Processing

Data collection and processing activities are conducted in compliance with Australian privacy laws and standards, including the Privacy Act 1988 (Cth) and the APP. PA ensures that all data processing activities have a lawful basis, such as consent, contractual necessity, legal obligation, vital interests, public task or legitimate interests pursued by the organisation or a third party.

Purpose Limitation

Data is collected and used solely for legitimate purposes related to PA’s mission and activities. PA does not process data in a manner that is incompatible with the purposes for which it was collected, ensuring that data processing activities are limited to what is necessary for the specified purposes and time required.

Data Minimisation

PA collects only the minimum amount of data necessary to achieve the intended purpose, avoiding the collection of sensitive, excessive, or irrelevant information. This practice helps to reduce the risk of privacy breaches and ensures that data processing activities are proportionate to the desired outcomes.

Consent Management

Where consent is required for data processing activities, PA obtains express and informed consent from individuals prior to collecting or using their data for specific purposes, for example the collection of personal information for accreditation at a Paralympic Games. Consent is obtained freely, voluntarily and without coercion. Individuals are provided with the opportunity to withdraw consent at any time, as required by the APP.

Data Concerning Minors

Data collection from children under the age of 18 is undertaken only when absolutely necessary for the fulfillment of PA’s mission. Prior to collecting data concerning minors, PA carefully assesses the necessity and appropriateness of such collection, ensuring that it is in the best interests of the minor and complies with the Privacy Act 1988 (Cth) and relevant guidance from the Office of the Australian Information Commissioner (OAIC). PA obtains parental consent or ensures that the data collection is legally permissible under applicable laws and regulations, prioritising the protection and privacy of children. Additionally, PA provides clear and age-appropriate information to children and their parents regarding the purpose and handling of their data, fostering transparency and trust in PA’s data processing practices.

Accountability

PA maintains records of its data processing activities, including the purposes of processing, the categories of data subjects and personal data processed, the recipients of the data, and any transfers of data to third parties. These records help to demonstrate compliance with Australian privacy laws and standards and facilitate accountability and transparency in PA’s data processing practices.

3. Data Security

PA implements appropriate technical and organisational measures to protect data from unauthorised access, disclosure, alteration, and destruction, in accordance with the APP. Access to data is restricted to authorised personnel on a need-to-know basis, with regular security assessments conducted to maintain compliance.

4. Data Retention

Data is retained only for the period necessary to fulfill the purposes for which it was collected, in line with the APP and other relevant regulations. Upon expiration of the retention period, data is securely deleted or anonymised as soon as it is no longer required, to prevent unauthorised use or disclosure.

5. Data Sharing and Third Parties

PA does not share data with third parties unless necessary to fulfill PA’s mission or required by law, ensuring compliance with relevant contractual and legal obligations. Data sharing agreements with third parties include provisions for data protection and confidentiality, consistent with Australian standards.

6. Individual Rights

Individuals have the right to access, correct, or delete their personal data held by PA, as outlined in the Privacy Act 1988 (Cth). Requests for data access or modification should be submitted to the designated privacy officer, with responses provided in accordance with legal requirements. Where individuals request that their data be removed or deleted, this will be actioned as soon as practicable.

7. Compliance

PA complies with applicable data protection laws and regulations, including the Privacy Act 1988 (Cth) and the APP. This Data Policy is periodically reviewed and updated to ensure ongoing compliance with Australian standards and any other relevant legislation.

8. Training and Awareness

Staff and volunteers receive training on data protection principles, policies, and procedures, with specific emphasis on Australian privacy laws and standards. Awareness campaigns are conducted to promote a culture of data privacy and security within PA, fostering compliance and accountability.

9. Governance

A designated Privacy Officer oversees the implementation and enforcement of this Data Policy, ensuring alignment with Australian privacy laws and standards. Regular reviews and assessments of data processing activities are conducted to identify and address any non-compliance issues and areas for improvement. Staff are encouraged to reach out to the Privacy Officer when there is any concern with the implementation of this policy.

10. Enforcement

Violations of this Data Policy may result in disciplinary action, including termination of employment or volunteer engagement, in accordance with organisational policies and legal requirements. Individuals found to have breached Australian privacy laws or standards may be subject to legal consequences, as outlined in the Privacy Act 1988 (Cth).

11. Contact Information

For inquiries or concerns regarding data protection and privacy, please contact our Privacy Officer at privacy@paralympic.org.au