Viva! Health at Work is subject to the Commonwealth Privacy Act 1988 (Act). The Privacy Amendment (Enhancing Privacy Protection) Act 2012, which commenced in March 2014, made significant changes to the Act. This Policy complies with the new requirements imposed by the Act.
Viva! Health at Work is committed to managing personal information in an open and transparent way. Viva! Health at Work (subsidiary of L’Amour Yoga Institute Pty Ltd) is a registered company and is subject to the requirements of the Act. It adheres to the Australian Privacy Principles (APPs) set out in Schedule 1 to the Act.
Viva! Health at Work collects personal information for the purposes of Viva! Health at Work’s functions and activities. It collects personal information about training staff, student-participants, and other individuals who have dealings with Viva! Health at Work for administrative need, to conduct its business, for legislative compliance or for research purposes.
The information may include demographic contact details, academic performance to achieve certification, qualifications, financial information, information relating to enrolment, research subject material, or material shared via discussion forums. Some of the personal information that Viva! Health at Work collects and holds is sensitive information. Viva! Health at Work only collects sensitive information where it is necessary for the purpose for which it is being collected and with the individual’s consent unless the collection is required or authorised by law. Personal information is held in both paper and electronic form, including databases.
Viva! Health at Work website material is associated with host training websites (in this case, Thinkific). Website log files (“cookies”) may be used via these sources that track user information and interface history in order to improve services and custom-support a user via digital profiles. Web analytics may also apply in determining how a website is accessed. Individual users may accept or reject cookies, if they apply, by adjusting the settings in their web browser. However, rejecting cookies may affect functionality of website interaction.
The material accessed may contain hyperlinks (e.g. via training materials or websites shared). Viva! Health at Work cannot control the privacy controls of third-party websites or training host sites. Third-party sites are not subject to Viva!’s Privacy Policy or Procedures.
Viva! Health at Work collects, holds, uses, stores, and discloses personal information for the purposes of:
- Student-participant (user) enrolment, instruction, support, assessment, and graduating or issuance of a certificate of completion
- Enhancing and assessing the user experience
- Maintaining contact and providing education about supportive resources or services
- Commercial application of intellectual property and professional expertise
- Student-participant recruitment
- User support
- Research undertakings
- Business improvement and general conduct
Unsolicited material: If Viva! Health at Work receives unsolicited personal information, it will assess the nature of the material and treat it accordingly per these procedures. The material may be reportable. The material may be deemed unnecessary to receive and, if lawful to do so, destroyed or de-identified.
When Viva! Health at Work no longer needs to retain personal information and is lawfully able to do so, it may destroy or de-identify information.
Viva! Health at Work applies physical and information and communications technology security to protect personal information. Where necessary, Viva! endeavours to encrypt or password-protect critical information or transactions. Again, third party websites may be used for learning support and hosting or financial transactions.
Subject to clause 4.2, anyone has a right under the Act to access personal information that ACU holds about them. Access to personal information is governed by the Access to and Correction of Personal Information Procedure.
Subject to clause 4.2, anyone has a right under the Act to request corrections to any personal information that Viva! Health at Work holds about them if they think that the information is inaccurate, out of date, incomplete, irrelevant or misleading. Correction of personal information is governed by the Access Procedure.
Subject to clause 4.2, anyone may complain about a breach of a policy or procedure by Viva! Health at Work. Complaints should be made in accordance with the Privacy Inquiries and Complaints Procedure.
Viva! Health at Work may disclose information to third parties to provide services, for purposes of research to improve its operations and services, promote its activities, or if permitted or required by law. Where Viva! Health at Work discloses personal information to third parties, it will require restrictions on the collection and use of personal information equivalent to those required of Viva! Health at Work by the Privacy Act 1988.
Glossary of Terms
Access Procedure means the Access to and Correction of Personal Information Procedure promulgated under this Policy.
Act means the Privacy Act 1988 (Cth).
Australian Privacy Principles (APPs) means the 13 APPs set out in Schedule 1 of the Act.
Data breach means the loss, unauthorised access to, or disclosure of, personal information.
Inquiries and Complaints Procedure means the Privacy Inquiries and Complaints Procedure promulgated under this Policy.
Loss means accidental or inadvertent loss of personal information likely to result in unauthorised access or disclosure. For example, an employee leaves a copy of a document or a device on public transport. If data can be deleted remotely or is encrypted it will not constitute an NDB.
Notifiable Data Breach (NDB) is a data breach that is likely to result in serious harm to any of the individuals to whom the personal information relates. An NDB occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. In such circumstances, ACU must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Privacy Amendment (Notifiable Data Breaches) Act 2017.
Permitted general situation has the same meaning as provided for in section 16A of the Act and referred to in APP 6.2(c). The permitted general situations are: lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety; taking appropriate action in relation to suspected unlawful activity or serious misconduct; locating a person reported as missing; asserting a legal or equitable claim; conducting an alternative dispute resolution process.
Personal information means information or an opinion in any form about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.
Sensitive information means information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, or health information, genetic information or biometric information.
Serious harm is determined with regard to the following list of relevant matters as provided for in section 26WG of the Privacy Amendment (Notifiable Data Breaches) Act 2017:
- the kind or kinds of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures;
- if the information is protected by one or more security measures—the likelihood that any of those security measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
- if a security technology or methodology:
  - was used in relation to the information; and
  - was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;

  the likelihood that the persons, or the kinds of persons, who:
  - have obtained, or who could obtain, the information; and
  - have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;

  have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;
- the nature of the harm;
- any other relevant matters.
Unauthorised access means personal information accessed by someone who is not permitted to have access. This could include an employee of the entity, a contractor or external third party (such as hacking).
Unauthorised disclosure means where an entity releases/makes visible the information outside the entity in a way not permitted by the Privacy Act. For example, an employee accidentally publishes a confidential data file containing personal information on the internet.
Web Analytics means the measurement, collection, analysis and reporting of web data for the purpose of understanding and optimising web usage.
The Information Privacy Act 2009 is adhered to, and the following levels of management of data are considered:
- Knowledge Management: The practice of extracting value from information, including analysis and reporting.
- Information Management: The practice of creating, managing, using and sharing information.
- Data Management: The management and maintenance of the data that underlies information.