Privacy Policy

Introduction
Saltbush, Balnarring Beach (“Saltbush”, “we”, “our”, “us”) is a not‑for‑profit charitable organisation supporting individuals and families experiencing hardship. We are committed to protecting your privacy and handling personal information responsibly and transparently.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Where we handle health information in Victoria, we also comply with the Health Records Act 2001 (Vic) and its Health Privacy Principles (HPPs).

1. What Personal Information We Collect
We may collect:
– Names, addresses, email addresses, phone numbers
– Information about special needs, health or accessibility requirements (this is “health information”)
– Information provided by referrers (community services, hospitals, schools, etc.) to help plan your stay or program involvement.

2. How We Collect Personal Information
– Directly from you via phone, email, website forms, and in‑person conversations
– From referral agencies and partner organisations when organising or funding your stay or program

3. Why We Collect Personal Information (Primary & Secondary Purposes)
We collect and use personal information to:
– Provide and plan services, programs, and stays
– Report service utilisation (names never published without written permission)
– Evaluate and improve Saltbush services

4. Sensitive & Health Information
We may collect sensitive or health information. We only use such information:
– For the primary purpose for which it was obtained
– For a directly related secondary purpose
– With your consent, or where required/authorised by law
Under the Health Records Act 2001 (Vic), we will:
– Keep health information secure
– Provide access and correction rights
– Only transfer health information outside Victoria where permitted under HPP 9 (Transborder Data Flows)
– Provide your health information to another health service provider at your request (HPP 11)

5. Disclosure of Personal Information
We may disclose personal information:
– To third parties with your consent
– Where required or authorised by law

We may also disclose information to:
– IT, hosting and cloud service providers
– Email, booking and communication system providers
– Auditors, insurers, and regulators

6. Overseas Disclosure
Saltbush does not routinely disclose personal information overseas.
If this changes, we will update this policy and identify the countries involved where practicable.
If we use offshore cloud or communication systems in future, we will take reasonable steps to ensure overseas recipients comply with privacy protections substantially similar to the APPs.

7. Security & Storage
We store personal information in a manner that reasonably protects it from misuse, loss, unauthorised access, modification or disclosure.
Information no longer needed will be destroyed or permanently de‑identified, though some records may be retained for a minimum of 7 years.

8. Access & Correction
You may request access to the personal information we hold about you, or ask us to correct it.
We may require identification before releasing information and may charge an administrative fee for providing copies.

9. Notifiable Data Breaches
If a data breach is likely to result in serious harm, we will notify:
– Affected individuals, and
– The Office of the Australian Information Commissioner (OAIC)
as required by the Notifiable Data Breaches (NDB) scheme.

10. Complaints
If you have a concern or complaint about how we handle your personal information, please contact us at:
info@saltbushbb.org.au or (03) 5983 1819.
We will acknowledge your complaint and respond within a reasonable timeframe.
If you are not satisfied with our response, you may escalate the matter to the:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Postal: GPO Box 5288, Sydney NSW 2001

11. Automated Decision‑Making (ADM)
Saltbush does not use computer‑based automated decision‑making that could significantly affect your rights or interests.
If this changes, and such systems are introduced, this policy will be updated to include:
– The types of decisions made
– The kinds of personal information used
– Your options in relation to those decisions
in line with amendments commencing 10 December 2026.

12. Policy Updates & Versioning
This policy is reviewed regularly and updated when laws or practices change.
Version: 3
Reviewed: February 2026
Next review: February 2027