Donate

Learning Links’ Privacy Policy outlines our commitment to protecting the privacy of personal and sensitive information collected from our customers, staff, donors, and partners. This commitment underpins our relationships and ensures compliance with privacy laws and best practices.

The key principles guiding our approach to privacy include:

  • Transparency: Informing individuals about how their personal information is collected, used, and protected.
  • Consent and lawfulness: Obtaining appropriate consent for data collection and ensuring its use aligns with legal and ethical obligations.
  • Limited disclosure: Restricting the sharing of personal information unless required by law, authorised by the individual, or necessary for
    service delivery.

This policy applies to all individuals and entities who interact with Learning Links including employees, students, contractors, and any other individuals working on behalf of the organisation.

It also applies to third-party service providers who handle personal information on behalf of Learning Links.

You can read the full Learning Links Privacy Policy here > (opens in a new tab)

You can read the Learning Links Easy Read Privacy Policy here > (opens in a new tab)

Learning Links Privacy Policy

Learning Links values and respects the privacy of everyone we interact with.

We are committed to ensuring that clients, staff, and stakeholders understand:

  • The types of personal and sensitive information we collect
  • How we use and store personal information
  • The purposes for collecting data and security measures in place.
  • How we protect privacy: The systems and processes that safeguard personal information.
  • When and why information may be shared: The circumstances under which data may be disclosed to third parties.

This policy covers:

  • The types of personal information we collect and hold.
  • How we collect, store, and secure personal information.
  • How we use and disclose personal information.
  • How and when we respond to regulatory requirements for disclosure.
  • The rights of individuals to access and correct their personal
    information.
  • How to make a privacy-related complaint.

Privacy protections are embedded into our systems and processes to ensure compliance with legal requirements.

Learning Links has a dedicated Privacy Officer. This role oversees compliance, monitors privacy systems and implements improvements based
on legislative changes and scheduled reviews.

We are committed to staff completing mandatory privacy training, including staff online modules.

Types of Information We Collect

Client information

The information we collect depends on the nature of engagement and may include

  • Personal details – name, contact information, identification documents.
  • Financial information – payment methods, banking details.
  • Service-related data – feedback, service applications, assessment reports, referrals, and communications from external professionals,
    NDIS plans.
  • Online activity – IP addresses, device details, and website interactions.
  • Feedback provided – survey responses and other input.
  • Sensitive information – only when required and in compliance with privacy laws.

Government-related identifiers

  • Learning Links does not routinely adopt government-related identifiers assigned by an agency or a contracted service provider.
  • We are required to use the allocated identifiers when supporting children and families through agencies such as the National Disability
    Insurance Agency (NDIA) and Medicare.

Sharing personal information with external agencies

We only share personal information with external agencies and regulatory bodies where legally required or necessary for service delivery. These may
include:

  • Department of Communities and Justice (DCJ)
  • Department of Social Department of Communities Services
  • Medicare
  • National Disability Insurance Agency (NDIA)
  • NDIS Quality and Safeguards Commission
  • NSW Department of Education
  • NSW Office of the Children’s Guardian (OCG)
  • SafeWork NSW

How We Collect Information

Learning Links collects personal information when necessary for providing services, meeting legal obligations, or fulfilling other legitimate  organisational functions. Information may be collected through:

  • Direct interactions – forms, emails, phone calls, in-person conversations, or online submissions.
  • Third-party referrals – with appropriate consent.
  • Website analytics and cookies – to track usage patterns and improve user experience. Cookies do not collect personally identifiable information unless explicitly provided.

Responsibilities of Staff

Staff are required to manage personal information by adhering to C.A.R.E.D principles:

  • Collect: Get explicit, written consent before collecting personal data.
  • Assess: Ensure data is secure and handled appropriately at all stages.
  • Restrict: Only use data for its intended purpose. Check before sharing/disclosing.
  • Escalate: Notify the Privacy Officer immediately if you suspect a breach or misuse.
  • Dispose: Securely delete or shed inforamtion that is no longer required

Consent and Transparency

Learning Links obtains explicit consent before collecting, storing, and using personal information, where required by law.

Where applicable, clients, staff, and stakeholders may request to remain anonymous or use a pseudonym, except where identification is legally
required for service provision or compliance.

Learning Links informs clients of any potential limitations on services if they choose not to provide requested information.

Individuals have the right to request access to their data in a portable format or request its deletion, provided such requests do not conflict with legal,
contractual, or operational obligations.

The Use and Disclosure of Information

Use of personal information

Learning Links uses personal information to:

  • Deliver services to children and families.
  • Improve programs and operations through service feedback and data analysis.
  • Process payments and donations.
  • Communicate updates, surveys, and relevant promotional materials, where consent has been provided.
  • Comply with legal and regulatory obligations.
  • Ensure safety by identifying and addressing risks.
  • Prevent unlawful activity and mitigate associated risks.

Disclosure of personal information

Learning Links does not disclose personal information unless:

  • Required by law (e.g., court orders, subpoenas, mandatory reporting obligations).
  • It is necessary to address safety risks, including duty of care and child protection concerns.
  • Permitted under funding agreements, in compliance with privacy legislation.
  • Authorised by the individual or otherwise allowed under privacy laws.

Staff responsibilities

  • Staff must not disclose personal information to external parties without explicit authority or a legal obligation to do so.
  • Staff must handle sensitive information with the utmost care and, where possible, use anonymisation or de-identification techniques in accordance with privacy legislation.
  • Staff must not input, share, or process personal or sensitive information using artificial intelligence (AI) tools or platforms unless explicitly authorised and in compliance with Learning Links’ privacy and security policies. This includes ChatGPT and other tools, which staff are  permitted to use for work-related tasks, but must not be used to handle any client, staff, or stakeholder personal data that is not already publicly available, such as information found on LinkedIn or other public platforms.

Maintaining Confidentiality

Learning Links maintains the confidentiality of client records except in the following situations where disclosure is legally required or authorised:

  • Mandatory reporting of child abuse or when a child is at risk of significant harm.
  • NDIS Reportable Incidents that must be lodged with the NDIS Quality and Safeguards Commission.
  • Allegations of Reportable Conduct, managed in accordance with legal and regulatory obligations.
  • Work health and safety (WHS) incidents that require reporting to SafeWork NSW.
  • Court-ordered disclosures or legal subpoenas.
  • Client-authorised information sharing, where written consent has been provided.
  • Consent for data collection must be explicit, informed, and time-bound.
  • Clients may withdraw their consent for the use and storage of their personal information at any time; however, this may impact service  provision, and Learning Links may be required to retain certain records to comply with legal and regulatory obligations.

Data and Security Retention

Learning Links ensures the secure handling of personal information through:

  • Password-protected systems and encrypted databases.
  • Physical security measures, such as locked file storage.
  • Controlled access to sensitive data, limited to authorised personnel.
  • Secure disposal of personal information when no longer required, in line with legal obligations.
  • Correction of personal data, when requested by clients or staff and permitted by law.
  • Staff training in data privacy and security practices.

Learning Links promptly responds to requests related to personal information, including corrections, access, and breaches, unless prohibited by law. We are committed to enhancing data security by:

  • Requiring multi-factor authentication (MFA) for staff.
  • Conducting regular security audits and risk assessments.
  • Keeping staff informed about cybersecurity best practices.
  • Accessing external IT support from accredited providers.
  • Maintaining a data breach and incident response plan to manage security risks.

Third-party vendor agreements

Learning Links requires all third-party vendors handling personal information to sign data protection agreements. Before engaging a vendor, a review of their data management practices is conducted. Managers are responsible for ensuring agreements clearly outline how personal information is collected, stored, and used, and that the terms do not pose a risk to Learning Links.

Mandatory Data Breach Notifications

Learning Links is committed to identifying, assessing, and reporting data breaches in compliance with relevant privacy laws, including the Notifiable
Data Breaches (NDB) scheme. Any breach involving personal information that may result in serious harm will be reported to the appropriate  regulatory body and affected individuals within the required legal timeframe.

A data breach response plan is activated immediately to ensure timely investigation, mitigation, and resolution of the breach.

Learning Links Data Breach Policy and Cyber Security Policy provide guidance on responding to both actual and potential threats to personal information.

Privacy Officer

The General Manager, Governance and Risk serves as Learning Links’ Privacy Officer, responsible for overseeing compliance with privacy laws, responding to privacy concerns, and managing data breach incidents. For any privacy-related concerns or requests regarding personal information,
individuals can contact the Privacy Officer via:

Office of the Australian Information Commissioner (OAIC)

Learning Links is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Under the Privacy and Other Legislation Amendment Act 2024, the Office of the Australian Information Commissioner (OAIC) has the authority to issue infringement and compliance notices to Learning Links and other regulated organisations for breaches of privacy laws.

The OAIC may issue a compliance notice if it believes an entity has contravened the Australian Privacy Principles (APPs) and may impose civil
penalties for failure to comply.

Individuals’ Rights

Learning Links customers, staff, and external stakeholders have the right to:

  • Access, correct, or request deletion of their personal information, subject to legal and operational requirements.
  • Lodge a complaint with Learning Links if they believe their privacy has been breached. If the issue is not resolved, they may escalate it to the
    Office of the Australian Information Commissioner (OAIC).
  • Seek legal redress for serious invasions of privacy, including unauthorised access, misuse, or improper disclosure of personal
    information.

Learning Links is committed to transparency in its use of technology. If automated decision-making tools are adopted in the future, clients, staff, and
external stakeholders will be informed about their use, purpose, and impact.

Doxxing

Learning Links is committed to preventing and responding to the unauthorised release of personal data in a manner that is menacing, harassing, or intended to cause harm (known as ‘doxxing’).

Doxxing is a serious criminal offence, and any instance involving Learning Links’ clients, staff, or stakeholders will be investigated and may result in legal action or disciplinary measures. Staff are strictly prohibited from engaging in, facilitating, or encouraging doxxing in any form.

Legislation

Learning Links complies with the following privacy laws:

  • Privacy Act 1988 (Cth) – Governs the collection, use, and disclosure of personal information in Australia.
  • Privacy and Other Legislation Amendment Act 2024 – Expands regulatory powers and enforcement mechanisms for privacy compliance.
  • Other applicable state and federal legislation, as required.

 

Version

Updated Februray 2025

Next review February 2027

Download Full Privacy PolicyDownload Easy Read Privacy Policy