1. Scope and Responsibilities
This policy applies to all Many Rivers’ clients/community organisation representatives or potential clients/community organisation representatives, donors, Many Rivers’ current or former employees, contractors, volunteers or someone who comes into contact with Many Rivers.
2. Purpose
Many Rivers Microfinance Limited ABN 58 128 486 788 (Many Rivers, we, us) is required by law to comply with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (Schedule 1, Privacy Act) (APPs), the Cyber Security Act 2024 (Cth) and any other applicable privacy laws when handling and protecting personal information. We take our privacy obligations seriously and this Privacy Policy outlines our privacy practices, and explains how we handle personal information, including in relation to our website located at manyrivers.org.au (Many Rivers Website).
In this Privacy Policy, personal information has the meaning given to it in the Privacy Act, and includes information or an opinion, whether true or not, about an identified individual or an individual who is reasonably identifiable.
By providing your personal information to us, you consent to us collecting, holding, using and disclosing your personal information as described in this privacy policy (as amended from time to time).
You are not required to provide personal information to us. However, if you do not provide us with all the personal information we request, the services we provide to you may be affected.
3. Personal information we collect and hold
3.1 Kinds of personal information
The kinds of personal information we collect depend on the nature of our interactions and dealings with you. For example, we may collect personal information about you if you are a Many Rivers’ client/community organisation representative or potential client/community organisation representative, donor, current or former employee, contractor, volunteer, or someone who comes into contact with Many Rivers.
The types of personal information we may collect and hold generally include:
Clients/Community Organisation Representatives:
- your name, date of birth, gender, driver licence details, contact details (including residential, postal and/or business addresses, email addresses and phone numbers), bank details, Centrelink payment type and status and other information which assists us in conducting our business, providing our newsletter, services and meeting our legal obligations;
- your image and other personal information (in photographs, films, videos, electronic presentations and/or sound recordings which may also be collected via a consent form);
- other personal information relevant to providing our services to you such as languages you speak, next of kin details, family and living circumstances, education qualifications, employment history, personal/household income, assets, savings frequency, liabilities (including loans and recent access to loans), living expenses (including rent/mortgage repayments), ability to access finance, access to essential services (including phone, internet and a motor vehicle), service feedback and complaint details;
- financial information related to Many Rivers business loan applications, including bank statements, statements of financial position, credit reports and business/personal bank details; and
- other information collected through structured wellbeing surveys to better understand and provide support beyond your immediate business or economic needs including financial stability, health, work activities, social connections, cultural identity, safety, learning and skills, resilience, access to basic needs, environment, civic engagement, emotional wellbeing, personal time, sense of purpose and overall life satisfaction.
Donors:
- your name, contact details (including residential, postal and/or business address, email addresses and phone numbers), date of birth, gender, workplace and position; and
- your payment details and financial contribution(s) made to Many Rivers.
Employees/Contractors/Volunteers:
- your name, date of birth, gender, contact details (including residential, postal and/or business addresses, email addresses and phone numbers), cultural identity, emergency contact details, bank and superannuation account details and tax file number;
- your salary, benefits and services you may receive from Centrelink or other government bodies, employment history, education and qualifications, references and feedback; and
- we may also collect confidential health-related information, including disclosed disabilities, medical certificates and other health records; disclosures of medical conditions provided during recruitment processes; and documentation such as certificates of capacity, ergonomic assessment reports and other health-related records.
Many Rivers complies with applicable health records laws when collecting and handling health information, including the Health Records and Information Privacy Act 2002 (NSW).
To the extent that we collect government related identifiers (GFIs) (as defined in the Privacy Act), we will only use or disclose GFIs in accordance with the APPs.
3.2 How we collect personal information
Where possible, personal information is collected directly from you at the time of your interaction with us. In some cases, personal information is also collected from third parties, including in circumstances where you are transferred or referred to us.
We will only collect your personal information with your consent, where collection is required by law, or in other special specified circumstances.
We may also collect non-personal information using “cookies” or other similar tracking technologies that help us measure website traffic on the Many Rivers Website. Cookies are small files that store information on your computer, mobile phone or other device. They enable us to recognise your IP address across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser, but the Many Rivers Website may not work properly if you do so.
4. Purposes for which we collect, use and disclose personal information
We may collect, use and disclose your personal information for the purpose of:
Clients/Community Organisation Representatives:
- providing client or community services which may include general business coaching support, access to finance and access to other products to support you to start and sustain your business;
- sharing or transferring personal information within Many Rivers to provide, expand or improve the services we provide to you or assist with more efficient service delivery;
- handling client or community enquiries, complaints and feedback about the quality of the services that we provide; or
- we may also collect information through structured wellbeing surveys to better understand and support clients and communities beyond business or economic needs.
Donors:
- fundraising, promotional and charitable activities and functions.
Employees/Contractors/Volunteers:
- employing or engaging you as an employee, contractor or volunteer.
We may also generally collect, use and disclose your personal information for the general management and conduct of Many Rivers, including:
- facilitating proper governance processes such as risk management, incident management, internal audit and external audits;
- complying with funding requirements and requirements of government bodies which regulate and fund the services we provide, legal obligations and applicable laws;
- organising and holding events and conferences;
- understanding, through aggregated information, trends and patterns used for research and advocacy; and
- assessing the services and outcomes delivered by Many Rivers.
We will not use or disclose your personal information for any purpose other than the purpose for which it was collected (or a related purpose that would be reasonably expected by you), unless you have consented to that other purpose, or we are permitted to do so by law.
5. Disclosure to third parties
We may disclose your personal information to third parties:
- for the purposes for which it was collected;
- where required by government agencies or funding agreements;
- when transferring you to another service provider;
- for assistance with the delivery or provision of our services;
- where you have provided your consent, including via a consent form to share your ABN with the Department of Social Services (DSS), share your stories, or for purposes related to electronic communication and electronic signature;
- where we have a reasonable concern regarding your safety or wellbeing;
- where required or authorised by law; or
- if you ask us to do so.
We may disclose some of your personal information to third parties providing electronic storage services, some of which may be located overseas.
Where we engage third parties to aggregate, collate and/or analyse information for the purposes of research and advocacy, we will only provide them with de-identified information. DSS may also link some of your de-identified information.
We are committed to ensuring that all third parties who handle personal information on our behalf uphold robust privacy and security standards. We assess and manage third-party risks through contractual safeguards, due diligence and ongoing oversight to maintain compliance with our legal obligations as required under the Privacy Act 1988 (Cth) and Cyber Security Act 2024.
6. Responsible Use of Artificial Intelligence (AI)
Many Rivers uses AI tools responsibly to support data analysis and inform decision-making. While personal information may be used to help identify trends or insights, all decisions are made by people. AI does not make automated decisions that directly affect individuals. Where we use tools outside our internal systems, we ensure the data is de-identified to protect privacy and uphold our legal and ethical obligations.
7. Marketing and newsletter
Many Rivers generally does not send marketing or promotional communications; however, we do send a newsletter to subscribers. If you have previously opted in to receiving our newsletter or other communication, you may unsubscribe via the link provided or contact us via email at [email protected] and we will cease the relevant communication.
8. How you can access and correct your personal information
You are entitled to request access to the personal information held by us about you. This is generally provided upon your request and is subject to completion of our verification and risk processes, certain legal exceptions, and to access restrictions imposed or permitted by law. If a legal exception or restriction applies and we decide not to provide you with access to any personal information we hold about you, we will advise you of the reasons for our decision. Access requests should be made to the same point of contact to whom you provided your personal information, or you can contact us at [email protected].
Where we are satisfied that any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading (having regard to the purpose for which it is held), we will take such steps (if any) as are reasonable in the circumstances to correct that personal information, subject to certain legal exceptions.
You are entitled to request the de-identification or deletion of your personal information. Where we no longer need your personal information we will action your request.
Correction, de-identification or deletion requests should be made to the same point of contact to whom you provided your personal information, or you can contact us at [email protected].
If we do not agree that the personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, you may ask that we attach a statement to this effect to our record.
9. How we manage, protect and store your personal information
Personal information may be stored by us in hard copy form or electronic form. We will take reasonable steps to protect personal information held from misuse, loss, unauthorised access, modification or disclosure by ensuring the use of physical security of hard copy records and restricted access to electronic records.
We will take reasonable steps to ensure your personal information is retained securely and in accordance with applicable laws or the requirements of any government or other funding body’s record-keeping requirements. Where we no longer need your personal information, we will take reasonable steps to destroy or de-identify it.
In the unlikely event that personal information is lost, stolen, accessed by, or accidentally shared with an unauthorised individual or third party, Many Rivers will investigate the data breach. This extends to data breaches concerning personal information held by a third party. Impacted individuals will be notified as soon as practicable where the data breach is likely to result in serious harm and where Many Rivers (or the third party) has been unable to prevent or remediate the data breach. The notification will include contact details of the breached company, a description of the breach, the information involved and recommended steps to minimise the impact.
Where a cyber-extortion payment is made either directly by Many Rivers or on our behalf, we follow required reporting and response procedures in accordance with relevant legislation.
10. What to do if you have a privacy enquiry or complaint
If you have an enquiry or a complaint about our handling of your personal information, please direct it to the point of contact to whom you provided your personal information, or you can contact us at [email protected]. We will outline options regarding how your enquiry or complaint may be resolved, and we aim to respond and resolve it in a timely and appropriate manner, treating your enquiry or complaint confidentially.
If we are unable to satisfactorily resolve your concern or complaint, you can enquire or lodge a complaint with the Office of the Australian Information Commissioner (OAIC). You can contact the OAIC hotline on 1300 363 992. The OAIC has the power to investigate the matter and make a determination.
11. Contact details
You can contact us at:
Post: Many Rivers Microfinance Limited Privacy Officer Level 21, 233 Castlereagh Street, Sydney NSW 2000; or
Phone: 1300 626 974; or
Email: [email protected]
Policy Review
Many Rivers will review the Privacy Policy at least annually to ensure standards and risk control measures are upheld, relevant regulatory information is current and content aligns to other organisational policies.

