Privacy Policy
About Ensō and this Privacy Policy
Ensō Workplace Wellbeing Pty Ltd (ABN 67 670 015 424) (Ensō, we, us or our) is committed to protecting the privacy and confidentiality of your personal information.
We provide workplace support services for organisations (Clients) and their staff members, including consultancy services, wellbeing workshops and critical incident support services.
We may collect various types of information from Clients and their staff members when providing our services, such as psychological injury statistics, interventions already trialled, workplace culture information, or other information collected by us through wellbeing workshops and critical incident support services.
This privacy policy (this Policy) specifically relates to our handling of your identifying personal information which we may collect as part of our services or activities, whether you are a Client staff member, or another individual we engage with.
This Policy explains how we will collect, use, disclose, store, and protect your personal information. This Policy also describes the way in which you may access or correct the personal information we hold about you, and how to contact us if you have any complaints in relation to your privacy.
We will handle your personal information in accordance with applicable privacy and health records laws, including the Privacy Act 1988 (Cth) (the Privacy Act) and its Australian Privacy Principles (APPs), and the Health Records Act 2001 (Vic) and its Health Privacy Principles (HPPs).
What is ‘personal information’?
This Policy applies to our handling of personal information. ‘Personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in a material form or not.
Personal information includes ‘sensitive information’, which is a particular type of personal information. Sensitive information includes identifying health information about you (such as details of your health and medical history). Sensitive information also includes information about racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, and sexual orientation or practices.
Why do we collect your personal information?
We collect personal information from you so that we can provide our services to you, or where this is otherwise necessary for our functions or activities.
If you are a Client staff member (including management staff and other staff) we may collect your personal information:
to provide you with workplace support services and any other services we provide;
to provide you with information regarding our services;
to obtain any necessary consents from you to engage in the above services and activities;
to arrange payments (if applicable to your role); and
to enable us to respond to any queries or complaints you may have.
If you are a person other than a Client staff member, such as a service provider, contractor or other third party we engage with, we will collect your personal information to the extent necessary for our functions or activities, and to work, transact or engage with you.
You are not required to disclose your personal information to us. However, if you do not provide the information requested, you may not be able to receive our services or engage with us effectively.
What types of personal information do we collect?
We may collect the following personal information from Client staff members, to the extent this is necessary for the services and activities we have been engaged to provide:
name, date of birth, postal address, email address and telephone numbers;
health and medical history (for example, if this is necessary for any critical incident support services);
details or your involvement in any workplace wellbeing interventions, workplace risk management or workplace incidents or issues;
occupation and employment/engagement details with your organisation; and
payment and billing details (if applicable to your role).
We collect personal information from persons other than Client staff members, such as service providers, contractors and third parties we engage with, to enable us to work, transact or engage with them. This will include contact details and other relevant personal information of such individuals which they provide or which we request and collect from them.
How do we collect your personal information?
We will collect your personal information in a lawful and fair way and in a manner that is not unreasonably intrusive.
We will only collect your personal information where you have consented, or otherwise in accordance with the law.
If you are a Client staff member, we will generally collect your personal information directly from you. This might be during a face to face discussion, telephone conversation, or email/electronic communication, and may be collected using a registration form, survey/feedback form or another form which we provide. There are limited circumstances in which we may need to collect your personal information from someone else. We will only do this with your consent, or where it is not practical to obtain this information from you and this is otherwise permitted by the privacy laws. For example, we may need to collect your information from your organisation, a health service provider, or a family member, where there is a serious threat to your life or health and you cannot provide consent.
If you are person other than a Client staff member, such as service providers, contractors and third parties we engage with, we will generally collect your personal information directly from you, and we may collect your personal information from third parties. For example, if you are a service provider we may collect information from your referees.
When we collect your personal information, we will as soon as is practicable take reasonable steps to notify you of the details of the collection (including notifying you through this Policy), such as the purposes for which the information was collected, the organisations (if any) to which the information will be disclosed, and also notify you that this Policy contains details on how you may access or correct your information, or raise any complaints.
How do we use your personal information?
How we use your personal information will depend on why you are dealing or engaging with us and in what capacity.
We will generally only use your personal information for the main purposes for which you have provided it to us. For example, if you are a Client staff member, we will generally only use your personal information to provide our workplace wellbeing services to you.
If you are a person other than a Client staff member, such as service providers, contractors and third parties we engage with, we may use your personal information to manage our relationship with you.
We may also use your personal information where we are otherwise required or authorised by law to do so, which may include the following:
where we use your information for purposes which are directly related to the main purpose for which we collected it, in circumstances where you would reasonably expect us to use your information for these purposes; or
for funding, management, planning, monitoring improvement or evaluation of our services, or the training of staff, where we take all reasonable steps to de-identify that information; or
where it is unreasonable or impracticable to obtain your consent and the use is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
Do we disclose your personal information to others?
We respect the privacy of your personal information and we will take reasonable steps to keep it confidential and protected.
We will generally only disclose your personal information to other persons for the main purposes for which you have provided it to us, which will usually be for the purposes of you receiving workplace wellbeing services from us.
If you are a person other than a Client staff member, such as service providers, contractors and third parties we engage with, we may disclose your personal information to manage our relationship with you.
We will otherwise only disclose your personal information to other persons:
for other purposes for which you have provided consent. For example, if you are a Client staff member who has received critical incident support services, and we consider you require ongoing clinical care, we may seek your consent to refer you to an appropriate health professional for that care;
for purposes which are directly related to these main purposes for which the information was collected, in circumstances where you would reasonably expect us to disclose your information for these purposes. For example, unless you object, if you are a Client staff member and your organisation or another referrer has referred you to receive critical incident support services, we may confirm to the referrer in simple terms that you have received those services; or
where we are otherwise required or authorised by law to do so, for example:
where disclosure is necessary under law, such as where we need to comply with a subpoena or Court order; or
where it is unreasonable or impracticable to obtain your consent and we reasonably believe disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
Will we transfer your personal information interstate or overseas?
We comply with the requirements of the APPs and HPPs when disclosing personal information interstate or overseas.
It may be necessary to disclose your personal information to persons or organisations interstate or overseas to provide you with ongoing care (for example, where a referral is made to a health professional located interstate or overseas).
We will only disclose your personal information interstate or overseas if we would be lawfully permitted to disclose it to a recipient in Australia, and:
we have taken reasonable steps to ensure that the interstate or overseas recipient of your personal information does not breach the APPs or HPPs; or
the interstate or overseas recipient is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs and HPPs which you can access and enforce; or
the disclosure interstate or overseas is otherwise required or authorised by law.
How do we store and secure your personal information?
We may store personal information in both paper and electronic form. The security of personal information is important to us. We take reasonable steps to protect this information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Some of the ways we do this include:
requiring our staff to maintain confidentiality;
implementing document storage security;
imposing security measures for access to our computer systems; and
providing a discreet environment for confidential discussions.
We keep your personal information for the time periods required by law. After this time, we securely de-identify or dispose of the information.
How can you access and correct your personal information?
You have a right to seek access to, and correction of the personal information we hold about you.
You may request access to the personal information that we hold about you, using our contact details set out below. In certain circumstances, we may refuse to allow you access to your personal information where this is authorised by the law, such as where providing access would have an unreasonable impact on the privacy of other individuals, providing access would pose a serious threat to the life or health of any person or to public health or safety, or giving access would be unlawful.
If you believe that the personal information we hold about you requires correction (for example, because the information is inaccurate, out-of-date, incomplete, irrelevant or misleading), you may request that the information be corrected using our contact details set out below.
If we refuse your request for access or correction, we will provide you with reasons for the refusal in writing, and details about how you may complain about the decision.
Website privacy
We may collect your personal information through your interactions with us via our website.
We will deal with any personal information collected via our website in accordance with this Policy and the law.
We also collect data through our use of ‘cookies’ and other internet technologies.
Cookies are small data files which are stored on your device’s browser. Cookies are stored in order for your internet browser to navigate a website. Cookies will not identify you, but they do identify your internet service provider and browser type.
We will not use cookies to collect your identifying personal information. The cookies may collect statistical information about your visit to our website (such as the pages you visit on the website) in order to remember your preferences and allow you to navigate the website more easily.
The default setting of most internet browsers is to accept cookies automatically, but you can choose whether to allow cookies through your browser settings.
If we provide links through our website to third-party websites, or other third party applications, we are not responsible for the content provided, privacy policy and practices of such third-parties. You should familiarise yourself with the privacy policies of any such third parties.
Data breaches
We are required to comply with mandatory ‘notifiable data breach’ scheme (the NDB scheme) under the Privacy Act. The NDB scheme applies when an ‘eligible data breach’ of personal information occurs.
An ‘eligible data breach’ occurs when:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds; and
this is likely to result in serious harm to one or more individuals; and
the organisation has not been able to prevent the likely risk of serious harm with remedial action.
An organisation may take remedial steps to prevent the likelihood of serious harm occurring for any affected individuals after a data breach has occurred, in which case, the data breach is not an ‘eligible data breach’.
Where we have reasonable grounds to believe that we have experienced an eligible data breach (and remedial action cannot be used), we will promptly notify affected individuals and the Office of the Australian Information Commissioner about the breach in accordance with the Privacy Act.
Privacy related questions and complaints
We respect your privacy and we take all complaints regarding privacy very seriously.
If you have any questions about privacy-related issues, or wish to complain about a breach of your privacy or the handling of your personal information by us, you may lodge your question or complaint in writing to us using the contact details below. We will respond to you as soon as possible, but no later than 30 days from receipt of your question or complaint.
If you are not satisfied with our response, or if you do not wish to raise a question or complaint with us directly, you may wish to contact:
the Office of the Australian Information Commissioner. See www.oaic.gov.au; or
the Victorian Health Complaints Commissioner. See www.hcc.vic.gov.au.
Our contact details
If you would like to contact us regarding any privacy matters, including where:
you would like to request access to or correction of your personal information; or
you have a complaint or concern regarding your privacy,
please contact us using the following details:
Email address: hello@ensoworkplacewellbeing.com
Telephone number: 1300 986 625
Updates to this Policy
We may update this Policy from time to time. We will notify you about any changes to this Policy through our website, and we will make the most current version of the Policy available when you receive services from us, or on your request.
Last updated: August 2023