1. Overview

Mental Health First Aid International (MHFA) is a national not-for-profit company limited by guarantee. MHFA develops and evaluates training programs and trains and accredits Instructors.

This document sets out the policy relating to the protection of the privacy of MHFA personal information.

We are committed to protecting the privacy of the personal information we collect and receive. This Privacy Policy sets out how we manage your personal information, including sensitive and health information. It describes the types of information we collect and hold and why we do so, how we keep the information secure, how to access and correct the information, and how to make a privacy complaint.

A copy of this Privacy Policy is available on the Mental Health First Aid website, www.mhfa.com.au. A printed copy can be obtained free of charge by contacting our Privacy Officer (details under heading 12 below).

1.1 What is personal information?

Personal information means information or an opinion, whether true or not and whether recorded in a material form or not, about a living individual who is either identified or reasonably identifiable.

Examples include an individual’s name, address, contact number and email address.

For the purposes of this Privacy Policy, a reference to personal information should read as including sensitive and health information, unless otherwise specified.

1.2 Our obligations

MHFA is required to comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act). The APPs regulate the manner in which personal information is handled throughout its life cycle, from collection/receipt to use and disclosure, storage, accessibility and disposal.

We are also required to comply with other laws, including more specific privacy legislation in some circumstances and in some jurisdictions, such as:

  • the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act
  • applicable Australian State and Territory health privacy legislation (including the Victorian Health Records Act 2001) when we collect and handle certain health information. This Privacy Policy is principally focussed on privacy law requirements imposed by the Commonwealth Parliament
  • applicable data protection and privacy legislation of the other national and international jurisdictions in which MHFA operates.

2. The purposes for which we collect, hold, use and disclose personal information

In addition to collecting and using your personal information in order to carry out our services, we collect and use your personal information for the purposes explained below:

Education, training and events

  • developing, promoting and conducting MHFA events (whether digitally, online, face-to-face or otherwise), including seminars and conferences (including organising speakers, locations and catering, making travel arrangements where required and keeping attendance records)
  • developing, administering, supporting and assessing MHFA’s training programs
  • developing new MHFA resources and programs
  • marketing MHFA workplace and community development materials


  • conducting surveys and research for product and program improvement purposes and to compile statistics and analyse trends
  • developing research grant applications and administering research grants

Personal information collected for research is not used for direct marketing, unless your consent is obtained for that purpose.

Research studies may require ethics approval from an Australian Human Research Ethics Committee and this may impose additional obligations in relation to the collection of personal information.

Grant Applications

  • developing funding applications and administering funding applications

Direct Marketing (and opting out)

  • sending marketing and promotional information by post, email, social media or telephone (including SMS). You may opt out of receiving direct marketing communications from us at any time. If you wish to stop receiving direct marketing communications from us, please tell us by following the opt-out instructions on the communication we send you or contact us.

Other general services

  • Employment: to manage queries from or about a prospective, current or past employee
  • Health promotion: to provide information about mental health first aid
  • Volunteering and support: to enable individuals to assist us with volunteering, advocacy and other activities when we seek the community’s assistance
  • Other purposes: communicating with individuals in relation to our operations, activities and objectives, to verify their identity and to comply with applicable laws
  • Privacy complaint management: receiving, investigating and taking action on complaints about how MHFA has collected or handles personal information
  • Payments: processing payments
  • General complaint management: answering queries and resolving complaints
  • Business analysis: aggregated information for business analysis.

Other activities

MHFA may also collect, hold, use and disclose personal information for other purposes explained at the time of collection or:

  • which are required or authorised by or under law (including, without limitation, privacy legislation); or
  • for which the individual has provided their consent.

3. The kinds of personal information we collect and hold

3.1. General

MHFA collects information from individuals to whom we provide, and who help us provide, our programs. This includes employees, job applicants, research study participants, participants in training courses, participants in advocacy campaigns, suppliers, volunteers, users of our social media pages and applications and our service providers.

The personal information we may collect will depend on who you are and the purpose for which it is collected. We only collect personal information that is reasonably necessary to perform our functions and services.

The kinds of personal information that we may collect when dealing with you include:

  • your name, date of birth and gender
  • your contact information including address, postcode, email, telephone number and mobile number
  • your details regarding ethnicity, e.g. country of birth, whether you are an Aboriginal or Torres Strait Islander or language spoken at home
  • payment or billing information (including bank account details, credit card details, billing address and invoice details) for supply of our services
  • your current location, if you are using one of our mobile applications and consent to this collection
  • details regarding the products, programs or services we have supplied you
  • communication preferences
  • your username and password for accounts set up on our website including your Social ID if you choose to use it.

We may also collect the following types of information from you if you are a:

Job applicant or employee

  • your employment history, qualifications, resume and job references
  • your fitness for work, including police checks and security information from government agencies or departments (including Working with Children checks), health assessments and other personal information as part of your job application (only if appropriate and in compliance with the law)
  • your banking details to process payments such as wages
  • government related identifiers, such as your Tax File Number in compliance with the law

Participant in a training program

  • your opinions via surveys and questionnaires
  • details relating to your participation in the training program

Research Participant

  • your opinions via surveys and questionnaires
  • lifestyle information and health information

3.2. Sensitive information

Under Australian law, sensitive information is a subset of personal information that is generally afforded a higher level of privacy protection. Sensitive information includes health and genetic information and information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record and some types of biometric information.

MHFA’s policy is only to collect sensitive information where it is reasonably necessary for our functions or activities and either:

  • the individual has consented; and
  • we are required or authorised by or under law (including applicable privacy legislation) to do so.

For example, we may collect:

  • information about dietary requirements or mobility needs when we conduct events such as conferences and seminars
  • information about medical conditions in the context of assessment, as part of a special consideration application or so that we can implement special assessment arrangements;
  • identification as Aboriginal or Torres Strait Islander
  • information with regard to criminal convictions in relation to MHFA trainers or suppliers

Our policy is not to use sensitive information except for a purpose which is directly related to the primary purpose for which the information was collected.

3.3. Health Information

Health information is personal information that is also information or an opinion about the physical, mental or psychological health of an individual, a disability of an individual, an individual’s expressed wishes for the future provision of their healthcare, or a health service provided to an individual. Our collection and disclosure of any health information will comply with the Health Privacy Principles (HPPs).

3.4. Collection of information through our website

When you access our website, we or our third-party service providers may use cookies and software (such as JavaScript or other similar technology). A cookie is a small string of information that a website transfers to your browser for identification purposes. Depending on the surrounding circumstances, the cookies used by MHFA may or may not identify individual users who log into the website. If they do reveal your identity, they constitute personal information, and thus are the subject of the Privacy Act.

Use of cookies and software allows us to:

  • Maintain the continuity of your browsing session (e.g. maintaining a shopping cart)
  • Remember your details and preferences when you return
  • Use Google Analytics to collect information such as demographics, visits to our website, length of visit and pages viewed

Most internet browsers are set to accept cookies. If you prefer not to receive them, you can adjust your internet browser to reject cookies, or to notify you when they are being used.

Rejecting cookies can, however, limit the functionality of our website (such as preventing users from logging on and making purchases).

3.5 Collection of information through mobile applications

We may collect information when you use our mobile applications. This may include information such as your profile, location and other relevant information which is used by our services. By providing us with this information, you are consenting to our collection and use of this information.

3.6 What if you don’t want to provide your personal information?

MHFA’s policy is to provide individuals with the option of not identifying themselves, or of using a pseudonym, when dealing with us if it is lawful and practicable to do so. A pseudonym is a name or other descriptor that is different to an individual’s actual name.

For example, MHFA’s policy is to enable you to access our website and make general phone queries without having to identify yourself and to enable you to respond to our surveys anonymously.

In some cases, if you don’t provide us with your personal information when requested, we may not be able to respond to your request or provide you with the product or service that you are seeking.

4. How we collect personal information

4.1. Methods of collection

MHFA is required by the Privacy Act to collect personal information only by lawful and fair means. If it is reasonable and practicable, we will collect personal information we require directly from you.

MHFA collects personal information in a number of ways, including:

  • by email
  • over the telephone
  • through written correspondence (such as letters, faxes and emails)
  • on hard copy forms (including event registration forms and surveys)
  • in person (for example, at job interviews and in exams)
  • through our website (for example, if you make an online purchase or complete and submit a web form, or if you participate in a live chat)
  • at seminars and functions (for example, if you fill out an assessment form or leave us your business card)
  • as part of our training programs
  • electronic systems such as mobile applications and
  • from third parties, including:
    1. individuals or service providers that assist us in running our training programs
    2. the ATO or ASIC
    3. insurers in relation to professional indemnity insurance
    4. public sources, such as telephone directories, membership lists of business, professional and trade associations, public websites, ASIC searches, bankruptcy searches and searches of court registries.

4.2 Unsolicited information

Unsolicited personal information is personal information MHFA receives that we have taken no active steps to collect (such as an employment application sent to us by an individual on their own initiative, rather than in response to a job advertisement).

We may keep records of unsolicited personal information if the Privacy Act permits it (for example, if the information is reasonably necessary for one or more of our functions or activities). If not, MHFA’s policy is to destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.

5. How we store and secure personal information

5.1. General

MHFA holds personal information in a number of ways, including in electronic databases, email contact lists, and in paper files held in drawers and cabinets, locked where appropriate. Paper files may also be archived in boxes and stored offsite in secure facilities.

MHFA’s policy is to take reasonable steps to:

  • make sure that the personal information that we collect, use and disclose is accurate, up to date and complete and (in the case of use and disclosure) relevant; and
  • protect the personal information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure.

You can also help us keep your information up to date by letting us know about any changes to your personal information, such as your email address or phone number.

5.2. Security

The steps we take to secure the personal information we hold include ICT security (such as encryption, firewalls, anti-virus software and login and password protection), secure office access, personnel security and training and workplace policies.

5.3 Payment security

The MHFA processes assessment, membership and other payments using EFTPOS and online technologies. MHFA’s policy is to ensure that all transactions processed by the MHFA meet industry security standards to ensure payment details are protected.

5.4 Website security

While MHFA strives to protect the personal information and privacy of website users, we cannot guarantee the security of any information that you disclose online: you disclose that information at your own risk. If you are concerned about sending your information over the internet, you can contact MHFA by phone or post.

You can also help to protect the privacy of your personal information by keeping passwords secret and by ensuring that you log out of the website when you have finished using it. In addition, if you become aware of any security breach, please let us know as soon as possible.

5.5 Third party websites

Links to third party websites that are not operated or controlled by the MHFA are provided for your convenience. MHFA is not responsible for the privacy or security practices of those websites, which are not covered by this Privacy Policy. Third party websites should have their own privacy and security policies, which we encourage you to read before supplying any personal information to them.

6. Disclosure of personal information to third parties

6.1 General Disclosures

Under MHFA’s policy, personal information may be disclosed to the following third parties where appropriate for the purposes set out under section 2 above:

  • financial institutions for payment processing
  • insurers
  • persons involved in external dispute resolution involving the MHFA
  • universities and other educational service providers involved with or engaged by MHFA for training or research programs
  • an MHFA participant or Instructor’s employer (including to confirm status and provide training program results where the employer subsidises some or all of the individual’s fees)
  • members of MHFA committees (such as advisory committees, member and discussion groups formed to consider topics of interest to mental health first aid)
  • bodies such as the Financial Ombudsman Service for the resolution of complaints and disputes
  • ASIC and similar bodies to comply with our legal obligations
  • referees whose details are provided to us by job applicants
  • third parties who have made complaints (including to advise them of the conduct and outcome of the complaint)
  • MHFA’s contracted service providers, including:
    1. information technology service providers
    2. publishers of our newsletters, handbooks and course materials
    3. conference organisers
    4. marketing and communications agencies
    5. mailing houses, freight and courier services
    6. printers and distributors of marketing material
    7. external business advisers (such as recruitment advisers, auditors and lawyers); and
    8. transcript recording service providers, in relation to disciplinary proceedings
  • law enforcement and regulatory bodies as required by law
  • as required or authorised by or under an Australian law or the order of an Australian court or tribunal
  • other professional bodies of which MHFA is also a member in relation to disciplinary proceedings.

In the case of these contracted service providers, the MHFA may disclose personal information to the service provider and the service provider may in turn provide us with personal information collected from you in the course of providing the relevant products or services.

Personal information may also be disclosed to third parties with the consent of the record subject.

6.2 Disclosure for Research

We may disclose your personal and health information to researchers to conduct research studies into mental health first aid. Typically, information provided for research projects is de-identified unless consent is obtained. Disclosure of personal and health information for research purposes will be subject to our legal obligations, as well as our strict internal policies and codes of practice and the Australian Code for the Responsible Conduct of Research.

7. Cross border disclosure of personal information

From time to time, we may disclose personal information to individuals and organisations who are located outside Australia. They may be in locations where they are subject to laws in that location or to a binding scheme or contract with us which requires them to protect the information we disclose in a substantially similar way to the privacy obligations in Australia. Otherwise, we may disclose or transfer the information in compliance with the other provisions of APP8 (Cross-border disclosure of personal information) and/or HPP9 (Transborder data flows) as applicable.

Parties to which we may transfer/disclose information outside Australia include the third parties noted above in 5.1, partners in our education and training programs and other affiliate Mental Health First Aid organisations. We may also disclose de-identified information to researchers in other countries.

8. Use of government related identifier

MHFA’s policy is to not:

  • use a government related identifier of an individual (such as a Medicare number or driver’s licence number) as our own identifier of individuals;
  • otherwise use or disclose such a government related identifier,

unless this is permitted by the Privacy Act (for example, where the use or disclosure is required or authorised by or under an Australian law or a court or tribunal order).

9. Access and correction of your personal information

Individuals have a right to request access to the personal information that the MHFA holds about them and to request its correction at any time.


We will, upon your request, and subject to any exemptions in applicable privacy laws, provide you with access to the personal information that we hold about you. We will first need to identify you and know the type/s of information that you require access to. We will endeavour to deal with access requests within 30 days. We may provide access in the manner that you have requested provided it is reasonable and practicable for us to do so. We may however charge a fee to cover our reasonable costs of locating the information and providing it to you. Our fees are modelled on the fees applying to Australian Government Departments for FOI.


If you ask MHFA to correct personal information that we hold about you, or if we are satisfied that the personal information we hold is inaccurate, out of date, incomplete, irrelevant or misleading, the MHFA’s policy is to take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.

If MHFA corrects personal information about you, and we have previously disclosed that information to another agency or organisation that is subject to the Privacy Act, you may ask us to notify that other entity. If so, MHFA’s policy is to take reasonable steps to do so, unless this would be impracticable or unlawful.

Timeframe for access and correction requests

Except in the case of more complicated requests, MHFA will endeavour to respond to access and correction requests within 30 days.

What if we refuse your request for access or correction?

If MHFA refuses your access or correction request, or if we refuse to give you access in the manner you requested, MHFA’s policy is to provide you with a written notice setting out:

  • the reasons for our refusal (except to the extent that it would be unreasonable to do so); and
  • available complaint mechanisms.

In addition, if we refuse to correct personal information in the manner you have requested, you may ask us to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, and we will take reasonable steps to associate the statement in such a way that will make it apparent to users of the information.

10. Complaints

If you have a complaint about how MHFA has collected or handled your personal information, please contact our Privacy Officer (details under heading 12 below).

Our Privacy Officer will deal with your complaint and take any steps necessary to investigate and resolve the matter in a timely manner. This may include, for example, gathering the facts, locating and reviewing relevant documents and speaking to relevant individuals.

In most cases, we expect that complaints will be investigated and a response provided within 30 days. If the matter is more complex and our investigation may take longer, we will write and let you know, including letting you know when we expect to provide our response.

Our response will set out:

  • whether in the Privacy Officer’s view there has been a breach of this Privacy Policy or any applicable privacy legislation; and
  • what action, if any, MHFA will take to rectify the situation.

If you are unhappy with our response, you can refer your complaint to the Office of the Australian Information Commissioner. The OAIC can be contacted on 1300 363 992.

11. Retention of personal data

All personal data that has been collected from you by the MHFA will only be kept for a limited duration that is relevant to the purpose for which your personal data is to be used and for as long as required by applicable law.

12. Further information

Please contact the MHFA if you have any queries about the personal information that we hold about you or the way we handle that personal information. Our contact details for privacy queries and complaints are set out below.

Privacy Officer
Level 6, 369 Royal Parade
Parkville VIC 3052
E: [email protected]
P: + 61 3 9079 0200
F: +61 3 9347 3248

13. Changes to this policy

We may amend this Privacy Policy from time to time. The current version will be posted on our website and a copy may be obtained free of charge from our Privacy Officer.

This document was last updated on 5 February 2020