VERSION 1 - LAST UPDATED: 6 JUNE 2014
1 Open and transparent management of personal information
1.1 We will take reasonable steps to implement practices, procedures and systems to comply with the Act, including dealing with inquiries or complaints from You about Our compliance with the Australian Privacy Principles. Please see Section 15 below for procedures for making inquiries, requests or complaints.
a. the kinds of personal information that We collect and hold;
b. how We collect and hold personal information;
c. the purposes for which We collect, hold, use and disclose personal information;
d. how an individual may access their personal information held by Us and seek the correction of such information;
e. how an individual may complain about a breach of the Australian Privacy Principles, by Us, and how We will deal with such a complaint – currently we will deal with Your complaint as stated in section 15 below;
f. whether We are likely to disclose personal information to overseas recipients; and
g. if We are likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located (if it is practicable to specify those countries here).
2 Anonymity and pseudonymity
2.1 In our dealings with individuals, they will have the option of not identifying themselves, or of using a pseudonym, when dealing with Us in relation to a particular matter, unless Paragraph 2.2 applies.
2.2 Paragraph 2.1 does not apply where:
a. We are required or authorised by or under an Australian law, or a court/tribunal order, to deal only with individuals who have identified themselves; or
b. it is impracticable for Us to deal with individuals who have not identified themselves or who have used a pseudonym, in relation to the matter; this will generally be the case in any financial transaction, any sale of goods or services where we are required by normal accounting practices to record the identity of the other party, and any transaction involving one or more of the following types of entities: a credit provider or a bank or other financial institution; an insurance company; a freight forwarder, or shipping or other transportation contractor; a legal advisor.
3 Collection of solicited personal information
3.2 If at any time We meet the definition of an “organisation” under the Privacy Act 1988, We will not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of Our functions or activities. Please see Section 14 below for the definition of the terms “organisation” and “sensitive information”.
3.3 We will not collect sensitive information about You unless:
a. You consent to the collection of the information and, if we are an organisation—the information is reasonably necessary for one or more of Our functions or activities; or
b. Paragraph 3.4 applies in relation to the information.
3.4 This Paragraph applies in relation to sensitive information about You if:
a. the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or
b. a permitted general situation exists in relation to the collection of the information by Us; or
c. We are an organisation as defined by the Privacy Act and a permitted health situation exists in relation to the collection of the information by Us.
3.5 We will collect personal information only by lawful and fair means.
3.6 Preferably, We will collect personal information about You only from You. If You expressly authorise Us to collect Your personal information from another source, but We can collect the same information from You, we will prefer to obtain that information from You except where it is reasonably necessary to collect it from the third party or where You have directed Us to do that. In an urgent or emergency situation, We may have no alternative other than to source Your personal information, such as contact details, from a third party.
3.7 This Section No.3 applies to the collection of personal information that is solicited by Us. For online payments, this information usually includes purchaser payment data. If payments to us are processed via third parties, we may not normally see or collect payment data other than what is presented in the third party’s statements or reports to us.
4 Dealing with unsolicited personal information
a. We receive Your personal information; and
b. We did not solicit the information;
We must, within a reasonable period after receiving the information, determine whether or not We could have collected the information under policy No.3.
4.2 We may use or disclose the personal information for the purposes of making the determination under Paragraph 4.1.
4.3 If We determine that We could not have collected the personal information, We must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified, except where the Act permits Us to retain the information.
4.4 If We do not destroy or de-identify the information under Paragraph 4.3, Policies 5 to 13 will apply in relation to the information in the same way as information collected under Section 3.
5 Notification of the collection of personal information
5.1 At the time that We collect Your personal information, wherever reasonably practicable, We will:
a. notify You of the matters described in Paragraph 5.2; or
b. otherwise ensure that You are aware of those matters.
5.2 The relevant matters are:
a. Our identity and contact details;
b. that We collect Your information, either from You or from another party;
c. whether we are collecting the information to comply with a law; and
d. any other matters described in Paragraph 1.4 not covered at a to c above.
6 Use or disclosure of personal information
6.1 If We hold Your personal information because it was collected for one purpose (the primary purpose), We will not use or disclose it for another purpose (the secondary purpose) unless:
a. You have consented; or
b. paragraphs 6.2 or 6.3 apply.
Note: Section 8 applies to the disclosure of personal information to a person who is not located in Australia.
6.2 The Act permits us to use or disclose Your personal information for secondary purposes in certain circumstances. For example, we may do so if it is reasonable for us to assume you would consent to that use or disclosure.
6.3 In some circumstances, the Act requires us to de-identify Your personal information before using or disclosing it for a secondary purpose.
6.4 If We use or disclose personal information in accordance with Paragraph 6.2, We will record the use or disclosure.
6.5 If We acquire Your personal information from a related body corporate, We will treat it as personal information We have collected Ourselves.
6.6 This Section 6 does not apply to the use or disclosure by Us, if we are an organisation within the meaning of the Privacy Act, of:
a. personal information for the purpose of direct marketing; or
b. government-related identifiers.
7 Direct marketing
7.1 If We hold Your personal information, We must not use or disclose the information for the purpose of direct marketing, except as permitted by Paragraph 7.2.
7.2 Despite Paragraph 7.1, We may use or disclose Your personal information (other than sensitive information) for the purpose of direct marketing if:
a. We have collected the information from You; and
b. You would reasonably expect Us to use or disclose the information for that purpose; and
c. We provide a simple method for You to request not to receive direct marketing communications from Us; and
d. You have not made such a request to Us.
7.3 Despite Paragraph 7.1, if We are an organisation within the meaning of the Act, We may use or disclose Your personal information (other than sensitive information) for the purpose of direct marketing if:
a. We have collected the information from You;
b. You would reasonably expect Us to use or disclose the information for that purpose;
c. You have consented to the use or disclosure of the information for that purpose; or it is impracticable to obtain that consent; and
d. We provide a simple means by which You may easily request not to receive direct marketing communications from Us; and
e. in each direct marketing communication with You:
i. We include a prominent statement that You may make such a request; or
ii. We otherwise draw Your attention to the fact that You may make such a request; and
f. You have not made such a request to Us.
7.4 Despite Paragraph 7.1, if We are an organisation We may use or disclose Your sensitive information for the purpose of direct marketing if You have consented to the use or disclosure of the information for that purpose.
7.5 Despite Paragraph 7.1, if We are an organisation within the meaning of the Act, We may use or disclose Your personal information for the purpose of direct marketing if We are a contracted service provider for a Commonwealth contract; and
a. We have collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
b. the use or disclosure is necessary to meet (directly or indirectly) such an obligation.
7.6 If We are an organisation within the meaning of the Act and We use or disclose personal information about You:
a. for the purpose of direct marketing by Us; or
b. for the purpose of facilitating direct marketing by other organisations;
You may:
c. if sub-paragraph (a) applies—request not to receive direct marketing communications from Us; and
d. if sub-paragraph (b) applies—request Us not to use or disclose the information to facilitate direct marketing by other organisations; and
e. request Us to provide the source of the information.
7.7 If You make a request under Paragraph 7.6, We will not charge You for the making of, or giving effect to, the request and:
a. if the request is as described in paragraphs 7.6(c) or (d)—We will give effect to the request within a reasonable period; and
b. if the request is as described in Paragraph 7.6(e)—We will, within a reasonable period, notify You of the information’s source unless doing so is impracticable or unreasonable.
7.8 This Section No.7 does not apply to the extent that any of the following apply:
a. the Do Not Call Register Act 2006;
b. the Spam Act 2003; and
c. any other law applied by the Privacy Act.
8 Cross-border disclosure of personal information
8.1 Before We disclose personal information about You to a person (the overseas recipient):
a. who is not in Australia (including an external Territory); and
b. who is not Us or You;
We must take whatever steps are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Principle 1) in relation to the information.
Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C of the Privacy Act, to have been done, or engaged in, by Us and to be a breach of the Australian Privacy Principles.
8.2 Paragraph 8.1 does not apply to the disclosure of Your personal information by Us to the overseas recipient if:
a. We reasonably believe that:
i. the recipient is subject to a law, or a binding scheme, that effectively protects the information in a substantially similar way to the Australian Privacy Principles; and
ii. there are mechanisms that You can access to enforce the protection of the law or binding scheme; or
b. both of the following apply:
i. We give you the opportunity to consent to the disclosure of the information, and you so consent; and
ii. We inform You that, because of Your consent, Paragraph 8.1 will not apply; or
c. the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
d. the Act otherwise authorises the disclosure. Note: section 16A of the Act authorises disclosure in certain circumstances.
9 Adoption, use or disclosure of government-related identifiers
9.1 We will not adopt a government-related identifier issued to You, such as Your Medicare number, as Our identifier for You unless that action is expressly authorised by law.
10 Quality of personal information
10.1 We will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that We collect is accurate, up-to-date and complete.
10.2 We will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that We use or disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
10.3 We request that You assist Us to keep Your personal information accurate and up to date by alerting Us to any errors or other problems in a timely manner. Please refer to Section 15 below for instructions on how to contact Us.
11 Security of personal information
11.1 If We hold personal information, We will take such steps as are reasonable in the circumstances to protect the information:
a. from misuse, interference and loss; and
b. from unauthorised access, modification or disclosure.
a. We hold personal information about You; and
b. We no longer need the information for any purpose for which the information may be used or disclosed by Us under the Act; and
c. the information is not contained in a Commonwealth record; and
d. We are not required by or under an Australian law, or a court/tribunal order, to retain the information;
We will take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
12 Access to personal information
12.1 If We hold Your personal information, We will, on Your request, give You access to the information.
12.2 If We refuse:
a. to give You access to the personal information; or
b. to give You access in the manner You request;
We will take such steps (if any) as are reasonable in the circumstances to give You access in a way that meets Your needs and Ours.
12.3 Without limiting Paragraph 12.1, access to Your personal information may be given through a mutually agreed intermediary.
12.4 If We charge You to access Your personal information, the charge will not be excessive and will not apply to the making of the request. Currently, Our policy is to request You to pay a reasonable administration fee where Your request will involve more than a negligible amount of time, effort or expense to retrieve and provide You with Your requested personal information. Any fees that We request are proportional to the amount of time, effort and expense involved in meeting Your request, and are intended to do no more than defray the relevant costs.
12.5 If We refuse to give You access to personal information, or to give access in the manner requested by You, We will give You a written explanation of:
a. the reasons for the refusal (except where it is not reasonably necessary to explain those reasons in any further detail); and
b. how you can complain about the refusal; and
c. any other matter required by the Act.
12.6 We can refuse to give You access to Your personal information on grounds of commercial sensitivity where that reason is permitted by the Act.
13 Correction of personal information
a. We hold Your personal information; and
i. We are satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; or
ii. You request Us to correct the information;
We will take such reasonable steps (if any) to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
a. We correct Your personal information that We previously disclosed to another entity; and
b. You request Us to notify the other entity of the correction;
We will take reasonable steps to give that notification except where impracticable.
13.3 If We refuse to notify another entity of a correction of personal information as requested by You, We will give You an explanation of:
a. the reasons for the refusal (except where it is not reasonably necessary to explain those reasons in any further detail); and
b. how You can complain about the refusal; and
c. any other matter required by the Act.
a. We refuse to correct Your personal information as requested by You; and
b. You request Us to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;
We will take such reasonable steps as are necessary to associate the statement in a way that makes the statement visible to users of the information.
13.5 If a request is made as described in paragraphs 13.1 or 13.4, We:
a. must respond to the request within a reasonable time; and
b. must not charge You for making the request, for correcting the personal information or for associating a statement with the information (as the case may be).
13.6 You can communicate with Us regarding any correction that you seek to Your personal information via the methods set out in Section 15 below.
14.1 Definition of personal information
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a. whether the information or opinion is true or not; and
b. whether the information or opinion is recorded in a material form or not.
14.2 Definition of sensitive information
Sensitive information means:
a. information or an opinion about an individual’s:
i. racial or ethnic origin; or
ii. political opinions; or
iii. membership of a political association; or
iv. religious beliefs or affiliations; or
v. philosophical beliefs; or
vi. membership of a professional or trade association; or
vii. membership of a trade union; or
viii. sexual orientation or practices; or
ix. criminal record;
that is also personal information; or
b. health information about an individual; or
c. genetic information about an individual that is not otherwise health information; or
d. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
e. biometric templates.
14.3 Definition of “Organisation”
(a) an individual; or
(b) a body corporate; or
(c) a partnership; or
(d) any other unincorporated association; or
(e) a trust;
that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.
Note: Regulations may prescribe an instrumentality by reference to one or more classes of instrumentality. See subsection 13(3) of the Legislative Instruments Act 2003.
Example: Regulations may prescribe an instrumentality of a State or Territory that is an incorporated company, society or association and therefore not a State or Territory authority.
A legal person can have a number of different capacities in which the person does things. In each of those capacities, the person is taken to be a different organisation.
Example: In addition to his or her personal capacity, an individual may be the trustee of one or more trusts. In his or her personal capacity, he or she is one organisation. As trustee of each trust, he or she is a different organisation.
14.4 Definitions of “permitted general situation” and “permitted health situation”
The “permitted general situations” are the seven situations defined by s.16A of the Act, namely:
• lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety (see APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d))
• taking appropriate action in relation to suspected unlawful activity or serious misconduct (see APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d))
• locating a person reported as missing (see APPs 3.4(c), 6.2(c) and 8.2(d))
• asserting a legal or equitable claim (see APPs 3.4(c) and 6.2(c))
• conducting an alternative dispute resolution process (see APPs 3.4(b) and 6.2(c))
• performing diplomatic or consular functions — this permitted general situation only applies to agencies (see APP 3.4(b), 6.2(c) and 8.2(d))
• conducting specified Defence Force activities — this permitted general situation only applies to the Defence Force (see APP 3.4(b), 6.2(c) and 8.2(d))
The “permitted health situations” are defined in s.16B of the Act and are:
• the collection of health information to provide a health service (s 16B(1)) (see APP 3.4(c))
• the collection of health information for certain research and other purposes (s 16B(2)) (see APP 3.4(c))
• the use or disclosure of health information for certain research and other purposes (s 16B(3)) (see APP 6.2(d))
• the use or disclosure of genetic information (s 16B(4)) (see APP 6.2(d))
• the disclosure of health information for a secondary purpose to a responsible person for an individual (s 16B(5)) (see APP 6.2(d)).
15.1 If You have any inquiry, complaint, or request for access to Your personal information to make to Us, please direct it to:
HELENA ZIELINSKI (ABN 77 140 667 012) trading as LAKE VESSEL, PO Box 417, Mundaring, Western Australia, 6073, Australia.
15.2 We prefer communications by e-mail. Please send Your e-mail to: firstname.lastname@example.org