1. Introduction
1.2 From time to time, the Australasian Corrosion Association (“the Association”) is required to collect, hold, use and/or disclose personal information relating to individuals (including, but not limited to its employees, members, customers, contractors, and suppliers) in the performance of the Association’s activities.
1.2 Information collected by the Association will, from time to time, be accessible to certain individuals that are employed or engaged by the Association who may be required to use the information in the course of their duties as designated by the Association.
1.3 This document sets out the Association’s policy in relation to the protection of personal information, as defined, under the Privacy Act 1988 (Cth) (the “Act”), which includes the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and the Australian Privacy Principles (“APP”). The APPs regulate the handling of personal information. For New Zealand, the New Zealand Privacy Act 2020 details the protection of personal information.
1.3.1 Further information relating to the Privacy Act is attached as follows:
- Attorney General’s Department on Privacy
- Federal Register of Legislation – Privacy Act
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
- Australian Privacy Principles
- New Zealand Privacy Act 2020
- New Zealand Office of the Privacy Commissioner
1.4 The obligations imposed on the Association under this policy are also imposed on any individual employed or engaged by the Association in a contracted arrangement.
1.5 This policy outlines the Association’s requirements and expectations in relation to the handling of personal information.
2. Scope
2.1 This policy applies to all Members, independent contractors, consultants, and other workers engaged by the Association and who have access to personal information while performing their duties. This further includes personal information that is provided to the Association by external persons through channels such as the Association’s website, social media, or any other medium in which personal information may be recorded.
2.2 This policy has been developed to protect the personal and professional interests of the Association and interacting parties. No party herein subject to this policy is to exploit or profit from any of its privacy clauses. All the information protected by this policy is strictly confidential. Contravening any of its clauses will result in appropriate disciplinary action where necessary.
3. What is personal information?
3.1 Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
4. What is not personal information?
4.1 An employee or contractor record is a record of any personal information relating to the employment of an employee or contractor. Examples of personal information relating to the employment of employees or contractors include, but are not limited to, health information and information about the engagement, training, disciplining, resignation, termination, and the terms and conditions of employment of an employee or contractor.
4.2 Employees and contractors, including those engaged in a supervisory, operations or human resource capacity, will have access to records that may qualify as personal information. Employees and contractors who have access to records of personal information must ensure that any personal information is handled confidentially and for proper purposes only. Records of personal information are only permitted to be collected, used, and disclosed where the act of doing so is directly related to a current or former employment relationship. Any records accrued or retained by the Association, whether relating to employees, contractors, volunteers, clients, or any other sensitive body, are only to be used with the full consent of that person.
4.3 Employees and contractors who have access to records of personal information and who may have a question about the use or disclosure of these records should contact the Executive Officer for clarification.
5. Kinds of information that the Association collects and holds.
5.1 The Association collects personal information that is reasonably necessary for one or more of its functions or activities. The Association will consent to collect this information where obligated.
5.2 The type of information that the Association collects and holds may depend on an individual’s relationship with the Association. Examples include if the individual is a:
- i. Candidate: if a person is a candidate seeking employment with the Association, the Association may collect and hold information about that candidate, including the candidate’s name, address, email address, contact telephone number, gender, age, employment history, references, resume, medical history, emergency contact, taxation details, qualifications, and payment details.
- ii. Customer: if a person is a customer of the Association, the Association may collect and hold information including the customer’s name, address, email address, contact telephone number, gender and age and other sensitive information.
- iii. Supplier: if a person or business is a supplier of the Association, the Association may collect and hold information about the supplier including the supplier’s name, address, email address, contact telephone number, business records, billing information and information about goods and services supplied by the supplier.
- iv. Referee: if a person is a referee of a candidate being considered for employment by the Association, the Association may collect and hold information including the referee’s name, contact details, current employment information and professional opinion of the candidate.
- v. Sensitive information: the Association will only collect sensitive information where an individual consents to the collection of the information and the information is reasonably necessary for one or more of the Association’s functions or activities. Sensitive information includes, but is not limited to, information or an opinion about racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, membership of a trade union, sexual preferences, criminal record, health information or genetic information.
6. How the Association collects and holds personal information.
6.1 The Association will collect personal information only by lawful and fair means.
6.2 The Association may collect personal information through several means, including without limitation:
- i. through application forms, including job applications, Membership applications and renewals, and VIP and loyalty program applications;
- ii. by email or other similar forms of communication;
- iii. telephone calls;
- iv. in person;
- v. through transactions;
- vi. through the Association’s and Conference’s website;
- vii. through lawful surveillance means such as surveillance cameras;
- viii. by technology that is used to support communications between individuals and the Association, such as social media and advocacy campaigns;
- ix. through publicly available information; and,
- x. direct marketing database providers.
6.3 When the Association collects personal information about an individual through publicly available information sources it will manage such information in accordance with the APPs.
6.4 When the Association collects personal information, as soon as it is reasonably practical, the Association will take such steps as are reasonable to either notify the individual or otherwise ensure that the individual is made aware of:
- i. the identity and contact details of the Association;
- ii. that the Association has collected personal information from someone other than the individual;
- iii. where applicable, that the collection of the personal information is required by Australian law;
- iv. the purpose for which the Association has collected the personal information;
- v. the consequences if the Association does not collect some of or all the personal information;
- vi. any other third party to which the Association may legally disclose the personal information collected by the Association;
- vii. that the Association’s privacy policy contains information about how an individual may access and seek correction of personal information held by the Association and how an individual may complain about any breach of the APPs; and
- viii. whether the Association is likely to disclose personal information to overseas recipients and the countries in which those recipients are located.
6.5 Unsolicited personal information is personal information that the Association receives which it did not solicit. Unless the Association determines that it could have collected the personal information in line with the APPs or the information is contained within a Commonwealth record, it will destroy the information to ensure it is deidentified unless the Association determines that it is acceptable for the Association to record the personal information.
7. Use and Disclosure of personal information.
7.1 The main purposes for which the Association may use or disclose personal information may include, but are not limited to:
- i. recruitment functions;
- ii. customer service management;
- iii. training and events;
- iv. surveys and general research;
- v. promotional endeavours; and,
- vi. business relationship management.
7.2 The Association may also collect, hold, use and disclose personal information if an individual consents or if it is required or authorised under law.
7.3 Direct marketing:
- i. the Association may use or disclose personal information other than sensitive information about an individual for the purpose of direct marketing. An example is advising a customer about new goods and services being offered by the Association;
- ii. the Association may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose; and,
- iii. an individual can opt out of receiving direct marketing communications from the Association by contacting the Marketing Department in writing, or if permissible accessing the Association’s website and unsubscribing through the appropriate channels.
8. Disclosure of personal information.
8.1 The Association may disclose personal information for any of the purposes for which it was collected, as indicated under clause 6 of this policy, or where it is under a legal duty to do so.
8.2 Disclosure will usually be internally and to related entities or to third parties such as contracted service suppliers.
8.3 If a Branch Committee Member discloses personal information to a third party in accordance with this policy, the Branch Committee Member must take steps as are reasonable in the circumstances to ensure that the third party does not breach the APPs in relation to the information.
8.4 The Association may be required to disclose personal information to overseas recipients. Before a Branch Committee Member discloses personal information about an individual to an overseas recipient, the Branch Committee Member will take steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the information.
8.5 The country or countries in which overseas recipients are likely to be located include the United States.
9. Access to personal information
9.1 If the Association holds personal information about an individual, the individual may request access to that information by putting the request in writing and sending it to the Chief Executive Officer. The Association will respond to any request within a reasonable period, and a charge may apply for giving access to the personal information where the Association incurs any unreasonable costs in providing the personal information.
9.2 There are certain circumstances in which the Association may refuse to grant an individual access to personal information. In such situations the Association will provide the individual with written notice that sets out:
- i. the reasons for the refusal; and
- ii. the mechanisms available to the individual to make a complaint.
9.3 If you receive such a request, please contact the Executive Officer.
10. Correction of personal information
10.1 If the Association holds personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading, it must take steps as are reasonable to correct or delete the information.
10.2 If the Association holds personal information and an individual makes a request in writing addressed to the Executive Officer to correct the information, the Association will take steps that are reasonable to correct the information and will respond to any request within a reasonable period.
10.3 There are certain circumstances in which the Association may refuse to correct the personal information. In such situations the Association will give the individual written notice that sets out:
- i. the reasons for the refusal; and
- ii. the mechanisms available to the individual to make a complaint.
10.4 If the Association corrects personal information that it has previously supplied to a third party and an individual requests the Association to notify the third party of the correction, the Association will take such steps as are reasonable to give that notification unless it is deemed impracticable or unlawful to do so.
11. Integrity and security of personal information
11.1 The Association will take such steps as are reasonable to ensure that any personal information that it collects is accurate, up-to-date, and complete.
11.2 Employees and contractors must take steps as are reasonable in the circumstances to protect their personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure.
11.3 If the Association holds personal information and it no longer needs the information for any purpose, the information is not contained in any Commonwealth record, and the Association is not required by law to retain the information, the Association will take such steps as are reasonable in the circumstances to destroy the information or to ensure it is deidentified.
11.4 If employees or contractors are unsure whether to retain personal information, they shall contact the Chief Officer to resolve any concerns.
12. Data breaches and Notifiable Data Breaches
12.1 A “Data Breach” occurs where personal information held by the Association is accessed by, or is disclosed to, an unauthorised person or is lost. An example of a Data Breach may include:
- i. Lost or stolen laptops or tablets;
- ii. Lost or stolen mobile phone devices;
- iii. Lost or stolen USB data storage devices;
- iv. Lost or stolen paper records or documents containing personal information relating to employees, members, customers, contractors, and suppliers;
- v. Employees or contractors mistakenly providing personal information to the wrong recipient (e.g. payroll details sent to the wrong address);
- vi. Unauthorised access to personal information by an employee or contractor;
- vii. Employees or contractors providing confidential information to the Association’s competitors;
- viii. Credit card information lost from insecure or stolen files;
- ix. Where a database has been compromised to illegally obtain personal information; and,
- x. Any incident or suspected incident where there is a risk that personal information may be misused or obtained without authority.
12.2 If you are aware of or reasonably suspect a data breach, you should report the actual or suspected data breach to the Executive Officer as soon as practicable and not later than twenty-four hours after becoming aware of the actual or suspected Data Breach.
12.3 A “Notifiable Data Breach” occurs where there is a data breach, and:
- i. a reasonable person would conclude that the unauthorised access or disclosure would likely result in serious harm to the relevant individual (inclusive of harm to their physical or mental well-being, financial loss, or damage to their reputation); or
- ii. in the case of loss, such as leaving an unsecured laptop containing personal information in public, unauthorised access or disclosure of personal information is likely to occur as a result of the data breach, and a reasonable person would conclude that the unauthorised access or disclosure would likely result in demonstrable harm to the relevant individual (inclusive of harm to their physical or mental well-being, financial loss, or damage to their reputation).
12.4 A notifiable data breach does not include a data breach where the Association has been successful in preventing the likely risk of serious harm by taking remedial action.
12.5 If the Association is aware of any actual or suspected data breach, it will conduct a reasonable and expeditious assessment to determine if there are reasonable grounds to believe that the data breach is notifiable or not.
12.6 Subject to any restriction under the Act, if the Association is aware of a notifiable data breach, the Association will prepare a statement outlining details of the breach and notify:
- i. the individual whose personal information was part of the data breach; and
- ii. the Office of the Australian Information Commissioner.
13. Anonymity and Pseudonymity
13.1 Individuals have the option of not identifying themselves, or of using a pseudonym, when dealing with the Association in relation to a particular matter.
This does not apply:
- i. where the Association is required or authorised by or under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or
- ii. where it is impracticable for the Association to deal with individuals who have not identified themselves or who have used a pseudonym.
13.2 If an individual does not provide the Association with the personal information when requested, the Association may not be able to respond to the request or provide the individual/s with the goods or services that they are requesting.
14. Complaints
14.1 Individuals are entitled to contest the Association’s handling of personal information if the individual believes the Association has breached the APPs.
14.2 If an individual wants to make a submission to the Association contesting the handling of personal information, they should first contact the Executive Officer in writing. Submissions will be dealt with in accordance with the Association’s complaints procedure and the Association will provide a response within a reasonable time period.
14.3 Individuals who are dissatisfied with the Association’s response to a complaint may refer it to the Office of the Australian Information Commissioner.
15. Breach of this policy
15.1 Any employees or contractors directed by the Association to do an act under this policy, and which relates to personal information, must ensure that in doing the act they comply with the obligations imposed on the Association. Any employee or contractor directed by the Association who fails to act in accordance with this policy will be deemed to have breached the guidelines it contains and will be subject to disciplinary action, up to and including termination of their employment.