On 12 March 2014 the Australian Privacy Principles (the Principles) entered into force. The Principles are found in Schedule 1 of the Privacy Act 1988 (Cth) (the Act). The Principles establish requirements for the way organisations collect, store and use an individual’s personal information. Industry Risk is subject to the Principles and is committed to the protection of individuals’ privacy in accordance with the Principles.
The Policy applies to personal information individuals provide to Industry Risk, whether that information is provided under any agreement, at Industry Risk’s offices, through its website, or through email, telephone or other communication with Industry Risk’s employees or agents.
1. Collection of Information
Collection of Personal Information
Industry Risk may collect the following kinds of personal information from a client’s representative(s):
- their full name;
- their employer and role;
- their contact details, including a postal and a work address, email address and telephone number(s);
- other personal information reasonably necessary for one or more of Industry Risk’s Purposes set out in clause 3 of this Policy;
- records and content of any communications between the client’s representatives and Industry Risk; and
- online tracking details obtained through ‘cookies’.
Industry Risk will only collect personal information by lawful and fair means and where that information is reasonably necessary for one or more of Industry Risk’s functions or activities, as identified in Industry Risk’s Purposes at clause 3 of the Policy.
Industry Risk generally collects the personal information at subclauses 1(a) through (f) from individuals with their consent. Industry Risk will only collect personal information from a third party where it is unreasonable or impractical to collect the information directly from the client. Such third parties include organisations that maintain publicly accessible or fee-for-access records.
Collection of Sensitive Information
Sensitive information is defined in the Act as information about an individual’s ethnic origin, beliefs (whether political, religious or philosophical), sexual orientation, criminal history, health, genetics and membership of political or trade associations. Industry Risk is not in the business of collecting such information.
2. Storage of, and Access to, Personal Information
Storage and Security of Personal Information
Industry Risk strives to provide an environment which ensures that personal information is stored in a secure and confidential manner. Industry Risk employs a two-fold system for the storage of personal information. Personal information is securely stored in cloud-based business systems, and in hard copy documents in physical file(s) at our offices. Industry Risk has systems in place for the security of both its computer network and business premises.
Industry Risk will take such steps as are reasonable in the circumstances to protect the personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
In circumstances where Industry Risk is no longer actively working with an individual and no longer needs the information for any of its Purposes, those files are securely stored for a period of seven (7) years. Only authorised Industry Risk employees are permitted to access these storage facilities.
Destruction of Personal Information
Industry Risk ensures that personal information about an individual that has not been used or disclosed for a period of seven (7) years is destroyed.
Access to, and Correction of, Personal Information
An individual is entitled to request access to the personal information that Industry Risk holds about him or her by making a request to Industry Risk’s Privacy Officer, using the contact details specified at clause 6. Industry Risk must respond to the request and provide access to the information within a reasonable time. There will be no charges associated with the making of such a request or the subsequent provision of information.
Despite the above paragraph, Industry Risk is not required to give the individual access to personal information if any of the circumstances detailed in clause 12.3 of Schedule 1 of the Act exist.
Where an individual requests Industry Risk to correct the personal information it holds about that individual, Industry Risk must take such steps (if any) as are reasonable in the circumstances to correct the information. Industry Risk is entitled to refuse to correct the personal information, provided Industry Risk gives the individual a written notice containing the reasons for the refusal.
Where Industry Risk is satisfied that the information it holds about an individual is inaccurate, out-of-date, incomplete, irrelevant or misleading, Industry Risk must take such steps (if any) as are reasonable in the circumstances to correct the information.
3. The Purposes for which Personal Information is Collected
Industry Risk collects the personal information at subclauses 1(a) through (f) only to the extent that such information is reasonably necessary for, or directly related to, one or more of Industry Risk’s Purposes.
The “Purposes” of Industry Risk include (but are not limited to) the following functions and activities:
- the provision of security and business resilience consulting advice to an individual or to a company which the individual represents;
- to consider making offers of employment or to maintain details of Industry Risk’s existing employees;
- the receipt of services by an organisation or its employees;
- the provision of information on security and business resilience matters, whether through Industry Risk’s periodic marketing correspondence, seminars or other marketing events; and
- subscribing an individual to software services/products that the company offers.
4. Disclosure of Personal Information
Disclosure of Information within Australia
For Industry Risk to carry out any one or more of the Purposes, it may be necessary for Industry Risk to disclose personal information to close suppliers who play a part in facilitation of services to a client and/or their representative(s).
Industry Risk must only use or disclose personal information for the Purpose or Purposes for which it was collected. Industry Risk must not use or disclose personal information for any other purpose (a secondary purpose) unless:
- the relevant individual consents to that use or disclosure of the information;
- the individual would reasonably expect Industry Risk to use or disclose the information for the secondary purpose and the secondary purpose is related to one or more of the Purposes;
- the use or disclosure of the information is required or authorised by or under an Australian Law;
- a permitted general situation exists as defined in clause 1 of the Policy; or
- Industry Risk reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by an enforcement body.
Disclosure of Information outside Australia
Industry Risk may only disclose personal information to a person or entity that is not in Australia (the Overseas Recipient) without that client’s representative’s consent in circumstances where:
- Industry Risk reasonably believes that the Overseas Recipient is subject to a law that affords protection of personal information that is substantially similar to the protection afforded under the Act and Industry Risk can enforce such protection under the overseas law; or
- Industry Risk takes reasonable steps to ensure that the Overseas Recipient acts in accordance with the Principles in relation to the storage, use and disclosure of the personal information.
5. Direct Marketing
Direct marketing occurs where entities use the personal information they collect to market related or other goods and services to the individual who provided the information. A common example is where an organisation emails individuals a monthly newsletter.
Industry Risk may use or disclose personal information for direct marketing only where Industry Risk collected the personal information from the individual, the individual would reasonably expect Industry Risk to use or disclose the information for that purpose and the individual has not made a request pursuant to the below paragraph.
Requests not to receive Direct Marketing
An individual is entitled to request not to receive direct marketing communications from Industry Risk by contacting Industry Risk’s Privacy Officer, using the contact details specified at clause 6. Industry Risk will give effect to any such request.
6. Contact Details
Should you have any queries about the Policy or the Principles, or wish to lodge a complaint about a potential breach of the Principles by Industry Risk, please contact Industry Risk’s Privacy Officer using the contact details listed below.
Industry Risk Pty Ltd
Level 40 Northpoint Tower
NORTH SYDNEY NSW 2060
Phone: 1300 299 484
Fax: 02 8078 6999
Email: [email protected]
Industry Risk will endeavour to respond to an individual’s communication within thirty (30) days. Should Industry Risk fail to respond within a thirty-day period, an individual may contact the Office of the Australian Information Commissioner, which can investigate queries or complaints in relation to a potential breach of the Principles.
The Policy may be updated from time to time by Industry Risk as necessary.