ALGA is committed to complying with the Privacy Act 1988 and the Australian Privacy Principles in relation to all personal information that it collects, and this commitment is demonstrated in this Policy. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 incorporates the Australian Privacy Principles, and personal information collected and held by ALGA will be treated in accordance with those principles, including the increased requirements that came into effect in March 2014.
This policy outlines the broad controls which ALGA has adopted to govern the way it collects and uses personal information, the circumstances in which it might disclose personal information to third parties, how individuals can access their personal information held by ALGA and the process for dealing with any complaints or issues regarding ALGA’s treatment of an individual’s personal information.
ALGA acknowledges that this policy relates to ALGA only and that its members (including mutuals) are responsible, through their respective governance structures, for maintaining their individual privacy policies.
“Personal Information” means information or an opinion, about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
The Australian Privacy Principles (APP) (full details can be found in Privacy Act 1988 Schedule 1) can be broadly categorised into the following groups:
- Consideration of personal information privacy
- Collection of personal information
- Dealing with personal information
- Integrity of personal information
- Access to and correction of personal information
3. WHO DOES THIS POLICY APPLY TO?
This Policy applies to any individuals in respect of whom ALGA currently holds, or may in the future collect, personal information.
4. PERSONAL INFORMATION AND ALGA
4.1 Collecting your personal information
We may only collect personal information if it is necessary for one or more of our functions or activities. The way we collect personal information must be lawful, fair and not unreasonably intrusive. ALGA uses information that is collected directly from the individual, the entity that employs or engages the individual, or from our service providers who have collected the information directly from the individual or entity.
The type of personal information we collect includes, but is not limited to:
(a) the name and contact details of ALGA conference and seminar attendees;
(b) the name and contact details of individuals who seek employment with ALGA including employment experience, qualifications and other information provided by applicants;
(c) the name and contact details of individuals who purchase goods or services from us;
(d) the name and contact details of individuals (including members) who contact ALGA seeking information or assistance;
(e) credit card and bank account information for payment of invoices;
(f) the name and contact details of individuals that are members of Reference and Advisory groups;
(g) the name and contact details of individuals who represent ALGA on external committees;
(h) the name and contact details of individuals who access information made available by us through electronic means such as the internet;
(i) the name of individuals and entities that are classified as related parties to our key management personnel (KMP);
(j) the information preferences nominated by individuals and expressed to us in writing; and
(k) historical financial data about specific transactions entered into between individuals and ALGA.
5. COLLECTION OF INFORMATION ON WEB SITE ACTIVITY
For statistical purposes, we collect information on web site activity (such as the number of users who visit the web site, the date and time of the visits, the number of pages viewed and navigation patterns) through the use of ‘cookies’. This information on its own does not identify an individual, but it does provide us with statistics that we can use to analyse and improve our web site. Cookies allow computers to identify and interact more effectively. Cookies are generated when users log onto the ALGA website at http://alga.asn.au, to facilitate authorisation into some services. However, ALGA does not use the cookies to collect data about ALGA website users. Most internet browsers are set up to accept cookies. If you do not wish to receive cookies, you may be able to change the settings of your browser to refuse all cookies or to notify you each time a cookie is sent to your computer, giving you the choice whether to accept it or not.
6. USE & DISCLOSURE OF PERSONAL INFORMATION
6.1 Holding your personal information
We must take reasonable steps to:
(a) protect the personal information we hold from misuse and loss and from unauthorised access, modification or disclosure; and
(b) destroy personal information if it is no longer needed for the purpose for which it was originally obtained.
ALGA uses physical and electronic security measures including restricting physical access to its offices, firewalls and secure databases to keep personal information secure. ALGA also destroys or permanently de-identifies personal identification which is no longer needed for the purpose for which it was originally collected. ALGA typically keeps records for its reporting obligations for seven years.
6.2 Using and disclosing your personal information
The purposes for which we collect information include organising conferences and seminars, responding to questions and circulating our newsletter.
We may disclose personal information for the purpose for which it was collected. We may disclose personal information to our service providers in order to deliver you the services requested.
We must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection unless:
(a) the individual would reasonably expect us to use or disclose the information for the other purpose and the secondary purpose relates to the primary purpose;
(b) the individual has consented to the use or disclosure;
(c) the use of the information is for the secondary purpose of direct marketing, and an opportunity has been provided to the individual to decline the use of the information for direct marketing purposes; or
(d) it is reasonably necessary for the information to be used or disclosed in the public interest or for law enforcement or public safety purposes.
We may use your personal information for the purpose of direct marketing only where we have collected the personal information from the individual, the individual would reasonably expect us to use or disclose the information for that purpose and the individual has not made a request to cease the communication.
An individual is entitled to request not to receive direct marketing communications from us by contacting our Privacy Officer.
ALGA does not have any business requirements relating to overseas parties and therefore is not likely to be disclosing personal information to any overseas recipient. However, we may disclose personal information to overseas recipients where:
(a) we have your consent;
(b) the disclosure is required by law; or
(c) the disclosure is reasonably necessary to assist a law enforcement agency.
6.3 Accessing your personal information
Any individual in respect of whom we hold personal information has the right to access and correct the information. Except in circumstances specified in APP 12.3, individuals are allowed to inspect the personal information we hold about them, take notes about the information or obtain and keep copies of the information. If we need to refuse a request either for access to personal information or the manner in which the information is being sought, the individual will be informed of this. Generally, this will only be in circumstances where providing access would be unlawful or contrary to the legislation. If an individual wants to access personal information, the request for access should be directed in writing to:
The Privacy Officer
8 Geils Court
Deakin ACT 2600
* Please note that an administration fee may apply for the provision of information *
6.4 Correcting your personal information
Individuals have the right to request a correction to any personal information held by ALGA. The details of the correction should be directed to:
The Privacy Officer
8 Geils Court
Deakin ACT 2600
All corrections will be actioned within 5 business days. We may, in limited circumstances permitted by the Privacy Act, refuse to correct the information. If we refuse, you will be informed of this. All correspondence will be treated confidentially.
7. NOTIFIABLE DATA BREACH
7.1 Eligible Data Breach
An eligible data breach is unauthorised access or disclosure of information, or loss of information, that a reasonable person would conclude is likely to result in serious harm to any individuals to whom the information relates.
7.2 Suspected Eligible Data Breach
There may be reasonable grounds for us to suspect there has been a data breach and we will take all reasonable steps to carry out an assessment as soon as practicable and within 30 days after we become aware of the suspected breach as to whether or not the data breach is an eligible data breach.
7.3 Notification of Eligible Data Breach
(a) If there are reasonable grounds for us to believe that there has been an eligible data breach, and no exception under the Act applies, then we will prepare a written statement including:
(i) a description of the eligible data breach;
(ii) the kinds of information concerned; and
(iii) recommendations about the steps that individuals should take in response to the eligible data breach.
(b) If there is an eligible data breach of more than one entity, we will set out the details of those other entities in the manner described above.
(c) We will provide this statement to the Office of the Australian Information Commissioner (the Commissioner) and (if required by the Act) we will then notify the contents of the statement to each of the individuals to whom the relevant information relates and to individuals who are at significant risk from the eligible data breach.
(d) If it is not practical to contact you in this way, we may publish the statement on our website.
7.4 Exceptions to an Eligible Data Breach
There are exceptions under the Act which may not require us to notify individual/s of an eligible data breach. For example, where we have taken action before any serious harm occurs or before any unauthorised access or disclosure occurs, or where the Commissioner has declared that we are not required to give any notification.
8.1 Contacting ALGA
If an individual has a complaint concerning personal information held by ALGA, the complaint should be directed to:
The Privacy Officer,
8 Geils Court
Deakin ACT 2600
All complaints will be reviewed by our Privacy Officer and will be responded to within 30 days. You will be kept up to date with the progress of your matter and notified of any action identified to be undertaken. All complaints will be treated confidentially.
3 March 2019