This policy states DA’s commitment to safeguarding the confidentiality and integrity of the personal or sensitive information it may collect, process and store at any time in respect of any individual in accordance with the requirements of the Privacy Act 1988 (Cth). It also:
- sets out the rights and responsibilities of DA employees
- requires DA employees to understand how personal information is defined and to be aware of the applicable privacy protection principles in performing their work; and
- defines the obligations of DA’s contractors, third parties, business partners and vendors in relation to privacy.
Personal Information Definition
The Privacy Act 1988 (Cth) [compilation date 6 November 2018] defines personal information as:
- “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.”
The Privacy Act 1988 (Cth) defines the identifier of an individual as:
- “a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual, but does not include:
- the individual’s name; or
- the individual’s ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999); or
- anything else prescribed by the regulations.”
Common examples of an identifier are a Bank Account Number, a Tax File Number or Medicare Number.
Further, identification information about an individual is defined as:
- “the individual’s full name; or
- an alias or previous name of the individual; or
- the individual’s date of birth; or
- the individual’s sex; or
- the individual’s current or last known address, and 2 previous addresses (if any); or
- the name of the individual’s current or last known employer; or
- if the individual holds a driver’s licence, the individual’s driver’s licence number.”
In addition to personal information, the Act also defines a subset of personal information called sensitive information. Sensitive personal information is generally given a higher level of protection under the Privacy Act than other personal information. Examples include an individual’s health, genetic and biometric information, and information about an individual’s race or ethnicity, political opinions or associations, religious or philosophical beliefs, sexual orientation or criminal record.
Roles and Responsibilities
All Data Action employees and contractors are responsible for adhering to this policy and the requirements of the Privacy Act 1988 (Cth).
Personal Information Collection
Data Action will only collect personal information by lawful means, without being unreasonably intrusive, for the purposes related to the business function or activity.
The types of personal information collected include the following:
- Personal information supplied when contacting Data Action via email or information submitted through the “Contact Us” form or our website;
- Personal information supplied via telephone, facsimile, email or post;
- Personal information collected by our customers from their members, employees and suppliers held on databases located at one of our business operations centres;
- Data Action employee information used for the selection, employment, appraisal and remuneration of employees. The detail collected may include individual’s full name, the individual’s date of birth, individual’s sex, the individual’s current or last known address, the name of the individual’s current or last known employer, Tax File Number, superannuation and bank details, police check information and health information as required and other details about the individual;
- Personal information on the Directors or employees of our business partners, customers and suppliers. The detail collected may, amongst other information, include name, address and sex.
We will endeavour to collect personal information directly from the individual. However, in the course of operating our business, we may collect personal information from third parties such as suppliers, recruitment agencies, contractors, our clients and business partners.
Non-Disclosure of Personal Information
Data Action contractors and third parties, business partners and vendors may require access to our customer data on a daily basis in the conduct of their business operations.
All contractors and third parties, vendors and business partners are required to sign a Non-Disclosure Agreement(s) prior to commencement of contractual obligations and are bound to keep data confidential and may not use it for any purpose other than to fulfil their function.
All Data Action employees are required to sign and comply with confidentiality clauses as part of their employment contracts.
Use of Personal Information
Data Action will limit the collection and use of any personal data for the primary purpose for which it was collected, except:
- where the purpose is related to the main purpose and is that which is assumed necessary for valid business purposes; and
- where our customer consents to us using it for any purpose to meet customer business requirements; and
- where personal information may be subject to disclosure to government agencies pursuant to judicial proceeding, court order or legal process.
Data Action is the custodian of its customers’ data and is not responsible for the type and use of the data collected, processed and stored by its customers.
Data Action does not sell or trade personal identification information with others.
Quality and Security of Personal Information
DA will take all reasonable steps to ensure:
- personal information is accurate, up to date and complete; and
- protection of personal information from misuse, interference and loss or from unauthorised access, modification, disclosure or other misuse.
Access to information stored electronically is restricted to employees whose job purpose requires access.
DA uses secure methods to destroy or de-identify any personal information when the law permits, provided the information is no longer needed by us or our customers for any purpose.
When the Data Action website is visited, information such as date and time, server IP address, pages accessed, browser type and time spent may be recorded. This data is used for statistical purposes and cannot personally identify an individual.
Access and Correction of Personal Information
Individuals have a right to request access to their personal information and to request that it is corrected if it is out of date or incorrect.
A reason is not required when requesting access to personal information. However, identification may be required before the personal information is released. A reasonable fee may be charged if providing access is manifestly unfounded, excessive, or requires a significant amount of time in order to provide it in an appropriate format.
Our Privacy Officer can be contacted in order to request access or correction of personal information. These requests will be addressed in a timely manner, and if we are unable to provide access, we will inform the requestor of the reason for the decision.
Data Action will not provide access to, or correct, personal information collected by our customers from their members, employees and suppliers, except for accepted business as usual activities, or as directed by the client in writing, or unless as directed by law.
Data Action employees can access and update their personal information through Payroll Self Service or by contacting Human Resources, to ensure that, having regard to the purpose for which it is held, the information is accurate, current, complete, relevant and not misleading.
Where Human Resources refuse access to personal information, the employee must be provided the reasons for the refusal in writing which includes:
- the reasons for the refusal except to the extent that it would be unreasonable to do so; and
- the mechanisms available to complain about the refusal; and
- any other matter prescribed by the regulations.
Data Action is committed to dealing with complaints in relation to privacy and resolving issues in a reasonable timeframe.
If there are, at any time, questions or complaints in relation to privacy, please contact our Privacy Officer.
Any privacy related complaints by our customers in relation to the services we provide should be logged via the standard support channel. Data Action employees or contractors should direct any privacy related complaint to Human Resources.
If you are not satisfied with the handling of the complaint, you may refer your concerns to the Office of the Australian Information Commissioner at www.oaic.gov.au or on 1300 363 992.