Approved: December 2001
Updated: May 2004
Updated: January 2013
Updated: November 2016
Re-issued: March 2017
THE AUSTRALIAN INDUSTRY GROUP
1. What this Policy is about
Our membership's and clients' commercial confidentiality and the privacy of the individuals in those businesses are important principles for The Australian Industry Group (Ai Group) and our contracts and commercial dealings with third parties are carefully reviewed with regard to safeguarding those interests.
This Policy sets out how Ai Group, through its officers and staff, expressly manages the collection, disclosure, storage and use of personal information (PI) of members, clients, suppliers, contractors and subcontractors and other individuals (including visitors to our websites, forums, and training services), having regard to the Act, the APPs and other relevant statutory requirements. References in this Policy to "you" mean the individual concerned who 'owns' the PI.
Note: This Policy no longer deals with the privacy issues of employees under the Act. Staff should seek further information from the Head of People and Culture. This Policy deals only with the protection of personal data of individuals who are not employees of Ai Group (or any of its related parties).
2. Why NOT to breach privacy laws
Direction on how to treat PI, the consequences of infringing this Policy or the APPs that this Policy seeks to address, and changes to its scope may be issued by the Chief Executive (or with the authority of the National Executive, by the Risk Management Committee) from time to time.
Internally, infringements of statutory requirements and/or significant policy matters could lead to disciplinary action, termination of contract or other lawful actions.
In addition, there are externally enforced consequences: in Australia, serious breaches of privacy legislation can involve the individuals knowingly concerned in the infringement in penalties of more than $100,000 and, for Ai Group itself, the penalty can be $1.7 million.
This Policy and any procedural guides issued in connection with its implementation should be considered in light of affiliated policies and regulatory matters such as the use of emails, the Spam Act, Facebook Protocols (and our social media T&Cs), and even the Do Not Call Act. Most of these may not directly deal with 'personal information' as defined in the Act, but they extend to uses of data that may incidentally include PI.
The personal information collected and used by Ai Group can be provided or used electronically or by conventional methods and the principles of protection outlined in this Policy apply equally to all information mediums.
3. When does Ai Group use PI?
Ai Group is a corporate membership-based not-for-profit. We provide a range of services to our members and third parties focusing on the employer's workplace and its position as a business in industry generally within Australia and internationally. Most of our membership and clientele are companies but nevertheless, regardless of the type of vehicle adopted by our members and other third parties in delivering their own businesses' products and services, when we communicate with any corporate entity, we inevitably are dealing with an individual - a person who embodies the corporate personality and a 'mind' with whom we can engage.
The essence of our business is communication and so we collect the PI of individuals from our websites, our servers (emails) and other electronic means like telecommunication facilities. We also collect it through exchange of business cards, referrals from other individuals, attendance registers and sometimes we purchase databases for particular purposes.
Our related parties provide legal services; training services; and recruitment and labour hire services. Each of them has different obligations because the context of their business and the expectations of their markets demand different approaches to the PI being collected or used.
In every mode of collection or use, we follow the guidelines and rules laid down by the Australian Privacy Principles, and this Policy outlines how we comply. Obviously, our compliance procedures can be overridden by legal process - law enforcement, regulatory intervention, and emergency health or safety issues all take priority to our protocols and procedures.
Our Policy (and the PPS) are subject to updating as the law itself evolves in respect of the protection of all forms of personal data. Our internal compliance units are responsible for the administration of the privacy principles and for securing compliance in our contractual documentation, our modes of communication and marketing and holding third parties who may be providers or suppliers of software or communication services accountable in observing the principles when dealing with data we may have collected or stored.
Ai Group has appointed a Chief Privacy Officer to address enquiries, complaints or concerns about how your personal data is being managed. Contact details can be found at the end of this Policy and through any office of Ai Group.
4. Ai Group's Approach to the APPs
APP 1 - Open and transparent management of PI
Ai Group's primary purpose in collecting personal information is to focus our communications in an orderly and efficient manner so as to deliver our services and respond to our membership's and stakeholders' expectations and needs promptly and efficiently. Our services are based around the exchange of information and advice on industry, workplace and employment related matters affecting businesses in Australia. Most of the personal information about individuals that we collect, in whatever form and from whatever source, is used only so that we can communicate more effectively and efficiently with them, and with numerous clients, contractors, government departments and agencies in the performance of our contractual obligations.
For our membership, both written and electronic application forms and incidental material all contain express details on why we need some personal information concerning the various persons in authority and how we can communicate effectively with that business through its authorised employees or, in some cases, their contractors. Ai Group's constitution also provides for mechanisms that entitle Ai Group to treat persons who are purportedly authorised by their corporate entity (employer) to deal with us as having the requisite authority, and where their employer provides us with the individuals' information, we can safely assume that the employer has obtained the relevant consent from the individual to our collecting and using the information for our membership and related purposes.
Our membership pages on our website and our internal databases and information access facilities all provide individuals whose data is stored and used by us with options to access, remove, alter and update their personal data. All forms of collection facilities like emails, invitations, registration forms, purchase orders and even subscribed marketing material carry the 'unsubscribe' facility. Our Database team has also been trained in the Privacy APPs and the compliance processes, and we have formal internal controls in place to mitigate human error wherever reasonably practicable.
Our information systems have built-in controls wherever possible, and we also have an overlay of monitoring and audit processes: both an in-house team and external providers who are regularly briefed on privacy and data protection issues and are required to implement additional security and controls where needed.
Ai Group's Risk Management Committee, which reports directly to the committee of management (our Board), is also briefed on privacy and data protection issues as they arise, and a risk monitor on privacy is included in the Risk Register.
Ai Group's General Counsel provides updates and advice to the Chief Executive to facilitate training in new policies and procedures and to secure the chain of effective supervision of database and marketing personnel involved in the collection or use of personal data. Our internal corporate documentation including our agreements and arrangements with external persons are subject to regular review and updating. In particular, the recent amendments to the mandatory notification of data breaches introduced to the Privacy Act in early 2017 are being incorporated by way of covenants and warranties in our risk management of those relationships.
APP 2 - Anonymity and pseudonymity
The scope of personal information that may be collected from you includes: names, employment addresses and sometimes home addresses, titles or positions and qualifications you hold or have held, terms of service with employers or others, positions held on other bodies (outside your current employment) including statutory agencies, governments and advisory boards, telephone and mobile numbers, personal relationships (for compliance purposes), and credit card details for payment of a service (see also information on storage and retention rights).
We do not collect tax file numbers or other government identifiers of individuals, except as a legal necessity. If you are an individual carrying on a business, we will collect and use the ABN of that business for our business and tax requirements.
If you want to communicate with us on a particular matter you may ask to remain anonymous or use a pseudonym, but it will rarely be appropriate in your dealings with us due to the nature of the relationship we have with you. We can refuse to deal with you anonymously if we are collecting your personal information, like your real name, because we:
- need to verify membership of or your business relationship with Ai Group and your authority to act on behalf of a subscriber or a purchaser of our services;
- collect it for compliance purposes with any law or regulation;
- need it to properly provide whatever service or advice you are seeking from us and it is impracticable for us to do that using a pseudonym or anonymity;
- need it to verify or assist you with passwords or other security matters or other technical services like internet access;
- need to ensure quality controls within our services; or
- are required or authorised by law or a court or tribunal to identify you.
We only collect the information we need to provide you with the services you seek or are likely to be interested in due to the nature of our relationship. Generally, it's to administer that relationship, whether in membership (and delivery of membership services), or for supplies, acquisitions or disposals of assets or interests, potential clients, contractual or legal compliance and insurance purposes.
With respect to your membership, we are contractually committed to protecting the confidentiality of your business and we implement a number of governance measures to help protect the privacy of the individuals representing our subscribers when dealing with us. For that reason, we need to know that the information or advice we provide is going to the right person within the subscriber entity. Accordingly, it will be only in isolated cases (e.g. when we are doing industry wide surveys) that your personal information can be obscured by anonymity or aliases.
We collect the information in numerous ways - telephone, internet, email, and written correspondence. Other sources of collection of that personal information include:
- registration forms, invitations and expressions of interest forms for briefings, interest groups, training courses
- membership applications, notices, invoices and order forms
- forms and notices for statutory compliance purposes (such as consents to act)
- surveys and questionnaires
- project and consultancy proposals and contracts for services
- telephone enquiries to our offices
- email broadcasts
- business cards
- publicly available directories and publications.
In some cases, we collect it using the services of a formal personal information collection agency or third party. (We will tell you when it comes from someone other than you). Where you provide us with personal information about someone else, you must ensure you have that individual's consent to giving it to us, especially if it is an employee or contractor to you. You should tell them it's going to Ai Group (and its related parties) and that they can get a copy of our PPS on our internet site.
Collection of PI from anyone other than the individual themselves is considered to be 'unsolicited information' which is expressly covered by APP 4.
Our on-line infrastructure facilities such as web browsers, log information collectors and cookies do not collect personal data about individuals. You can disable cookies and opt out of on-line advertising, but there is a risk that in doing so, you and your business may not receive the services you have sought from us or updates or other information pertinent to our relationship with you.
APP 3 - Collecting solicited PI
PI we solicit and collect directly from you, or from another entity about you, can only be the PI that is reasonably necessary for us to do our job for you, for our functions and our activities, and not for someone else's. However, Ai Group also undertakes to deliver a number of government funded programs from time to time on behalf of either a State/Territory or the Commonwealth or one of their agencies. Government agencies are subject to a more stringent test for the collection of PI: the PI must be reasonably necessary for, or directly related to, the agency's functions or activities. That obligation is passed through to Ai Group in the delivery contract between the agency and us. Ai Group cannot use that PI in that circumstance for Ai Group's own purposes or for marketing (see APP 7) without the individual's express consent.
Unless we satisfy one of the statutory exemptions, we cannot collect any sensitive PI without the express consent of the individual. (There are some clear exceptions, such as where the sensitive information is necessary for the safety or health of an individual.) Sensitive information includes racial and religious backgrounds, political and union affiliations, health matters, and the like.
Clearly, we are bound to collect the information by lawful and fair means and this too is built into our procedures and our controls.
A core principle of the APPs and the current legislation is the obligation to collect PI only from the individual concerned unless either there are express exceptions in the Act or it is unreasonable or impracticable to do so.
The APP also distinguishes between collection (which is the gathering, acquiring or obtaining of PI for inclusion in a record or a generally available publication) and solicitation (which involves an entity (us) requesting another entity to provide PI about an individual or to supply information which might ordinarily include PI). A 'request' in this context means any active step to acquire the PI.
Examples of solicited PI collected by us could include:
- personal information provided by an individual in response to a request, direction or order
- personal information about an individual provided by another entity in response to a request, direction, order or arrangement for sharing or transferring information between both entities
- personal information provided at a business meeting, where it relates to the subject matter of the meeting, including business cards exchanged at the meeting
- a completed form or application submitted by an individual
- a record of a credit card payment
- video footage that identifies individuals
- an employment application sent in response to either a job advertisement published by an entity or an expression of interest register maintained by the entity.
Understanding the scope of 'reasonably necessary collection' is also relevant to this Policy. Examples provided by the OAIC of collection that is not reasonably necessary include:
- collecting personal information about a group of individuals, when information is only required for some of those individuals
- collecting more personal information than is actually required for a function or activity. For example, collecting all information entered on an individual's driver licence when the purpose is to establish if the individual is aged 18 years or over
- collecting personal information that is not required for a function or activity but is being entered in a database in case it might be wanted in the future (this is to be distinguished from the situation where personal information is required for a function or activity, but is not being used immediately)
- Ai Group collecting personal information for or on behalf of a related body corporate where the collection of that personal information is not reasonably necessary for our own functions or activities.
One of the important exemptions to apply in APP 3 in respect of the collection of sensitive information is that found in APP 3.4(e), which entitles a non-profit organisation (Ai Group) to collect sensitive information if the information relates to the activities of Ai Group and it relates solely to our membership or to individuals who have regular contact with us in connection with our activities. Given Ai Group's primary business relates to workplace relations and the issues arising between employers and their workforces, any sensitive information will always be collected solely for the purpose of assisting or providing services to our membership and clients in respect of that activity or a closely connected activity (e.g. workplace training requirements dependent on the religious or ethnic needs of the employees concerned).
APP 4 - Unsolicited PI
Sometimes we receive personal information that we have not asked for directly from the individual concerned (unsolicited). When that happens, we will determine whether that information could have been collected directly by us from you. If we could not have collected it directly, and the information is not part of a Commonwealth record (e.g. a document or record held by a government agency, which is very broadly defined by the Archives Act), then we are required to destroy it or de-identify it as soon as practicable (provided that would be lawful and reasonable to do in the circumstances).
Unsolicited information that may be relevant to our relationship with you is any personal information that we receive but have taken no active steps to collect. Examples include:
- misdirected mail
- unsolicited correspondence to us
- an employment application sent to us on your own initiative and not in response to an advertised vacancy
- a promotional flyer containing your personal information that has been sent to us in connection with your business or services.
It is our responsibility to determine if the PI we have collected through any unsolicited means could have been lawfully collected in any of the ways permitted under APP 3. If that is not open to us, then we have to destroy or de-identify the PI as soon as is reasonable unless either:
- we collected it because we are a contracted service provider to the Government and the PI is contained in a Commonwealth record; or
- it would be unlawful or unreasonable to do so.
A complicated set of rules, required by APP 4, follows from our determination about how we collected the unsolicited PI.
Essentially, if the unsolicited PI:
- could have been collected by us under APP 3, or
- is contained in a Commonwealth record, or
- is PI we are not required to destroy or de-identify because it would be unlawful or unreasonable to do so,
then we may be entitled to retain it but we then have to ensure we comply with APPs 5-13. These APPs involve the following issues to be considered and implemented:
- a 'collection notice' under APP 5 may be required to be given to you
- it may only be used or disclosed for the primary purpose for which it was collected unless an exception applies
- we have to ensure that the PI is kept secure and protected
- you are entitled to request access to the PI and to have any of the PI corrected.
Before we use the PI or disclose the PI to anyone else, we have to review the reasons why we are holding it - unless it is contained in a Commonwealth record or cannot be destroyed or de-identified because it would be unlawful or unreasonable to do so - and whether it was collected for our primary purpose.
We also have to be mindful of APP 11: even if all these other conditions are satisfied, we must destroy all PI that is no longer necessary for the purpose for which it was collected (unless, again, it is contained in a Commonwealth record or we are required by or under an Australian law, or a court/tribunal order, to retain the information).
APP 5 - Collection notices
As soon as practicable after we have collected your PI (solicited or unsolicited), APP 5 obliges us to inform you of various matters relating to the PI: the way we protect your PI, the way you can access your PI, and how to contact us or the regulatory authorities in relation to a privacy concern. This is the collection notice and it can be located on our websites, attached to or referenced in application forms, emails, and other modes of collection.
While the circumstances of each 'collection' may require some change to the way we reply to the APP 5 questions from time to time, the following addresses the general ways or 'default' responses to those issues in the absence of any more specific communication:
Who we are and how you can contact us
The Australian Industry Group, or Ai Group, is a not-for-profit organisation of employers incorporated under the relevant Commonwealth Fair Work (Registered Organisations) Act in effect from time to time. This means we are incorporated, but we are not a government agency or a charity or an incorporated association. Our webpage - www.aigroup.com.au - provides you with more detail on who we are.
Our contact details are available from the website or from any communication you have with us. Details of the particular persons with responsibility for the management of the compliance issues of the Privacy Act are set out at the end of this Policy and in the PPS.
How, when and from where is your PI collected?
Unless you are the individual who provided us with the PI (and therefore know when and how we collected it), we will advise you of the how and when, if practicable. We will also tell you where we got it from if our use or disclosure of your PI comes as a surprise to you. Due to the nature of our business, your PI is likely to be collected by us because you are an employee or a representative of a business or employer with whom we are dealing or expecting to deal. Your PI may in those cases have been provided to us by your employer or business, by another business which has had dealings with your business, or as a consequence of our primary purpose (the exchange of information and advice on all industry, workplace and employment related matters through membership or contracted services). Where the PI has been provided to us from a direct source such as another entity that may itself have collected your PI (e.g. a government agency or a marketing firm), then we will take all lawful steps to identify that source for you effectively.
What is the exact content of that PI?
In most cases, the PI will only involve your name, your business title or position and, nowadays, your business email addresses and mobile phone numbers. Depending on the purposes for the collection, we may necessarily have to include, for legal compliance purposes (e.g. if you become an officer of Ai Group), your birthdate and place, home and work addresses, personal mobile telephone numbers or direct landline numbers.
Rarely, we may have to ask for sensitive information like your affiliation or membership of a union, or your health background, in the context of employment and regulatory advice provided as part of our primary purpose. If the information is expressly required by a law or regulation relevant to our purpose, we will identify the law or regulation when we ask for the PI (e.g. in the case of Workplace Health and Safety, Fair Work or Industrial Relations, VET or EBA training). That information is treated separately and more confidentially and is destroyed as soon as it is no longer needed for the purpose. We also require your written consent to the disclosure of PI that contains sensitive information. (See APP 6 for more details).
Why we have to collect it
In most cases, it is self-evident in the context. But as explained in APP 2 above, the nature of our business and the purposes of our communications with you mean it is rare that we will be able to deal with you if you insist on anonymity or use a pseudonym. First, if you represent a member of ours, we have to have the proper details of the person with whom we are dealing to ensure that you are entitled, as an authorised representative of that member, to receive the information or advice from us, or that we can deal with you without breaching confidentiality obligations. If it is compliance related, or has a legal process element to the dealing, then it would not be lawful to pretend you are someone else or to give us an alias.
What are the consequences of you not giving us the PI?
The most obvious reason, as outlined above in paragraph 4, is that if we do not know who you are, how to contact you or how to provide you with the service you or your business seeks from us, or cannot verify it from our records, then either you or your business may not get the relevant information necessary for you to comply with legal process, regulation or other workplace related matters; we cannot keep you up to date with relevant matters; and you or your business may miss out on significant regulatory or government-sponsored activities. In that case, while we do take as many actions as are reasonable and practicable to get the relevant PI, we cannot be liable to you or your business for the consequences of not having relevant and up to date contact details in our records. Those consequences could involve statutory fines, damages or losses arising from contractual, award or other arrangements to which you are a party.
How and in what circumstances would your PI be disclosed?
Disclosure to third persons could include regulatory and other government agencies connected with the subject matter of our dealings with you and contracted service providers who are undertaking a service on our behalf.
How you can access the PI we hold and to whom you can complain - internally and externally
All you need to do to access or correct any of your PI we hold is to contact any office of Ai Group and ask to be put through to our central database manager. All contact details are available on our website. If you are in email contact with Ai Group already, then submit your request to your usual contact and copy email@example.com. If you have a concern or complaint about how your PI is being handled by Ai Group, then you must ask to speak to the Chief Privacy Officer (again, details are available on our website or at the end of this Policy) and again copy or send an email to firstname.lastname@example.org marked PRIVACY - URGENT, and this will be referred internally as appropriate.
Note that APP 5 cannot apply where the collection itself arises in the course of possible litigation or other legal process and disclosure of our collection may jeopardise professional standards, confidentiality or privilege, or put the legal process or any person's health or safety at risk.
APP 6 - Hold, Use, Disclose, and Purpose
If we hold your personal information for a particular purpose, this is the primary purpose and we cannot use it for any other reason (a secondary purpose) unless:
- you have consented to that use or disclosure; or
- you would have reasonably expected it to be used for that secondary purpose.
We will always try to get your consent wherever practicable. We also try not to deal in sensitive information like health or criminal records or matters of that kind unless it is necessary for the service we provide or we are compelled to do so for legal reasons. If we do have to collect your sensitive information, then your written informed consent will be obtained before it is disclosed.
If we collect personal information from one of our related parties, or they collect it from us, then the primary purpose of the collector is considered to be the primary purpose for the related party. In this respect, as outlined in this Policy, our related parties may provide specific expert services in connection with or directly related to our membership services, or they may provide those services directly to one of our clients or customers because it is a necessary part of the relationship we have with that client, subscriber or other person.
However, we cannot share your personal information with our related parties if the purpose involves direct marketing unless you have requested or consented to it.
APP 7 - Direct Marketing
It is important that you be aware that the Act and particularly the APPs prohibit the use or disclosure of personal information for the purpose of direct marketing unless:
- We have collected the data directly from you and you would reasonably expect us to use or disclose it for that purpose. In that case, we will always provide you with an easy way of requesting us not to bother you again with any marketing material: a telephone call, an email, or sometimes an electronic opt out/unsubscribe facility, provided we can verify the caller. We will immediately take steps to remove you from our marketing communications.
- We collected it either:
  - from you (but you would never reasonably expect to receive marketing material from us or for your data to be disclosed for that purpose), or
  - from someone else,
  and in either case you have consented to the use or disclosure, or it is impracticable to get your consent. (In either of these instances we will offer you the same easy means of removing yourself from that marketing list, and we will include a prominent statement in every such communication that you can request to be so removed.)
- We are a contracted service provider to a government agency under a Commonwealth contract, we have collected the personal information for the purpose of meeting our obligations under that contract, and the use of your personal information is in fact necessary to meet that obligation.
In all cases where we use or disclose personal information for the purposes of our own direct marketing, or to facilitate another organisation's direct marketing, and the consent (express or implied) has been obtained in accordance with this APP, you can always request that you be removed from the marketing list and/or ask us not to disclose your data to the other organisation(s) for that purpose, and also require us to tell you where we got the information from. There is no charge for you to exercise this right.
(Note that the Spam Act and the Do Not Call Register Act both continue to apply regardless of the APPs.)
APP 8 - Cross border disclosures
We endeavour to bring cost effective and timely service to our membership and clients, and this necessarily involves us in reviewing our providers and the providers' service deliverables regularly. So, while most of our data presently resides in datacentres in Australia, there may be times when, due to the nature of the transaction you seek with us or the communication facility used, your data is available to overseas recipients. The purpose of these sorts of disclosures is software solutions, help desk support or simply storage, through contracted service providers or facilities we use that include cloud options.
We will take all reasonable steps to find out if any of our telecommunications providers, their contractors or other service providers use cloud or any service that may involve our data (which could include your personal information) being disclosed to overseas recipients, where they are located, and why they may get access if the data is more than simply routed through an offshore provider. These steps are required by APP 8.1. But the reality and practicalities of modern technologies mean that in most cases this is going to be impracticable, as the breadth of service and the subcontracting within specialist fields of service put Ai Group far from the actual datacentre provider.
So, it is imperative that you be aware that by using our telecommunication facilities and specifically internet access, you will be consenting to the possibility of the data we collect for the service transaction or relationship being disclosed overseas and to unknown destinations and in that case, you will have consented to APP8.1 not applying. This covers those cases where we are simply undertaking normal business activity.
Obviously, if we learn of a risky destination, or our providers advise us either of changes they will adopt or want us to adopt to maintain our high standards of security, or that our data may have been put at risk, then we will take all reasonable actions to prevent any continuing infringement of our confidentiality and your privacy. Nevertheless, we cannot guarantee or assure you that there is no risk or that we will be able to take any remedial action.
On the other hand, if the very service or transaction you require from us necessarily involves you providing us with personal data that needs to be sent overseas (e.g. in a trade or international service), then we will be acting as your agent in the transfer, and you will need to be comfortable with the destination of, and the people who will have access to, that information. Where we can help, we will direct you to government sites that may assist you to make an informed decision about your disclosure overseas, but in any case APP 8.1 will expressly not apply to Ai Group. Your consent will be part of the request for us to take the action on your behalf. If you are concerned about the potential for that personal information to be misused overseas and withdraw your consent, then we will be unable to complete the service or activity on your behalf. We cannot be held responsible for the consequences of your decision in that case.
APP 9 - Government identifiers
Ai Group does not use government identifiers (e.g. Medicare numbers, Tax File Numbers, etc.) for the purpose of identification of individuals in our membership or client base. As mentioned earlier, if an individual carries on a business which is registered with an Australian Business Number (ABN) then that ABN will necessarily be stored and used by us for financial and taxation purposes only.
APP 10 - Quality of PI held
APP 11 - Security
APP 12 - Access
APP 13 - Correction
We use strict protocols to guard the integrity and quality of, and access to, the personal information we collect or hold. We review our service providers' contracts to ensure, as far as practicable, that they have implemented security measures appropriate to reasonably protect us and you from misuse, interference and loss, and particularly from unauthorised access, amendment or disclosure. In particular, credit card and financial information is held under strict security until it can be deleted or destroyed: unless you tell us to retain it, we do not keep such information for future transactions.
We have implemented procedures that facilitate the destruction or de-identification of personal information when it is no longer necessary for the purposes for which it was collected (unless it is needed for legal reasons).
Accessing your personal information for verification, amendment or removal can be effected in any of the ways mentioned above, including emailing database management (email@example.com) or a membership executive if appropriate, telephoning any of our offices, writing to the Privacy Officer at Ai Group, or online (if you are an authorised representative of a subscriber).
There is no charge for this service and we promise to action your request as promptly as possible (subject only to the usual qualifications such as legal compulsion or compliance obligations). You should note that some personal data is automatically destroyed or deleted after set periods of time, or as a requirement of a contract or government program. In other cases, archived material may be deleted for reasons of technology, efficiency or storage space. Membership records, including details of persons allocated to fulfil positions on Ai Group's governance boards or committees, are required to be retained under our governing statute as a continuing record of membership even when the subscriber ceases to be part of our membership. Deletion or destruction of a Commonwealth record or a statutory record is not legally permissible without a court order or other due legal process.
PART IIIC - Notifiable breaches
In early 2017 an amendment was made to the Privacy Act to incorporate a new division, Part IIIC, which deals with notifiable breaches. That division will not take effect until 2018. Nevertheless, Ai Group has already instigated internal controls and processes to address the identification and notification rules that will apply to us as an entity subject to the Act. Before the amendments take effect, Ai Group has incorporated a risk management process that seeks to build the principles of mandatory notification of breaches of the Act into new contracts with service providers or anyone who may have access to, control over or management of our databases.
When the finer details of the new Part IIIC regime are published by the OAIC, there may be further amendments made to this Policy and to the relevant PPS. Until then, the following is a snapshot of how notifiable breaches will work for you and how Ai Group (an "affected entity") intends to manage the obligations of the amendments.
- All affected entities must notify 'eligible data breaches' they experience to the Information Commissioner and to relevant individuals in connection with information they hold about the individuals.
- The threshold for notification is where serious harm to any of the individuals is likely. The threshold tests which trigger the notice obligations are based on an objective test of what a reasonable person would conclude.
- An 'eligible data breach' occurs when, in respect of personal information, credit reporting information, credit eligibility information or tax file number information held by an entity required to comply with data security obligations in the Privacy Act, the following conditions are satisfied:
- there is unauthorised access to, or unauthorised disclosure of, the information, or where the information is lost, unauthorised access to, or unauthorised disclosure of, the information, is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to which the information relates (in the case of lost information assuming that unauthorised access or unauthorised disclosure were to occur).
- There are some important exceptions to notification, in particular where remediation taken by the affected entity has reduced the risk of serious harm.
- Most critically the unauthorised loss, access or disclosure of the information will not be an eligible data breach where, as a result of remedial action taken by the relevant entity in relation to the breach, before it results in serious harm to any individual to whom the information relates, a reasonable person would conclude that the loss, access or disclosure of the information is unlikely to result in serious harm to any of those individuals. Similarly, if such action were taken in respect of particular individuals prior to serious harm occurring and a reasonable person would conclude that, as a result the loss, access or disclosure would not be likely to result in serious harm to those particular individuals, the entity will not be required to notify those individuals of the loss, unauthorised access or unauthorised disclosure.
- Serious harm is broadly construed. The explanatory memorandum to the amendment explains that serious harm could include serious physical, psychological, emotional, economic and financial harm as well as serious harm to reputation. There is also a non-exhaustive list of relevant matters to have regard to when determining whether access or disclosure would be likely to result in serious harm:
- the kind and sensitivity of the information;
- whether the information is protected by security measures and the likelihood any such security measures would be overcome including the use of an encryption key to circumvent the encryption technology or methodology;
- the persons or kinds of persons who have or could obtain the information;
- the likelihood that any persons who have or could obtain the information could obtain information or knowledge or circumvent any security technology or methodology applied to the information with the intent to cause harm;
- the nature of the harm; and
- any other relevant matters.
Where law enforcement obligations or secrecy provisions apply to the PI that is the subject of the notifiable breach, the provisions of Part IIIC will not apply to that part of the PI.
If a notifiable breach occurs which is not subject to an exception or exemption, then a formal notification statement must be issued to the Office of the Australian Information Commissioner, and to the individuals concerned, as soon as practicable. Where the identity of a single individual is not at issue (i.e. where a group of individuals or a class of persons in a data holding may have been subject to a breach), the statement will be published on our website and in any other format required by the OAIC, without identifying the individuals themselves.
Finally, if you have a complaint or a concern or an enquiry, then contact us first. If we cannot help or resolve your issue, then we can offer a number of dispute resolution processes or you can apply directly to the OAIC for assistance or action. OAIC is the Office of the Australian Information Commissioner - refer to www.oaic.gov.au.
The Australian Industry Group
51 Walker Street North Sydney NSW Australia 2060
The Privacy Officer
PO Box 7622, Melbourne Victoria Australia 8004
Telephone: (+61) 1300 55 66 77
Or go to the contacts list on our website: www.aigroup.com.au.
All enquiries relating to the commercial aspects of the privacy legislation, in so far as they impact on Ai Group's own business activities, should be referred to the Chief Privacy Officer of Ai Group. NB: The Chief Privacy Officer of Ai Group cannot advise members on their own privacy policies or the effect of the Act on their business activities; the Chief Privacy Officer handles complaints and enquiries regarding Ai Group's implementation of the Act only.
- Wholly owned subsidiaries of Ai Group are AiGTS (Australian Industry Group Training Services Pty Ltd), AiGGE (Australian Industry Group Graduate Employment Pty Ltd), and Ai Group Legal (Ai Group Legal Pty Ltd).
- Ai Group Legal Unit Trust (trustee is Ai Group Legal Pty Ltd)
- Australian Industry Group Training Services Trust (Trustee is Ai Group Training Services Pty Ltd) - operates a registered training organisation (RTO) for VET and accredited courses, a general training and short course workplace development business (outside VET), and a trainee and apprenticeship group training company.
- Australian Industry Group Graduate Employment Trust (Trustee is Australian Industry Group Graduate Employment Pty Ltd)
- See comment below on 'Exemptions'