In Australia, privacy law generally relates to the protection of an individual’s personal information. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. The Privacy Act includes thirteen (13) Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, accessing and correction of personal information (including sensitive information).
that meets the APPs; however, we choose to do so.
This policy is based on the thirteen (13) APPs that came into force on 12 March 2014 through the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and details how Avrior complies with each of these APPs.
The Directors of Avrior should ensure that all staff of AVRIOR undertake awareness training in this policy and its underpinning legislative requirements, and comply with this policy at all times. The Directors should also ensure that all clients of Avrior have an awareness of this policy.
Consideration of Personal Information Privacy
Open and Transparent Management of Personal Information
The Directors of AVRIOR must:
Disclosure of User Information.
For our Online Training Portal, we collect, use and hold information in relation to:
• Name;
• Email Address;
• Phone Numbers;
• Physical Address;
• IP Address;
• Host Name;
• Browser Information.
During exhibitions, Avrior may collect, use and hold personal information including:
• Name;
• Contact Details;
• Products and Services interested in;
• Any information required for any competition we may be running at the time for which you will have provided consent.
For the purpose of subscribing to the Avrior Newsletter or Social Media sites, we collect, use and hold the following information:
• Name;
• Email Address.
When visiting the Avrior website, if an individual is logged in to the website under their user registration, Avrior collects and holds:
• The individual’s access time;
• IP Address;
• Visitor behaviour (e.g. what pages you may have visited to enhance the customer’s visit and preferences).
For employees or sub-contractors of Avrior, Avrior collects, uses and holds the following private information:
• Employment Contract or Sub-Contracting Agreement;
• Banking Details;
• Next of Kin and Emergency Contact Information (where relevant);
• Curriculum Vitae;
• Qualifications, Permits, Licenses, etc.;
• Third Party Reference Checks;
• Contact Details;
• Any relevant sensitive information such as health and / or medical;
• Tax File Number;
• Superannuation Details;
• Australian Business Number or Australian Company Number;
• Eligibility Testing;
• Application for Employment or Sub-Contracting;
• All communications that are hard copy or electronic;
• Medical Certificates, etc. where relevant;
• Supervisory and/or performance management reports;
• Attendance records;
• Complaints and Appeals lodged and received against the individual where relevant;
• All work related login and password details.
Any information that is collected, held and used by Avrior is subject to this policy and where required, this policy will be updated to include any changes to the types of information that are collected, held or used by Avrior.
Purpose of Collecting Personal Information
Avrior collects, holds and uses the previously mentioned personal information and records for the purposes outlined above but specifically to support the work that it is engaged by the client to undertake (submit applications to regulatory authorities on their behalf), keep Avrior clients and VIP clients up to date with changes to the industry and to facilitate the transmission of quotes, project requirements, contractual arrangements and payment processing. Avrior only collects information as and when required by requesting it to be submitted by the individual with their consent in writing (this consent may be in the form of an application for enrolment or employment). Information can be collected by Avrior through:
Dealing with Personal Information
Use and Disclosure of Personal Information
Avrior will not use or disclose personal or sensitive information for any purpose other than what it was collected for unless the relevant person has provided written consent to use or disclose the information in circumstances that are different to those for which it was collected. The circumstances where there may be an exception to this are:
• Where the use or disclosure of this information is required or authorised by or under an Australian law or a court/tribunal order;
• The individual would reasonably expect Avrior to use or disclose the information for the secondary purpose;
• A permitted general situation exists in relation to the use or disclosure of the information by Avrior Doctor;
• A permitted health situation exists in relation to the use or disclosure of the information by Avrior;
• Avrior reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by or on behalf of, an enforcement body.
Where Avrior uses an individual’s personal information under this clause, Avrior must obtain consent in writing to release, use or disclose the personal information.
Where the individual chooses to maintain anonymity or use a pseudonym and this is not detrimental to their engagement with Avrior and it does not inhibit Avrior’s adherence to legislative compliance, Avrior will act upon the individual’s request as is reasonable in relation to the requested and particular matter.
Where Avrior holds personal information (excluding any sensitive information) about an individual, Avrior will not use or disclose this information for the purpose of direct marketing unless the following circumstances apply:
• Written consent has been collected from the individual;
• The individual would reasonably expect Avrior to use or disclose the information for that purpose;
• Avrior provides an opt-out method that is easily accessible for individuals to request not to receive direct marketing communications from Avrior;
• The individual has not made such a request to Avrior.
Where Avrior does have written consent for the collection, holding and use of an individual’s personal details (excluding sensitive information), Avrior must provide a simple means by which the individual can easily request not to receive direct marketing communications from Avrior. Avrior provides this through an unsubscribe function on its newsletter and social media sites, or the individual can contact Avrior directly and request that any direct marketing they believe they have not consented to, or no longer wish to receive, cease. This policy is also supported by and does not replace or supersede the following legislation:
• Do Not Call Register Act 2006;
• Spam Act 2003; or
• Any other legislative document of the Commonwealth government.
Cross-Border Disclosure of Personal Information
Adoption, Use or Disclosure of Government Related Identifiers
Avrior must not adopt a government related identifier of an individual as its own identifier of the individual unless:
• The adoption of the government related identifier is required or authorised by or under Australian law or a court/tribunal order; or
• The identifier is prescribed by the regulations and the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.
At Avrior such government identifiers would include (but are not limited to):
• RTO Identification Numbers;
• Application Numbers;
• Legal Records and Case numbers.
Avrior must not use or disclose a government related identifier of an individual unless it is in the circumstances described under the exceptions to ‘Dealing with Personal Information’ previously.
Integrity of Personal Information
Quality of Personal Information
Security of Personal Information
Avrior must take steps that are reasonable in the circumstances to protect the information from misuse, interference and loss as well as unauthorised access, modification or disclosure. Avrior achieves this by:
• Ensuring any hard copy files containing physical, hard copy personal information are held in a secure home office with lockable doors and windows and security alarms at all times, including where this information is archived. This would include records such as old training and assessment documentation, archived application documents in draft format, etc. Under no circumstances does Avrior store financial information in this manner.
• All electronic payment transactions are conducted on a securely hosted website with appropriate intrusion protection and logical system access requiring each user to enter a user name and password for access.
• The Avrior Online Store through its hosted payment gateway provides real time credit card processing, 256-bit SSL certificate with all data encrypted over 3DES & PCI standard.
• All physical, hard copy sensitive personal information is to be stored in a lockable filing cabinet in the Director’s secure home offices (as described previously).
• All archived documentation and backups that Avrior maintains on behalf of clients are stored in Google Drive in the Avrior secure account or, alternatively, on the Avrior external independent Server which only has secure access by the Directors and resides at the Founding Director’s secure home office.
• Where the user is physically absent from the personal information or sensitive personal information for any period of time (for example when Avrior or its representatives are on site with a client and must leave their computer momentarily), that individual must return the personal information or the sensitive personal information to its secure storage area in accordance with these instructions.
• Avrior will conduct regular audits, either combined with or separate to its internal audits for registration purposes, to confirm compliance with this policy and the Australian Privacy Principles.
If Avrior holds personal information about an individual and:
• Avrior no longer needs the information for any purpose for which the information may be used or disclosed by Avrior; and
• The information is not contained in a Commonwealth record; and
• Avrior is not required by or under an Australian law, or court/tribunal order, to retain the information;
Avrior must take such steps as are reasonable in the circumstances to destroy the information or to ensure the information is de-identified.
In relation to Avrior, clients usually request (and expect) Avrior to keep a secure copy of any documentation that it creates on behalf of the client in the event of their data failure. Consistent with the expectations of our clients, Avrior does store all client information for this purpose; however, should a client wish for us to not store their personal information in this way, they can advise us in writing and request that it be securely destroyed.
Access to, and Correction of, Personal Information
If Avrior holds personal information about an individual, Avrior must, upon request by the individual, give the individual access to the requested information.
Exception to Access
Despite the above clause, Avrior is not required to give the individual access to the personal information to the extent that:
• Avrior reasonably believes that giving access would pose a serious threat to the life, health or safety of an individual, or to public health or public safety; or
• Giving access would have an unreasonable impact on the privacy of other individuals; or
• The request for access is vexatious or frivolous; or
• The information relates to existing or anticipated legal proceedings between Avrior and the individual and would not be accessible by the process of discovery in those proceedings; or
• Giving access would reveal the intentions of Avrior in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
• Giving access would be unlawful; or
• Denying access is required or authorised by or under an Australian law or a court/tribunal order; or
• Both of the following apply:
o Avrior has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to Avrior’s functions or activities has been, is being or may be engaged in;
o Giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
• Giving access would likely prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
• Giving access would reveal evaluative information generated within Avrior in connection with a commercially sensitive decision-making process.
Dealing with Requests to Access
Avrior must respond to the request within a reasonable period after the request is made and give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
Other Means of Access
If Avrior refuses:
• To give access to the personal information for reasons previously outlined; or
• To give access in the manner requested by the individual;
access may be given through the use of a mutually agreed intermediary.
As an organisation, Avrior may charge for giving access to the personal information; however, the charge must not be excessive and must not apply to the making of the request. Where Avrior charges a fee to give access to personal information held about the individual, this charge will be provided up front and will only cover the cost of providing the information where this is reasonable for photocopying and printing, as well as postage if required.
Refusal to Give Access
If Avrior refuses to give access to the personal information because of any of the reasons outlined previously under ‘Exception to Access’, or where Avrior refuses to give access in the manner requested by the individual, Avrior must give the individual a written notice that sets out:
• The reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
• The mechanisms available to complain about the refusal; and
• Any other matter prescribed by the regulations.
If Avrior refuses to give access to the personal information because giving access would reveal evaluative information generated within Avrior in connection with a commercially or legally sensitive decision-making process, the reasons for the refusal may include an explanation for the commercially or legally sensitive decision.
Correction of Personal Information
If Avrior holds personal information about an individual, and is either satisfied that having regard to a purpose for which the information is held, the information is inaccurate, incomplete, irrelevant or misleading or the individual requests that Avrior correct the information, Avrior must take such steps as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.
Refusal to Correct Information
If Avrior refuses to correct the personal information (including a request to associate a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading) as requested by the individual, Avrior must give the individual a written notice that sets out:
• The reasons for the refusal except to the extent that it would be unreasonable to do so; and
• The mechanisms available to complain about the refusal; and
• Any other matter prescribed by the regulations.
Where Avrior is required to provide a statement, Avrior must take steps that are reasonable in the circumstances to associate a statement in such a way that will make the statement apparent to users of that information.
Avrior must issue the statement within a reasonable period after the request is made and must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).
For further questions or clarity regarding this new legislation, please contact:
Office of the Australian Information Commissioner
Telephone: 1300 363 992
Email: firstname.lastname@example.org
Website: http://ww.oaic.gov.au