The Privacy Act 1988 (Cth) and the related Australian Privacy Principles set out mandatory requirements for organisations and individuals to ensure the privacy and security of information.
The Company and its employees must take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised modification or disclosure.
The Company and its employees must also take reasonable steps to destroy or otherwise de-identify personal information we hold when it is no longer needed.
Failure to comply with this Policy and the Privacy Act increases the risk of personal data being compromised. This could result in reputational damage, as well as penalties of up to $1.8 million.
This Policy applies to:
In this Policy, the following definitions apply:
“Personal Information” means any information or opinion about an identified individual, such as: an individual’s name, signature, address, phone number, email, date of birth, bank details, employment details, commentary or opinion about a person.
“Sensitive Information” means any information or an opinion about an individual’s: racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, or health, genetic or biometric information.
“Unauthorised access” of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).
Example: an employee browses sensitive customer records without a legitimate purpose, or a computer network is compromised by an external attacker resulting in personal information being accessed without authority.
“Unauthorised disclosure” occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.
Example: an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.
“Loss” refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure.
Example: where an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. The Company’s aim is to reduce the risk of such loss and breaches, which can incur significant financial penalties as well as brand and reputational damage.
Examples of a data breach include:
The Privacy Act 1988 (Cth) requires organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The Company may be required to notify the Australian Information Commissioner in the event of a data breach.
The Company collects a range of personal and sensitive information on our clients, buyers, suppliers, prospects, competitors, and employees. This is often collected through email, phone calls, contracts, web enquiries, and in-person.
This information includes:
This information is used for purposes such as:
To ensure a high level of security of personal information, only the Company’s approved IT systems are to be used for storage of personal information. These include:
Unauthorised systems include personal databases in Excel or Word, whether stored locally or in cloud-based applications. If in doubt, speak to the Company’s Privacy Officer or Legal team, or refer to the Acceptable Computer Use Policy.
Personal data on employees and contractors should only be stored in approved HR and Finance systems.
It is the responsibility of all employees and contractors to ensure the safety and security of personal and sensitive information of our customers, clients, prospects, suppliers, and employees. You must take all reasonable precautions to protect and secure personal and sensitive information in your control, including:
To reduce the risk of unauthorised access, loss, or other breach, and to comply with the Privacy Act and Privacy Principles, if you collect personal or sensitive information, you are required to destroy or delete it when it is no longer required.
To reduce the impact of any potential loss or breach, you must contact IT immediately if you suspect there has been accidental disclosure, unauthorised access, or loss of personal information, either accidental or otherwise, including situations where:
Notifying IT promptly can reduce the risk by, for example, having your accounts locked, your building access pass disabled, and your phone contents deleted.
Customers or clients may request access to, or alteration of, data we keep about them.
Complaints or requests beyond updating contact information or property requirements should be referred to the Chief Privacy Officer.
For more information on this Policy or privacy requirements, contact the Chief Privacy Officer:
Telephone: +61 2 9257 0222
The Chief Privacy Officer
Level 30, Grosvenor Place,
225 George Street,
Sydney NSW 2000