Haze Media Pty Limited (“HAZE”) is committed to compliance with its obligations under the Privacy Act 1988 (Cth) (as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth)) (the “Act”).
HAZE, like all businesses in Australia, is subject to the Act. The collection and use of personal information by HAZE is regulated by the Act, and failure by HAZE to observe its obligations under the Act would create substantial legal risk exposure for HAZE.
One of the requirements of the Act is to appoint a Privacy Officer for the Company and that Privacy Officer will be Andrew Hazelton.
This policy sets out in general terms HAZE’s approach to the collection and use of personal information. All HAZE staff must read this policy and must act in accordance with it at all times when dealing with personal information. Any staff members who are unsure about their obligations regarding privacy and personal information, or who require clarification of anything contained in this policy should contact our office on +612 9213 3750.
What is personal information?
Personal information is information in any form regarding an individual that enables the individual to be identified. Some examples of personal information are names, addresses, telephone numbers, e-mail addresses, credit history information, financial details and photographs. The definition of personal information, for the purposes of the Act, is very wide – as a general rule, HAZE staff should err on the side of caution when considering whether or not any particular information is personal information.
In the course of employment with HAZE, staff members are often required to deal in various ways with personal information. In all such instances, HAZE staff members must have regard to this policy.
The National Privacy Principles
The fundamentals of HAZE’s obligations under the Act are contained in the ten National Privacy Principles (“NPP”s). It is crucial that all collection and use of personal information by HAZE is done strictly in accordance with the NPPs.
The following is a brief overview of the NPPs and what they require of HAZE in relation to personal information.
The NPPs require transparency and openness in relation to the collection of personal information. As a general rule, HAZE should not deal with personal information regarding any individual unless that individual has been given full disclosure of the nature and purpose of the relevant dealing. Personal information must never be collected covertly or compulsorily and in most cases individuals should be given the option to interact with HAZE without providing any personal information.
Also, personal information should only be collected to the extent that it is necessary for one or more of HAZE’s functions or activities.
Before any collection or recording of personal information regarding any individual, that individual must be clearly informed of:
- the fact that personal information regarding that individual is about to be collected;
- exactly what personal information is to be collected and how it will be recorded;
- the reason why the relevant personal information is being collected;
- the fact that it is HAZE collecting the personal information; and
- whether there are any consequences for the individual if they decide not to provide some or all of the personal information proposed to be collected.
Having complied with these disclosure obligations, if HAZE then proceeds to collect personal information regarding an individual, that individual must be told:
- that he or she may gain access to the personal information collected by HAZE; and
- how he or she should contact HAZE in relation to personal information collected by HAZE.
Personal information generally should not be collected unless the relevant individual gives his or her informed consent to the proposed collection.
Use and disclosure
Again, HAZE’s obligations centre upon transparency and openness. As a general rule, HAZE is free to use personal information that it has collected as long as:
- the way in which the personal information is used is legitimately in the course of HAZE’s business; and
- the personal information is only used in a way that has been disclosed and consented to by the relevant individual.
It is not acceptable to collect personal information for one purpose (which is consented to) and then use that personal information for another purpose. Once personal information regarding an individual has been collected, the relevant individual must be informed of and consent to each and every use of that personal information.
Under no circumstances should personal information regarding an individual be passed on to or disclosed to the public or any third parties without the express informed consent of the relevant individual.
HAZE is obliged to take reasonable steps to ensure that the personal information it collects, uses, or discloses is:
- complete; and
Secure storage of all personal information collected is another of HAZE’S fundamental obligations. Regardless of whether personal information is stored electronically or in hard copy, HAZE must take steps to prevent:
- misuse or loss of the personal information; and
- unauthorised access, modification, or disclosure of the personal information.
Personal information should not be stored other than in such secure electronic or hard copy locations as are from time to time designated by HAZE as appropriate for such storage.
Further, HAZE is not permitted to retain personal information if it is no longer needed by HAZE for legitimate business purposes. Personal information that is no longer useful to HAZE must be destroyed or “de-identified” (meaning that it can no longer identify the individual to whom it relates).
As a matter of both policy and legal obligation, HAZE must at all times apply principles of openness and transparency in relation to all personal information that it collects and retains.
HAZE’s policy is always to seek to assist persons who inquire about HAZE’s personal information management practices. General inquiries regarding the personal information collection, use, and disclosure practices of HAZE should be answered promptly and accurately, as should specific inquiries from individuals in relation to personal information regarding those individuals.
Access and correction
Generally, individuals should always be given full access to personal information held by HAZE in relation to them. Individuals have a legal right to such access, and HAZE is obliged to grant it upon request.
In most cases, individuals also have the right to have personal information held about them corrected or updated if it contains any inaccuracies.
If any HAZE staff members are unsure about whether access should be granted or corrections made in any particular case, they should refer the matter to our office on +612 9213 3750.
“Identifiers” refers to things such as tax file numbers and other numbers issued by Government agencies. HAZE is not permitted to adopt as its own, for its own purposes, identifiers that have been assigned to individuals by government agencies.
There will be circumstances in which the collection of identifiers will be legitimate (as long as the other NPPs are complied with), but to the extent that any identifiers are collected, they must not then be used as identifiers by HAZE.
If it is possible, individuals must be given the option to conduct business or otherwise interact with HAZE on an anonymous basis. Clearly, this will not in all circumstances be practical. However, if individuals wish to deal with HAZE but do not wish to disclose any personal information to HAZE, they should be permitted to do so (unless there are unavoidable practical difficulties with allowing such interaction in particular cases).
Under the Act, sensitive information is defined as follows:
sensitive information means:
- information or an opinion about an individual’s:
- racial or ethnic origin; or
- political opinions; or
- membership of a political association; or
- religious beliefs or affiliations; or
- philosophical beliefs; or
- membership of a professional or trade association; or
- membership of a trade union; or
- sexual preferences or practices; or
- criminal record;
- that is also personal information; or
- health information about an individual.
Particular care needs to be taken regarding sensitive information. HAZE is subject to stringent obligations regarding the collection, use and disclosure of sensitive information.
As a practical matter sensitive information should only be collected if it is absolutely necessary for a legitimate business purposes, and the relevant individual has given his or her fully informed consent. This principle applies also to using, transferring or disclosing sensitive information.
Following is a Summary of NPP obligations, which is an easy-reference guide to HAZE’s obligations. This guide should be checked each time any staff member of HAZE proposes to undertake any action whatsoever in relation to personal information.
Summary of NPP obligations
- If it is lawful and practicable to do so, give people the option of interacting anonymously with you.
- Only collect personal information that is necessary for your functions or activities.
- Use fair and lawful ways to collect personal information.
- Collect personal information directly from an individual if it is reasonable and practicable to do so.
- Get consent to collect sensitive information unless specified exemptions apply.
- At the time you collect personal information or as soon as practicable afterwards, take reasonable steps to make an individual aware of:
- why you are collecting information about them;
- who else you might give it to; and
- other specified matters.
- Take reasonable steps to ensure the individual is aware of this information even if you have collected it from someone else.
- Only use or disclose personal information for the primary purpose of collection.
- Take reasonable steps to ensure the personal information you collect, use or disclose is accurate, complete and up-to-date. This may require you to correct the information.
- Take reasonable steps to protect the personal information you hold from misuse and loss and from unauthorised access, modification or disclosure.
- Take reasonable steps to destroy or permanently de-identify personal information if you no longer need it for any purpose for which you may use or disclose the information.
- Have a short document that sets out clearly expressed policies on the way you manage personal information and make it available to anyone who asks for it.
- If an individual asks, take reasonable steps to let them know, generally, what sort of personal information you hold, what purposes you hold it for and how you collect, use and disclose that information.
- If an individual asks, you must give access to the personal information you hold about them unless particular circumstances apply that allow you to limit the extent to which you give access – these include emergency situations, specified business imperatives and law enforcement or other public interests.
- Only adopt, use or disclose a Commonwealth Government identifier if particular circumstances apply that would allow you to do so.
- Only transfer personal information overseas if you have checked with corporate head office.