Privacy Policy

ELITE CAIRNS PTY LTD and/or WHITE WHINE PTY LTD is committed to complying with the Privacy Act’s Information Privacy Principles which enable individual’s to exercise greater control over how our organisation collects, uses and discloses personal information that relates to them. The Information Privacy Act has implemented ten Information Privacy Principles (IPP’s) to describe how personal information and sensitive information is to be handled.

A breach of this Policy may have serious consequences including termination of employment.

 

The following 10 Information Privacy Principles must be followed by all Employees and the Company generally.

 

IPP1 – COLLECTION

Our Company must only collect personal information if it is necessary for our functions and activities.

It is not acceptable for our Company to collect information simply because we would like to have it, or because it might be needed at some time in the future. Information is necessary only if there is legitimate justification for its collection. 

Our Company must only collect information by lawful and fair means and not in an unreasonably intrusive way.

To decide whether something is fair, lawful and not intrusive, consider whether relevant laws are complied with, is the individual made aware of the collection or do we have an unfair advantage when collecting information e.g. unequal relationship such as children/adult, non-English speaking people or traumatised individual. 

At or before the time of collection, Employees must take reasonable steps to inform individuals of the following matters:

•              The identity of our Company and how to contact it

•              The fact that he or she is able to gain access to the information

•              The purposes for which the information is collected

•              To whom, or the types of organisations to whom, our Company discloses information of this kind

•              Any law that requires the particular information to be collected 

•              The main consequences (if any) for the individual if all or part of the information is not provided 

Our Company has created standard wording on relevant documents that are used for the purpose of collecting information about individuals which complies with the above requirements. No changes to the wording are to occur unless it is changed by the Privacy Contact Officer. 

If it is reasonable and practicable our Company must only collect personal information about an individual only from the individual. However, if our Company collects personal information about an individual from a third party, we must take reasonable steps to inform the individual of the matters outlined above, unless this would pose a serious threat to the life or health of any individual.

 

IPP2 – USE AND DISCLOSURE

Our Company may only use or disclose personal information about an individual for the primary purpose for which it was collected or a related purpose (directly related for sensitive information) the individual would reasonably expect. 

To determine how personal information can subsequently be used and to who it can be disclosed, requires an understanding of the primary purpose that the information was collected. If the requirements of IPP1 have been met, the primary purpose should be clear and should have been communicated to the person at the time of collection. 

If in doubt about whether a use or disclosure falls within the secondary purpose obtain consent from the individual or seek advice from the Privacy Contact Officer. 

Personal information can also be used or disclosed for a secondary purpose if the individual has consented to the use or disclosure. 

It is preferable to obtain written consent. In some circumstances, written consent is not practicable. Verbal or implied consent can be relied upon however if a dispute were to arise it would be more difficult to prove that we had obtained consent. 

It is important to consider the elements of consent when obtaining consent:

•              Individual must have capacity to consent

•              Consent must be voluntary

•              Consent must be informed

•              Consent must be specific

•              Consent must be current 

The use or disclosure is required or authorised by or under law. A law enforcement agency has requested personal information and authorisation has been first obtained from the relevant individual or our Company’s Privacy Contact Officer to assist the law enforcement agency. 

The law relating to use and disclosure of personal information to a law enforcement agency (e.g. Police, Australian Federal Police) is complex and advice must be obtained from the Privacy Contact Officer prior to releasing information. 

TIP: If you are in doubt about whether you can use or disclose personal information in accordance with Information Privacy Principle 2 (IPP2) obtain the consent of the individual for the use or disclosure of information or alternatively, contact the Privacy Contact Officer for advice.

 

IPP 3 – DATA QUALITY

•              Our Company must take reasonable steps to make sure that personal information that it collects, uses or discloses, is accurate, complete and up to date.

•              The accuracy, completeness and currency of the information should be established at the time of collection, and reviewed when the information is used or re-used, and when it is disclosed to another organisation. Organisations do not have to monitor data quality when information is dormant. Personal information collected and used for a particular purpose and then archived does not need to be constantly checked for accuracy.

•              Employees are encouraged to keep their personal information accurate by directly updating their information with the HR Manager.

 

IPP 4 – DATA SECURITY

Our Company must take reasonable steps to protect personal information from:

•              Misuse

•              Loss

•              Unauthorised access

•              Unauthorised modification

•              Unauthorised disclosure 

Personal information must be protected from misuse, loss, unauthorised access, modification or disclosure both within our Company as well as from misuse, loss etc. to external parties.

 

There are a number of things that individual Employees can do to enhance compliance with this privacy principle which include:

•              Locking offices when unattended

•              Not leaving personal information lying around

•              For open plan offices, staggering lunch breaks to ensure someone is always present in the office

•              Storing sensitive or confidential personal information in locked filing cabinets

•              Changing passwords on computers regularly

•              Activating a screen saver on computers

•              Employees must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed 

Personal information must be destroyed securely when it is no longer needed. Examples of secure destruction include shredding or disintegration of paper files or contracting an authorised disposal company for secure disposal.

 

IPP 5 – OPENNESS

•              Our Company must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

•              Our Company’s Privacy Policy is available on our website. It can also be obtained by contacting the Privacy Contact Officer.

•              On request by a person, our Company must take reasonable steps to let the person know generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information. If a request of this type is received from a member of the public, please refer them to the Privacy Contact Officer. If the request is made by an Employee, please refer them to the Privacy Contact Officer.

 

IPP 6 – ACCESS AND CORRECTION

•              Individuals have the right to seek access to their personal information and make corrections. Our Company will, on request, provide the public and Employees with access to information it holds about them and allows them to make corrections unless an exemption applies at law.

•              To make an application for formal access to your personal information, please see the Privacy Contact Officer.

 

IPP 7 – UNIQUE IDENTIFIERS

•              ‘Unique identifiers’ are numbers or codes which are assigned to an individual to assist with identification. Examples of common unique identifiers used by our Company are Client and Tenant Codes.

•              Our Company must only assign unique identifiers if it is necessary for it to carry out any of its functions efficiently.

•              Our Company must not adopt as its own unique identifier of an individual, the unique identifier of the individual which has been created by another organisation unless it is necessary to enable our Company to carry out any of its functions efficiently, or it has consent from the individual for the use of the unique identifier. Examples of unique identifiers which have been created by other organisations are Drivers Licence number, tax file number or Medicare number.

 

Our Company can only use or disclose a unique identifier that has been assigned to an individual by another organisation in the following circumstances: 

•              The use or disclosure is necessary for our Company to fulfil its obligations to the other organisation

•              We have the consent of the individual to the use or disclosure

•              We believe the use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or a serious threat to public health, public safety or public welfare

•              We have reason to suspect that unlawful activity has been or is being engaged in and uses or discloses the personal information to investigate the matter or to report concerns to relevant persons or authorities

•              The use or disclosure is required or authorised by or under law

•              A law enforcement agency has requested personal information and authorisation has been obtained from our Company’s Privacy Contact Officer to assist the law enforcement agency 

Our Company must not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law or the provision is in connection with the purpose (or a directly related purpose) for which the unique identifier was assigned. 

In most cases, the requirement to provide a unique identifier to our Company is required by law (e.g. tax file number for employment) or is in connection with the purpose for which the unique identifier was assigned. If you are unsure as to whether the provision of a unique identifier by an individual is in accordance with the laws please contact the Privacy Contact Officer. 

IMPORTANT NOTE:  Photographic images of a property that may have anything in it to identify a person e.g. car registration number plates, family photos, medication, bills or mail, are strictly prohibited by our Company. Property Owners and Tenants must first have given our Company their written authority for photography of the property, and if authorisation is given, be asked to remove any personal items before the authorised photos are taken.

 

IPP 8 – ANONYMITY

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into a transaction with our Company. 

As a general rule, it is not lawful and practicable for individuals to remain anonymous when dealing with our Company. For example it is not possible for a person to inspect, lease, sell or buy a property without knowing who they are. Examples of situations where individuals remain anonymous are the making of general enquiries such as ‘What time are you open?’

 

IPP 9 – TRANSBORDER DATA FLOWS

Our Company may only transfer information about an individual to someone (other than the individual or our Company) who is outside of our State or in a foreign country if one or more of the following applies:

•              Our Company reasonably believes the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of information that are substantially similar to the Information Privacy Principles.

•              Commonwealth government organisations, companies with annual turnover of more than $3 million, some state government agencies or a selection of other types of organisations have equivalent privacy laws and therefore transfers to these types of organisations located outside of our State comply with this Trans border Data Flow principle.

•              Some countries have equivalent privacy laws in place (e.g. United Kingdom) and transfer can occur under this provision. However, many countries do not have equivalent privacy laws (e.g. no laws in Malaysia or South Africa) and a transfer must fall within one of the following categories in order to comply with this principle.

•              The individual consents to the transfer. 

When obtaining consent from the individual to transfer information to an organisation who is located outside our State, the individual must be made aware of whether the privacy protection will travel with the information for legitimate consent to be obtained. 

The transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request. 

The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.

 

All of the following apply:

•              The transfer is for the benefit of the individual

•              It is impracticable to obtain the consent of the individual to that transfer

•              If it were practicable to obtain that consent, the individual would be likely to give it

•              The organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.

•              If a transfer of personal information outside of the State does not fall within any of the above categories, then this category can be complied with if the recipient of the information is requested to sign a contract which binds them to comply with the Information Privacy Principles. Refer to the Privacy Contact Officer.

 

IPP 10 – SENSITIVE INFORMATION

Our Company must not collect sensitive information about an individual unless:

•              The individual has consented e.g. implied consent by including details on form

•              The collection is required under law

•              The collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns is physically or legally incapable of giving consent to the collection or physically cannot communicate consent to the collection

•              The collection is necessary for the establishment, exercise or defence of a legal or equitable claim 

If you would like to collect sensitive information to provide additional services, for statistical analyses or for any other purpose which is not required under law, ensure that the question is made optional. If the person chooses to complete an optional question we have implied consent to use the sensitive information for the purposes outlined in the privacy notice required by IPP 1. 

An example of sensitive information our Company may collect includes taking or holding a copy of a person’s driver licence which details an organ donor status. This is health information and is classed as ‘sensitive’ under the Privacy Act. Such sensitive information must be kept secure and destroyed by shredding when not required. 

Refer also refer to the Digital Photocopier section in the Technology Policy.

 

PRIVACY CONTACT OFFICER

For more information, queries or clarification on this Privacy Policy and our Company’s practices to ensure compliance is met; refer to our Company’s Privacy Contact Officer.  

Privacy Contact Officer – Greg Clyde-Smith – 0740538400