  1. OVERVIEW OF THIS POLICY

    This Policy details how we comply with the Privacy Act, including the Australian Privacy Principles and the Credit Reporting Code, which have been introduced under the Privacy Act.

    This Policy does not apply to the collection or use of information about corporations.

    If you would like a hardcopy of this Policy, please contact Joanne D’Andrea, General Counsel, on 03 5272 9223.

  2. DEFINITIONS

    1. APPs means the Australian Privacy Principles introduced under the Privacy Act;
    2. Credit Related Information is used in this Policy to describe Credit Information, as defined in the Privacy Act, including, where the context requires, information obtained from, or given to, Credit Reporting Bodies, as defined in the Privacy Act;
    3. Information is used in this Policy to describe Personal Information, Sensitive Information and Credit Related Information collectively;
    4. Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
      1. whether the information or opinion is true or not; and
      2. whether the information or opinion is recorded in a material form or not;
    5. Policy means this Privacy & Credit Reporting Privacy Policy;
    6. Privacy Act means the Privacy Act 1988 (Cth) as amended from time to time;
    7. Sensitive Information is defined in the Privacy Act to include things such as race, sexual orientation, political opinions, membership of a trade association or trade union, criminal record or health information.
  3. THE TYPE OF INFORMATION WE COLLECT

    1. Personal Information

      Personal information that we collect and hold is information that is reasonably necessary for the proper performance of our functions and activities as a supplier of services.

      Generally the type of Personal Information we collect and hold will include:

      1. identification information, such as your name, date of birth and address;
      2. telephone numbers and e-mail addresses;
      3. licence details;
      4. credit information, such as details relating to credit history, transaction history, credit capacity, and eligibility for credit;
      5. credit card and other banking information;
      6. Government identifiers (such as your tax file number);
      7. insurance information;
      8. association membership details;
      9. personal references.
    2. Sensitive Information

      We may at times, subject to this Policy, also collect and hold Sensitive Information.

    3. Credit Related Information

      The type of Credit Related Information we collect and hold includes:

      1. identification information, such as age, date of birth, drivers licence number;
      2. credit-related information, such as:
        1. the type of credit you have obtained and the terms upon which it was obtained;
        2. the day on which the credit is entered into and the day on which it is terminated or otherwise ceases to be in force;
        3. repayment history information and default information;
        4. scores, ratings, summaries, evaluations and other information relating to your credit worthiness;
      3. certain administrative information relating to credit;
      4. information which has bearing on your creditworthiness which is relevant to evaluating your eligibility for credit, such as:
        1. insolvency information;
        2. credit infringement information;
        3. court judgments made in relation to your past or present credit arrangements.
  4. COLLECTION

    We collect Information only by fair and lawful means where it is reasonable and practicable to do so. We do so in order to conduct our business, to provide and market our services and to meet our legal obligations.

    If you do not provide us with Information we reasonably request, we may not be able to provide the requested services to you. We also may not be able to provide you with the information about the services that you may want.

    1. How we Collect Information
      1. We collect Information that you provide:
        1. when visiting our website (www.awh.com.au);
        2. when attending events we may organise, such as auctions;
        3. in applications or resumes you lodge with us;
        4. during telephone, or in person, conversations with us; and
        5. in written correspondence to us (including email correspondence).
      2. We also collect Information provided by other people when it is necessary for a specific purpose, such as checking information that you have given us or where you have consented, or would reasonably expect us, to collect your Information in this way.

        If it is unclear to us whether you have consented to the collection of Information from a third party, we will take reasonable steps to contact you to ensure that you are aware of the reason and purpose of the collection.

        If we collect Information from a third party, we will inform you that the Information has been collected and the circumstances of such collection.

      3. We will also collect Information about you if we are required to do so under an Australian law. If so, we will inform you of this, including details of the law requiring the collection.
      4. We may also collect Information about you from a range of publicly available sources including newspapers, journals, directories, the internet and social media sites.
    2. Specific Technology Issues

      It is important that you understand that there are risks associated with use of the internet and you should take all appropriate steps to protect your Information. You can contact us by land line telephone or post if you have concerns about making contact via the internet.

      We may use cookies when you visit our website (www.awh.com.au) and, as a consequence, we may collect certain information from you such as:

      1. your browser type;
      2. your location;
      3. your IP address;
      4. information about when and how you use our website; and
      5. information about your past internet usage, such as websites you visit before coming to our website and documents you have downloaded.

      Our website may contain links to other sites. AWH is not responsible for the privacy practices or the content of any sites linked to our website.

    3. Unsolicited Information

      Where we receive unsolicited Information about you, we will check whether that Information is reasonably necessary for our functions or activities. If it is, we will handle this Information in the same way we do other Information we seek from you. If not, we will destroy or de-identify it.

  5. REASON FOR COLLECTION & USE

    1. Personal Information

      We may use and disclose your Personal Information for the primary purpose for which it is collected, for reasonably expected secondary purposes which are related to the primary purpose and in other circumstances authorised by the Privacy Act. In general, we use and disclose your Personal Information to:

      1. conduct our business;
      2. provide and market services;
      3. communicate with you and assist you with enquiries;
      4. purchase from you;
      5. comply with our legal obligations;
      6. help us manage and enhance our services;
      7. gain an understanding of your needs;
      8. establish an account for you;
      9. give you access to specific sections of our website; and
      10. improve your online experience with us.
    2. Sensitive Information

      We will not collect Sensitive Information about you unless:

      1. we obtain your explicit consent to collect and use such Sensitive Information; or
      2. the Sensitive Information is reasonably necessary for one or more of our functions or activities; or
      3. the collection of the Sensitive Information is required or authorised by or under Australian law or a court/tribunal order; or
      4. a permitted general situation exists in relation to the collection of the Sensitive Information by us; or
      5. a permitted health situation exists in relation to the collection of the Sensitive Information by us.
    3. Credit Related Information

      We collect, use and hold your Credit Related Information:

      1. to determine payment terms for the services we provide;
      2. for day to day administration purposes; and
      3. to satisfy our legal obligations.

      In addition, we use Credit Related Information that we obtain from Credit Reporting Bodies to derive information in relation to your creditworthiness and eligibility for credit. This is known as “Credit Eligibility Information”.

  6. DISCLOSURE

    1. Disclosure of Personal Information

      Where necessary for our business we may disclose Personal Information to other non AWH organisations in Australia, such as:

      1. service providers to AWH;
      2. financial institutions;
      3. Credit Providers, Credit Reporting Bodies;
      4. insurers; and
      5. nominated referees.
    2. Disclosure of Credit Related Information

      We may disclose Credit Related Information about you to Credit Reporting Bodies and debt collection companies where you are in payment default. We will only make a disclosure in these circumstances if we have given you written notice of our intention to disclose and at least 14 days have passed since giving you such notice.

      The types of Credit Related Information that we may disclose include:

      1. identification information; and
      2. information that you have defaulted on a payment due to us and the amount of the default.

      Subject to paragraph 6.3, we will not disclose Credit Related Information, including Credit Eligibility Information, about you unless you have authorised the disclosure or it is otherwise in accordance with Australian law.

    3. Disclosure to Related Entities

      We may disclose Information to our related entities.

  7. MARKETING

    We may use and/or disclose your Information in order to:

    1. provide you with news and information about our services;
    2. provide you with marketing and promotional material that we believe you may be interested in; or
    3. seek your feedback on our services.

    Only with your express consent will we use or disclose Information about you for the purposes of direct marketing. You can ask us not to do this at any time by writing to Joanne D’Andrea, General Counsel, AWH Pty Ltd, PO Box 283, Lara, Victoria, 3212.

    We will not sell your Information.

  8. SECURITY & MANAGEMENT

    We take reasonable steps to protect your Information against misuse, interference, loss, unauthorised access, modification and disclosure. The protective steps we take include:

    1. confidentiality requirements of our employees;
    2. document storage security policies;
    3. security measures for restricted access to our systems; and
    4. deletion, destruction or de-identification of Information where it is no longer required by us.
  9. CORRECTION

    We aim to ensure that the Information we hold is accurate, complete and up-to-date. We encourage you to contact us in order to update any Information we hold about you. Our contact details are set out at the end of this Policy.

    If you contact us regarding an apparent inaccuracy in relation to your Information and we are satisfied that the Information is inaccurate, out-of-date, incomplete, irrelevant or misleading, then reasonable steps will be taken to correct the Information within 30 days, or a longer period as we agree with you in writing.

    We will not charge you for a correction.

    If we determine that the correction is not required, we will provide you with written notice stating the reasons why the correction was not made and refer you to our complaints procedure.

    If a correction is made to any Information that was previously disclosed to a third party, as long as it is reasonable to do so, we will give each such recipient written notice of the correction within a reasonable period. We will also notify you that the correction has been made.

  10. ACCESS TO YOUR INFORMATION

    You are entitled to access your Information held by us.

    If you wish to access your Information, you must lodge a request for access by contacting Joanne D’Andrea, General Counsel, by post at AWH Pty Ltd, PO Box 283, Lara, Victoria, 3212; or by email on joannedandrea@awh.com.au.

    We may charge a fee to cover our reasonable costs in meeting an access request. You will be provided with access to your Information within 30 days of the request (unless unusual circumstances apply).

    We are not required to give you access to your Information if:

    1. it would be unlawful to do so; or
    2. denying access is required or authorised by Australian law or a court/tribunal order; or
    3. to do so would likely prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

    If we do not give you access to your Information, you will receive written notice that explains the reason for the refusal.

  11. COMPLAINTS

    Complaints about alleged breaches by us of the Privacy Act, the APPs, the Credit Reporting Code or this Policy can be made by contacting Joanne D’Andrea, General Counsel, by post at AWH Pty Ltd, PO Box 283, Lara, Victoria, 3212; or by email on joannedandrea@awh.com.au. If you do not consider that your complaint has been adequately dealt with by us, you may make a further complaint to the Office of the Australian Information Commissioner, which has complaint handling responsibilities under the Privacy Act.

  12. ACCESS TO THIS POLICY

    This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and practices and the changing business environment.

    The most current version of this Policy will be uploaded to our website (www.awh.com.au) or can be obtained by contacting our Privacy Officer:

    E-Mail: joannedandrea@awh.com.au

    Phone: 5272 9223

    Facsimile: 03 5274 2221

    Postal Address: PO Box 283, Lara, Victoria, 3212

  13. FURTHER INFORMATION

    If you have any questions about privacy-related issues please contact our Privacy Officer.

    Further information about privacy, the protection of privacy and credit reporting can also be found on the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.

ANNEXURE – NOTIFIABLE DATA BREACHES – POLICY & RESPONSE PLAN

  1. PURPOSE

    The purpose of this annexure to the Privacy Policy is to ensure there are clear procedures in place for the management and notification of data breaches in order to comply with the Privacy Amendment (Notifiable Data Breaches) Act 2017 (an amendment to the Privacy Act 1988) effective 22 February 2018.

  2. POLICY STATEMENT

    AWH is committed to ensuring an environment with clear procedures and processes for privacy data breaches. AWH has obligations under the Privacy Act to put in place reasonable security safeguards and to take active steps to protect the personal information that it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

  3. SCOPE

    This policy applies to, but is not limited to, all:

    1. employees, agents, directors and officers of AWH; and
    2. third party suppliers and contractors who provide services to AWH.
  4. NOTIFIABLE DATA BREACHES

    AWH is required to comply with the Privacy Act.

    The Notifiable Data Breach scheme obliges all organisations required to comply with the Privacy Act to notify any individuals likely to be at risk of serious harm by a data breach.

    1. What is a notifiable data breach?

      A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

      A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples of a data breach include when:

      1. a device containing customers’ personal information is lost or stolen;
      2. a database containing personal information is hacked;
      3. personal information is mistakenly provided to the wrong person.
    2. What is “serious harm”?

      “Serious harm” is not defined in the Privacy Act.

      In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial or reputational harm.

      Whether a data breach is “likely to result” in serious harm to an individual whose information was part of the data breach requires an objective assessment from the perspective of a reasonable person. Under this scheme a “reasonable person” means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available and/or following reasonable inquiries or an assessment of the data breach.

      The phrase “likely to result” means the risk of serious harm to an individual is more probable than not.

      In assessing whether a data breach is “likely to result” in serious harm the following needs to be considered:

      1. the type or types of personal information involved in the data breach;
      2. the circumstances of the data breach; and
      3. the nature of the harm that may result from the data breach.

      Assessing the degree of harm caused as a result of a data breach – and whether the data breach is notifiable – will be undertaken by the Data Breach Response Team.

  5. RESPONSE TO DATA BREACHES

    AWH has a robust approach to protection of personal information and this is reflected in our Incident Response Plan at Attachment 1 and Incident Reporting Plan at Attachment 2.

    We are committed to following this policy and the Incident Response Plan for a number of reasons including:

    1. mandatory compliance with the Privacy Act;
    2. maintaining the protection of the personal information of all stakeholders; and
    3. instilling confidence in our capacity to protect personal information as well as responding appropriately to a data breach.
  6. DATA BREACH RESPONSE TEAM

    The Data Breach Response Team is comprised of the individuals across AWH who are best placed to determine the response to a potential data breach. The Data Breach Response Team will be coordinated by General Counsel but, at a minimum, the team includes:

    1. General Counsel
    2. Chief Information Officer
    3. General Manager (of the AWH sector with the relevant breach).
  7. ROLES AND RESPONSIBILITIES

    This section outlines the responsibilities of management and staff in relation to notifiable data breaches. (Refer to Attachments 1 and 2)

    | Role | Responsibility |
    | --- | --- |
    | All Staff | Escalate a data breach, or suspected data breach, to their Manager (or General Counsel if their Manager is unavailable) as soon as it becomes known |
    | Manager | Escalate the data breach, or suspected data breach, to General Counsel and the CIO |
    | CIO | Contain (if possible) the breach and prevent additional information loss; start forensic examination into the source, and extent, of the breach; implement measures to prevent a further data breach; liaise with third party I.T. providers as required |
    | General Counsel | Assess the extent and cause of the breach and any potential serious harm to any individual(s); brief the CEO; determine which individuals and (possible) organisations (including insurers) are required to, or should, be notified; consider any legal or contractual obligations that may arise |
    | Data Breach Response Team | Assess and contain the breach as soon as possible; notify the individual(s) affected if required; notify any relevant organisations if appropriate; notify the Office of the Information Commissioner if required |
    | CEO | Ensure AWH has an appropriate policy and response plan in place to comply with the Privacy Act |

  8. DEFINITIONS

    1. APPs means the Australian Privacy Principles introduced under the Privacy Act;
    2. Notifiable Data Breach means a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. It occurs when personal information held by AWH is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
    3. OAIC means the Office of the Australian Information Commissioner;
    4. Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
      1. whether the information or opinion is true or not; and
      2. whether the information or opinion is recorded in a material form or not;
    5. Privacy Act means the Privacy Act 1988 (Cth) as amended from time to time.
  9. INTERACTING POLICIES AND LEGISLATION

    This policy should be read in conjunction with the Privacy Act 1988 (Cth).