FPES Privacy Statement

Table of contents

1.  Introduction

2.  What information does this privacy policy apply to?

3.  What kinds of information might we collect and hold?

4.  How and when do we collect personal information?

5.  How do we hold personal information?

6.  Why do we collect, hold, use or disclose personal information?

7.  Will we disclose personal information outside Australia?

8.  How do you make complaints or access and correct your personal information?

9.  What happens in case of an information security breach?

10. Changes to the policy

11. Related sample documentation / further reading

1. Introduction

This privacy statement describes how we manage and protect staff and client information, and incorporates the Australian Privacy Principles. It is intended to outline, at a high level, how we ensure the privacy and security of your information.

1.1 Who does the privacy policy apply to?

This policy applies to personal information we collect about, or hold on, clients who use our services, and about our staff, contractors and agents.

2. What information does this privacy policy apply to?

Personally Identifiable Information (PII), or personal data, is any information that relates to an identified or identifiable individual.

Different pieces of information which, when collected together, can lead to the identification of a particular person also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can still be used to re-identify a person (for example, because the encryption key or the pseudonym mapping table is retained) remains personal data and falls within the scope of the law. Only data that has been anonymised so that the individual can no longer be identified falls outside it.

The law protects personal data regardless of the technology used to process it. It is technology neutral and applies to both automated and manual processing, provided the data is organised according to pre-defined criteria (for example, in alphabetical order). It also does not matter how the data is stored: in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to protection.

Personal data includes, but is not limited to:

· a name and surname

· a home address

· contact details

· an email address such as name.surname@company.com

· an identification card or account number, including

  • Medicare or private health fund identification

  • credit card number

  • driver's or other licence number

  • school or university identification

· location data (for example, the location function on a mobile phone, or the pick-up and drop-off points of a rideshare trip)

· passport details

· bank account details

· social security details

· Internet Protocol (IP) address

· browser cookies

· the advertising identifier of your phone

· data held by a medical facility or doctor, including any feature that uniquely identifies a person (e.g. tattoos, scars, implants and implant serial numbers, blood test results)

· commentary or opinion about a person

· criminal record

· religious beliefs

· health information (e.g. blood type, allergies, history of procedures, list of other specialists seen by the individual)

· racial or ethnic origin

· sexual orientation

· education status

· employment history

· financial situation

· disabilities

· government reference numbers

· biometric information

· any similar information about family members or partners

 

In certain circumstances personal data could also include:

· a phone or other device IMEI number

· photographs or videos

· a tax file number (TFN)

 

Examples of data that is not personal data (or is open-source information) include:

· a company registration number or ABN

· a generic email address such as info@company.com

· anonymised data, where the individual can no longer be re-identified

· information already in the public domain, such as company details published in a public register. Note that information about an individual does not stop being personal information merely because it can be found through a Google search, on social media or in a library; we still handle such information in accordance with this policy.

 

3. What kinds of information might we collect and hold?

3.1 We may collect and hold personal information about you, which may include (but is not limited to):

a) contact information;

b) date of birth;

c) email addresses; and

d) phone numbers.

Sensitive information

3.2 Sensitive information is a subset of personal information that could have serious ramifications for the individual concerned if used inappropriately. It includes information such as health information, racial or ethnic origin, religious beliefs, sexual orientation, criminal record and biometric information.

3.3 We may collect sensitive information about contractors, agents, prospective employees and clients, such as your medical history or history of medical procedures.

4. How and when do we collect personal information?

4.1 Our usual approach is to collect personal information directly from the individual concerned where possible or, if that is not possible, from other service providers with your permission.

5. How do we hold personal information?

5.1 Our usual approach to holding personal information is to hold it:

a) physically, at our premises;

b) electronically, on secure servers; and

c) in a private cloud.

5.2 We secure the personal information we hold in numerous ways, including:

a) using security systems to limit access to data and documents (e.g. locked filing cabinets) and to our premises outside business hours;

b) using secure servers to store personal information;

c) using unique usernames, passwords and two-factor authentication, along with other protections, on systems that can access personal information;

d) encrypting personal information;

e) anonymising information where feasible; and

f) privacy and security training for all staff, at least annually.

6. Why do we collect, hold, use or disclose personal information?

6.1 We use and disclose personal information for the primary purpose for which we collect it.

6.2 We will only use or disclose personal information for a secondary purpose if that purpose is related to the primary purpose of collection and within the individual's reasonable expectations, or with your express consent.

6.3 We may disclose a client's personal information where required to comply with our legal obligations.

7. Will we disclose personal information outside Australia?

7.1 Where personal information is disclosed to a recipient outside Australia, we take reasonable steps to ensure it is handled in a safe and secure manner: for example, by encrypting it in transit, restricting access at the receiving end to accounts protected by multi-factor authentication, putting non-disclosure agreements in place, and anonymising the information where possible.

8. How do you make complaints or access and correct/update your personal information?

8.1 It is important that the information we hold about you is up to date. Please contact us if your personal information changes.

Access to information and correcting personal information

8.2 You may request access to your personal information held by us, or ask us to correct it, using the contact details under "Who to contact" in the complaints section of this policy.

8.3 We will grant you, or your parent or guardian if you are a minor, access to your personal information as soon as practicable, subject to the circumstances of the request.

8.4 In keeping with our commitment to protect the privacy of personal information, we will not disclose personal information to you without sufficient proof of identity, so that an access request cannot be used by someone else to obtain your information.

8.5 We may deny access to personal information if:

a) the request is unreasonable;

b) providing access would have an unreasonable impact on the privacy of another person;

c) providing access would pose a serious and imminent threat to the life or health of any person; or

d) there are other legal grounds to deny the request.

8.6 We may charge a fee for reasonable costs incurred in responding to an access request. The fee (if any) will be disclosed before it is levied.

8.7 If the personal information we hold is not accurate, complete and up to date, we will take reasonable steps to correct it, where it is appropriate to do so.

9. What happens in case of an information security breach?

Although we have never had a privacy breach, we nevertheless have a specific Information Security Compliance Privacy Breach Reporting Process, designed to meet the requirements of the Australian Privacy Act 1988 (as amended in 2017 to introduce the Notifiable Data Breaches scheme), the European GDPR, and the laws of a number of other jurisdictions.

This includes not only taking preventative action and reporting any privacy breach to the relevant government bodies, but also notifying the public and any individuals who might be affected. Under the GDPR, the supervisory authority must be notified within 72 hours of becoming aware of a breach (see Article 33 in the further reading below).

Complaints/Enquiries

9.1 If you wish to make an enquiry or complaint about your privacy, please follow this process:

(a) The complaint or enquiry must first be made to us in writing, using the contact details in this section. We will need a reasonable time to respond.

(b) If the privacy issue cannot be resolved with us, you may take your complaint to the Office of the Australian Information Commissioner (OAIC), via this link: https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB

Who to contact

9.2 A person may make an enquiry or complaint, or request access to or correction of personal information about them that we hold. Such a request must be made in writing to the following address:

Postal Address: PO Box 856, Cronulla 2230 NSW

Telephone number: 1300 653 239

Email address: fpes@fpes.com.au

10. Changes to the policy

10.1 We may update, modify or withdraw this policy at any time without prior notice. Any changes to the privacy policy will be published on our website.

10.2 This policy is effective from 1 October 2015. If you have any comments on the policy, please contact our privacy officer using the contact details under "Who to contact" in the complaints section of this policy.

11. Related sample documentation / further reading

Type and description, followed by the link:

ISO 27000 family of information security standards (including ISO 27001)

http://www.iso27001security.com/html/iso27000.html

ISO 27018: standard for protecting privacy in the cloud (compared with ISO 27001)

https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/?icn=free-blog-27001&ici=bottom-iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud-txt

2018 reform of EU data protection rules: General Data Protection Regulation (GDPR)

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

GDPR definition of personal data

https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Privacy Act 1988 (Cth)

https://www.oaic.gov.au/privacy-law/privacy-act/

Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)

https://www.ipc.nsw.gov.au/hrip-act

Queensland Health privacy information

https://www.health.qld.gov.au/global/privacy

Australian data breach response process

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme#data-breach-response-summary

Privacy Regulation 2013

https://www.oaic.gov.au/privacy-law/privacy-act/privacy-regulations

Australian Notifiable Data Breaches scheme

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

Australian Privacy Principles

https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles

New Australian mandatory data breach notification legislation

https://www.natlawreview.com/article/new-australian-mandatory-data-breach-notification-legislation

GDPR breach notification process (Article 33)

https://gdpr-info.eu/art-33-gdpr/

Guide to undertaking privacy impact assessments

https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments

Information Privacy Act 2014 (ACT)

http://www.legislation.act.gov.au/a/2014-24/default.asp

Guidance for conducting police checks

https://vpsc.vic.gov.au/html-resources/guidance-for-conducting-police-checks/

Healthcare Identifiers Act 2010

https://www.legislation.gov.au/Series/C2010A00072

Data protection in the United States

https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)&firstPage=true&bhcp=1

Australian Taxation Office: keeping your tax records

https://www.ato.gov.au/General/Other-languages/In-detail/Information-in-other-languages/Record-keeping-for-small-businesses/

ISO: Keeping data safe - what's your backup?

https://www.iso.org/news/2015/01/Ref1926.html