1.1 Customology Pty Ltd ACN 611 188 393 (Customology) offers a range of products and services relating to communication, interior design, printing, recruitment, marketing and data intelligence in Australia.
1.3 We are committed to complying with the Privacy Act 1988 (Cth) (Privacy Act) in relation to all personal information we collect. Our commitment is demonstrated in this policy. The Privacy Act incorporates the Australian Privacy Principles (APPs). The APPs set out the way that personal information must be treated.
1.5 This policy applies to any person in relation to whom we currently hold, or may in the future collect, personal information.
1.6 This policy applies to personal information. In broad terms, ‘personal information’ is information or opinions relating to a particular individual who can be identified.
1.7 Information is not personal information where the information cannot be linked to an identifiable individual.
2. HOW DO WE MANAGE THE PERSONAL INFORMATION WE COLLECT?
2.1 We manage the personal information we collect in numerous ways, such as by:
(a) implementing procedures for identifying and managing privacy risks;
(b) implementing security systems for protecting personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, such as by storing paper and electronic records in facilities that are only accessible by staff members who have a genuine ‘need to know’ as well as ‘right to know’;
(c) providing staff with training on privacy issues;
(d) appropriately supervising staff who regularly handle personal information;
(e) implementing mechanisms to ensure any agents, contractors or service providers who deal with us comply with the APPs;
(f) implementing procedures for identifying and reporting privacy breaches and for receiving and responding to complaints; and
(g) appointing a privacy officer within the business to monitor privacy compliance.
2.2 Subject to our professional obligations, we will take reasonable steps to destroy or de-identify personal information as soon as possible after that information is no longer needed for the purposes for which we are authorised to use it and usually within a maximum of seven years from collection, unless the law requires otherwise.
2.3 In limited circumstances it may be possible for you to use a pseudonym or remain anonymous when dealing with us. If you want to use a pseudonym or remain anonymous when dealing with us, you should notify us when making first enquiries or providing initial instructions. We will use our best endeavours to accommodate your request, subject to our ability to provide the products and perform the services for you without using your name.
3. WHAT KINDS OF INFORMATION DO WE COLLECT AND HOLD?
3.1 The personal information we may collect and hold about you differs, depending on whether you are a sole trader customer of Customology, an employee of a business that engages us, a client of a business that engages us (Contact), a service provider, contractor, agent (and their employees) or a prospective employee or a prospective service provider or a prospective contractor, but may include:
(a) sensitive information (see below);
(b) your contact details, including your name, address, telephone number and/or email address;
(c) information we may require to verify your identity, including your date and place of birth;
(d) your business name;
(e) financial and credit information;
(f) information in publicly available company records about you;
(g) employment arrangements and history;
(h) insurance information;
(i) banking details; and
(j) any other personal information required to provide our products and services to you or engage you.
3.2 ‘Sensitive information’ is a subset of personal information and includes personal information that may have serious ramifications for the individual concerned if used inappropriately.
3.3 Generally, we do not collect sensitive information about our customers, their employees, or Contacts.
3.4 However, we may collect sensitive information if it is relevant in providing you with our products and services or engaging you, which may include any of the following:
(a) health information;
(b) racial or ethnic origin;
(c) criminal history;
(d) membership of professional or trade associations; and
(e) membership of trade unions.
3.5 We will not collect sensitive information without the consent of the individual to whom the information relates unless permitted under the Privacy Act.
4. HOW AND WHEN DO WE COLLECT PERSONAL INFORMATION?
4.1 Our usual approach to collecting personal information is to collect it directly from the individual concerned through:
(a) forms (both paper and online, electronic forms);
(b) face to face meetings;
(c) communications via telephone, email or facsimile;
(d) interaction with our websites; and
(e) our social media accounts.
4.2 We may also collect personal information in other ways, such as:
(a) from paid search providers and public registers;
(b) when our customers provide their contact lists or integrate their products or services with our platforms or online services;
(c) through referrals from individuals or other entities;
(d) from your other advisers;
(e) from our related entities;
(f) from banks and financial institutions;
(g) from other credit providers;
(h) through direct marketing and business development events; and
(i) from third party providers, suppliers and creditors.
5. HOW DO WE HOLD PERSONAL INFORMATION?
5.1 Our usual approach to holding personal information includes holding that personal information:
(a) physically, at our premises; and
(i) on secure online servers;
(ii) on a private cloud; and
(iii) with a third party data storage provider.
5.2 We secure the personal information we hold in numerous ways, including:
(a) using security systems to limit access to premises outside of business hours;
(b) using secure servers to store personal information;
(c) using unique usernames, passwords and other protections on systems that can access personal information; and
(d) holding certain sensitive documents securely.
6. WHY DO WE COLLECT, HOLD, USE OR DISCLOSE PERSONAL INFORMATION?
6.1 We take reasonable steps to use and disclose personal information for the primary purpose for which we collect it. The primary purpose for which information is collected varies, depending on the particular service being provided and the individual from whom we are collecting the information but is generally as follows:
(a) in the case of sole trading customers and the employees of businesses that engage us – to provide you with our products and services and to manage our contractual relationships;
(b) in the case of Contacts – to provide our products and services to our customers;
(c) in the case of contractors, service providers and agents – to assist us in providing our products and services to our customers;
(d) in the case of potential employees and potential service providers and potential contractors – to assess your suitability for employment or engagement.
6.2 Personal information may also be used or disclosed by us for secondary purposes that are within an individual’s reasonable expectations and that are related to the primary purpose of collection.
6.3 We may also collect and use the personal information of our sole trading customers, the employees of the businesses that engage us and Contacts:
(a) to assess eligibility for credit;
(b) to keep records of transactions to assist in future enquiries;
(c) to provide support and respond to enquiries from you about our products and services;
(d) to enhance our customer relationship with you;
(e) to verify your identity;
(f) to provide updates and alerts that are relevant to our customers;
(g) to improve our products and services;
(h) to send special offers in relation to our services;
(i) to refer our customers to other advisers;
(j) to invite you to events;
(k) to enforce compliance with our terms of engagement and use; and
(l) to comply with the law.
6.4 We may collect and use the personal information of our contractors, service providers and agents:
(a) to conduct checks to ensure that the contractor, service provider, agent or prospective employee, contractor and service provider can perform and is performing the services and delivering the products to our standards; and
(b) for payment purposes.
6.5 We may disclose personal information to:
(a) contractors, service providers and agents including third party technology providers we engage from time to time, such as our data storage providers and email filter providers;
(b) employers of individuals;
(c) government bodies (such as WorkCover, Centrelink, the Australian Taxation Office, police departments, workplace health and safety authorities);
(d) your advisers or other service providers or referral partners in the course of providing our products and services to you, or to assist our functions or activities (such as advisers and public relations firms);
(e) our external auditors;
(f) our related entities; and
(g) insurance providers and brokers.
6.6 Otherwise, we will only disclose personal information to third parties if permitted by the Privacy Act.
7. DIRECT MARKETING
7.1 We may send you direct marketing communications and information about our products and services that we consider may be of interest to you. These communications may be sent in various forms, including mail and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth). If you indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so.
7.2 In addition, at any time you may opt-out of receiving marketing communications from us by contacting us (see details below), or by using opt-out facilities provided in the marketing communications and we will then ensure that your name is removed from our mailing list.
8. WILL WE DISCLOSE PERSONAL INFORMATION OUTSIDE AUSTRALIA?
8.1 We generally do not disclose personal information outside of Australia.
8.2 Your personal information will not be disclosed to overseas recipients unless we are satisfied that the recipient is subject to privacy protection laws that offer levels of protection substantially similar to those required under the Australian Privacy Principles, or we have taken reasonable steps to ensure that this personal information is handled in a safe and secure manner and that the overseas entity is aware of the obligations relating to the information under the APPs.
9. HOW DO WE MANAGE YOUR CREDIT INFORMATION?
What kinds of credit information may we collect?
9.1 We generally do not collect credit information about Contacts, our contractors, service providers, agents and their employees or prospective contractors, prospective service providers or prospective employees.
9.2 However, in the course of providing our products and services to a customer, we may collect and hold the following kinds of credit information about our sole trader customers:
(a) identification information;
(b) information about any credit that has been provided;
(c) their repayment history;
(d) information about overdue payments;
(e) the terms and conditions of credit arrangements with us;
(f) if any court proceedings have been initiated against them in relation to their credit activities;
(g) information about any bankruptcy or debt agreements involving them;
(h) any publicly available information about their credit worthiness; and
(i) any information about whether they may have fraudulently or otherwise committed a serious credit infringement.
9.3 In some limited circumstances, we may incidentally obtain credit information about Contacts from the businesses that engage us.
How and when do we collect credit information?
9.4 In most cases, we will only collect credit information directly from a sole trader customer.
9.5 Other sources we may collect credit information from include:
(a) our related entities;
(c) regulatory bodies;
(d) other individuals and entities via referrals;
(e) the businesses that engage us;
(f) banks and other credit providers;
(g) your suppliers and creditors; and
(h) our contractors, service providers and agents.
9.6 We do not collect or hold credit information from credit reporting bodies.
How do we store and hold the credit information?
9.7 We store and hold credit information in the same manner as outlined in section 5 of this policy.
Why do we collect the credit information?
9.8 Our usual purpose for collecting, holding, using and disclosing credit information about you is to enable us to provide you with our products and services.
9.9 We may also collect the credit information to:
(a) process payments; and
(b) assess eligibility for credit.
Overseas disclosure of the credit information
9.10 We generally do not disclose credit information overseas, but we may engage software providers that store information in public clouds with data centres located overseas. We have outlined this in detail in section 8 of this policy.
How can I access my credit information, correct errors or make a complaint?
9.11 You can access and correct your credit information, or complain about a breach of your privacy in the manner set out in section 11 of this policy.
10. HOW DO WE HANDLE DATA BREACHES?
10.1 A data breach occurs when personal information is lost or subjected to unauthorised access, use, modification or disclosure or other misuse or interference.
10.2 We have implemented a data breach response plan to assist us to effectively contain, evaluate and respond to data breaches in order to mitigate potential harm to any persons affected by a data breach.
10.3 In summary, our data breach response plan:
(a) directs our staff as to the steps they should take in the event of an actual or suspected data breach;
(b) appoints a team to handle data breaches;
(c) specifies a strategy for assessing and responding to data breaches;
(d) sets out the process for notifying any affected persons, the Privacy Commissioner and other relevant parties; and
(e) outlines the review process to help prevent data breaches in the future.
10.4 We will generally notify you if we reasonably believe that your personal information has been subjected to a data breach if:
(a) there is a risk of serious harm to you;
(b) notification could enable you to avoid or mitigate serious harm;
(c) the compromised personal information is sensitive or likely to cause humiliation or embarrassment to you; or
(d) we are required to notify you by law.
10.5 We will also notify the Privacy Commissioner if we reasonably believe that your personal information has been subjected to a data breach that is likely to result in serious harm to you.
10.6 Where appropriate, we may also notify other third parties of a data breach.
11. HOW DO YOU MAKE COMPLAINTS OR ACCESS AND CORRECT YOUR PERSONAL OR CREDIT INFORMATION?
11.1 It is important that the information we hold about you is up-to-date. You should contact us if your personal information changes.
Access to information and correcting personal information
11.2 In the case of Contacts –
(b) If you no longer want to be contacted through our services by one of the businesses that engages us, please unsubscribe directly from that business’ mailing list or contact the business directly to update or delete your data. If you contact us directly, we may remove or update your information within a reasonable time and after providing notice to the relevant business of your request.
11.3 In the case of individuals that we collect personal information from other than Contacts:
(a) You may request access to the personal information held by us or ask us for your personal information to be corrected by using the contact details in this section.
(b) We will grant you access to your personal information as soon as possible, subject to the circumstances of the request.
(c) In keeping with our commitment to protect the privacy of personal information, we may not disclose personal information to you without proof of identity.
(d) We may deny access to personal information if:
(i) the request is unreasonable;
(ii) providing access would have an unreasonable impact on the privacy of another person;
(iii) providing access would pose a serious and imminent threat to the life or health of any person; or
(iv) there are other legal grounds to deny the request.
11.4 We may charge a fee for reasonable costs incurred in responding to any access request. The fee (if any) will be disclosed before it is levied.
11.5 If the personal information we hold is not accurate, complete and up-to-date, we will take reasonable steps to correct it so that it is accurate, complete and up-to-date, where it is appropriate to do so.
11.6 If you want to complain about an interference with your privacy, you must follow this process:
(b) In the case of individuals that we collect personal information from other than Contacts:
(i) The complaint must first be made to us in writing, using the contact details in this section. We will have a reasonable time to respond to the complaint.
(ii) If the privacy issue cannot be resolved, you may take your complaint to the Office of the Australian Information Commissioner.
Who to contact
11.7 A person may make a complaint or request to access or correct personal information about them held by us. Such a request must be made in writing to the following address:
Postal Address: 61 Southgate Avenue Cannon Hill QLD 4170
Telephone number: 07 3902 7700
Email address: firstname.lastname@example.org
12. CHANGES TO THE POLICY
12.2 This policy is effective from August 2018. If you have any comments on the policy, please contact our privacy officer using the contact details in section 11 of this policy.