1. What do we do?
Riverside Marine is committed to the protection of personal information in a manner consistent with the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs).
2. Why is it important?
The Policy is intended to provide information on the following:
- What information is collected by Riverside Marine
- How Riverside Marine collects and holds personal information
- How Riverside Marine uses personal information
- How Riverside Marine handles data breaches that include personal information
- Riverside Marine’s treatment of the APPs’ requirements
The Policy also informs individuals how they may access their personal information collected by Riverside Marine and request corrections if necessary. The Policy also advises how individuals may lodge complaints regarding Riverside Marine’s conduct with personal information.
3. What and who does this apply to?
This Policy applies to personal information collected by Riverside Marine. The requirements under this policy apply to all employees and contractors employed (past or present) or engaged by Riverside Marine. Personal information is defined in the Privacy Act as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.
3.2 What information is collected?
Riverside Marine only collects personal information with consent, where the information is reasonably necessary for, or directly related to, one or more of Riverside Marine’s functions or activities. Examples include names, addresses, phone numbers, email addresses, other contact details, employment history, educational qualifications, procurement records, consultancy records, committee membership details, bank account details, superannuation details, creditor and debtor information, recruitment records and personnel records. This information is subject to the Privacy Act and Riverside Marine treats such information in a manner consistent with that Act.
3.3 What is the process for holding information?
When seeking personal information, Riverside Marine informs the individual of the purpose for collecting the information, Riverside Marine’s requirements to access the information, how the information will be stored, the ramifications if Riverside Marine fails to collect the information and whether the information is required under Australian law. Riverside Marine will not collect and process information without an individual’s express and fully informed consent. Personal information will only be collected where it is necessary and for a legitimate purpose. Riverside Marine will destroy or de-identify information that is no longer needed, unless retention is required under an Australian law.
If Riverside Marine receives unsolicited personal information, Riverside Marine will determine whether that information could have been collected in accordance with the APPs. If Riverside Marine determines that the information could not have been obtained in accordance with the APPs, Riverside Marine will consider whether it is obliged to retain that information. If not, Riverside Marine will destroy the information or ensure that the information is de-identified if it is lawful and reasonable to do so.
Riverside Marine uses an electronic records management system for storing its information, including personal information. Hard copies that are required to be held will be subject to physical security and restricted access.
3.4 How do we use personal information?
Riverside Marine uses personal information to undertake a range of business-related activities. These activities are administrative in nature and can be grouped into two categories:
- Personnel files: Riverside Marine collects and uses personnel files in order to carry out the functions necessary as an employer. Personal information in these files may include applications for employment; terms of employment; records relating to employees’ salary, benefits and leave; medical certificates or health-related information; any criminal records; contact details; taxation details and superannuation contributions.
- Corporate information: Riverside Marine collects and uses corporate information that may contain information relating to a person in their corporate capacity. Examples of such information include contact details and job titles. Corporate information does not meet the definition of personal information under the Privacy Act. Riverside Marine treats such information as commercial-in-confidence if it is appropriate to do so.
3.5 Who is personal information disclosed to?
Riverside Marine discloses personal information to other organisations or government agencies only with the individual’s consent, or where required by law.
3.6 How accurate and secure is held information?
Riverside Marine will take reasonable steps to ensure that personal information held by Riverside Marine is accurate, current, complete and relevant. Riverside Marine will also ensure that personal information is reasonably protected from misuse, interference, loss and from unauthorised access, modification or disclosure through a range of physical and electronic security measures including restricted physical access to Riverside Marine’s premises, security firewalls and computer user identifiers and passwords.
3.7 How can I access my personal information?
Individuals can request access to their personal information held by Riverside Marine. They can also request Riverside Marine to correct their personal information if it is incorrect. Riverside Marine provides individuals with rights regarding their personal information that are beyond the scope of the Privacy Act. These expanded rights are consistent with the EU General Data Protection Regulation and include the right to be informed, the right to request erasure of information in certain circumstances and the right to object to the processing of data. To contact Riverside Marine regarding any privacy inquiry or complaint, or to request access to your personal information, please contact Riverside Marine Legal Counsel on +61 7 3852 0900 or write to PO Box 2399, Fortitude Valley BC, QLD, 4006.
3.8 What happens if there is a privacy or data breach?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme imposes an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. In this context, serious harm refers to serious physical, psychological, emotional, financial or reputational harm to an individual or individuals.
Riverside Marine will manage all data breaches in accordance with the NDB. Figure 1 illustrates Riverside Marine’s process for managing NDB. If any suspected or known data breach occurs, the Business Unit Privacy Officer will initially respond and work with the affected area to contain further access or disclosure of the data. The Privacy Officer will then work with the Legal Counsel to determine whether serious harm is likely from the suspected or known breach. If serious harm is likely from the data breach, Riverside Marine will immediately notify the affected individuals to advise that a suspected or known data breach has occurred which includes their personal information, and actions are being undertaken to limit or mitigate the harm as much as possible. Riverside Marine will also prepare a statement to the OAIC via the NDB Statement – Form (available from www.oaic.gov.au) notifying the following to the OAIC:
- Riverside Marine’s identity and its contact details
- A description of the breach and actions being undertaken to limit the breach
- The type of information concerned
- Recommended steps for the affected individual
Riverside Marine will then work with the OAIC on any recommendations or directions from the OAIC relating to the breach.
Riverside Marine will review the incident to determine possible causes of the breach and revise its internal policies and/or procedures to prevent reoccurrence. Possible actions will include updating policies and procedures relating to records management, updating Riverside Marine’s Agency Security Plan and additional staff training on privacy.
3.9 What principles apply?
The Australian Privacy Principles (APPs) were released by the OAIC and came into effect on 12 March 2014. The APPs include 13 principles that outline how Australian organisations should handle, use and manage personal information.