The Zip Group is a globally-orientated manufacturer of instant boiling water heaters throughout the world.
In the process of running a business the Zip Group handles personal information relating to its business and individual clients.
1. Privacy Officer
A Privacy Officer will be appointed by the Board of Zip from time to time to oversee the practices set out in this Policy. The Privacy Officer at the date of this document is Mr Dennis Knighton.
2. Collection of Personal information
The Zip Group collects information from several sources.
Zip collects information on individual clients and on employees and service providers.
Most of Zip Group's relationships are with business clients, however Zip does transact business with individuals. Zip's client records will often include limited information about individuals who are our key client contacts. Our records about these client contacts will generally include contact details, job description, and information about their interest in our products and services.
We also hold information about our employees and service providers. This information is generally limited to normal human resources information such as job applicant details, pay and superannuation records and other internal administrative information.
The Zip Group also sometimes collects personal information from other organisations. In particular, Zip sometimes obtains contact lists that it uses for promotions relating to its business products and services.
3. Use and Disclosure of Information
Personal information collected from individuals, or from other third parties about individuals, should only be used or disclosed for the express purpose for which it was collected or a purpose directly related to that purpose in respect of which the individual may reasonably expect the personal information to be used.
If an employee or agent of Zip is in doubt as to whether the intended use of personal information falls within the above permitted scope, the express consent of the individual concerned must be obtained.
In the event that an employee or agent of Zip considers that disclosure of the personal information is warranted as falling within one of the following circumstances:
(a) to lessen or prevent a serious and imminent threat to an individual's life, health or safety, or a serious threat to public health or public safety;
(b) he or she has reason to suspect that unlawful activity is or may be engaged in;
(c) the disclosure is warranted by law;
(d) the disclosure is reasonably necessary for the prevention, detection, investigation, prosecution or punishment of breaches of the law, or for the protection of public revenue, by an enforcement body; the Privacy Officer should be contacted immediately, before disclosure of the relevant personal information. In the event that the Privacy Officer is satisfied that such personal information should be disclosed, the Privacy Officer shall make the relevant disclosure and must keep detailed written notes of the circumstances of the disclosure.
4. Service Providers
Zip uses a range of service providers to help it maximise the quality and efficiency of its services and its business operations. This means that individuals and organisations outside of the Zip Group will sometimes have access to personal information held by the Zip Group and may use it on behalf of the Zip Group or a member of the Zip Group. We require our service providers to adhere to strict privacy guidelines and not to use this information for any unauthorised purposes.
5. Marketing Communications
Like most businesses, marketing is important to the Zip Group's continued success. We believe we have a unique range of products and services that we provide to customers at a high standard. It is a priority for us to inform people about how we can help them. We therefore like to stay in touch with clients and let them know about new products and services, as well as using contact lists to promote these products and services.
When a customer or prospective customer provides personal information to a member of the Zip Group, we will ask the customer to choose as to whether or not they wish to receive further information about special offers, promotions, and other parts of our business. We shall also send promotional information to other people who are not regular Zip Group clients to introduce them to our business. If a person indicates to us that they do not wish to receive this information, we will not send further communications to them.
Individuals are always welcome to accept or decline communications from Zip. At any time a person may opt-out of receiving communications. If an individual is receiving unwelcome promotional information about the Zip Group, he or she may remove his or her name from our list by contacting our Privacy Officer by writing to 67 Allingham Street, Condell Park New South Wales 2200 or calling (02) 9796 3100 and asking to be removed from our mailing list. Please allow 28 days for this request to be processed.
6. Data Quality
When personal information is collected from an individual directly, it may be assumed that the personal information given by them is accurate, complete and up-to-date. However, if personal information is collected from a third party regarding an individual, the person supplying the personal information should be asked whether such personal information is accurate, complete and up-to-date.
7. Data Security
Information must be protected against misuse, loss and unauthorised access, modification or disclosure. The procedures to be followed in order to protect such information are:
(a) Any password provided to a person for purposes of accessing such information on the Zip Group network or internet must be kept confidential at all times.
(b) Hard copies of documents containing personal or sensitive information must be kept in secure files created for this purpose.
(c) All hard copy or electronic copy documents containing personal information which are no longer required for the purpose for which such information was collected, or for any directly associated purpose or other purpose permitted in accordance with section 3 above, must be destroyed or deleted in full (as relevant unless it needs to keep it for legal reasons).
If an individual wishes to have his or her personal information deleted, he or she is entitled to let us know and we will take all reasonable steps to delete it unless we need to keep it for legal reasons.
Occasionally, information that a person requests to be removed will be retained in certain files in order to resolve disputes or for auditing purposes. In addition, information is never completely removed from our database as due to technical and legal constraints, including stored "back-up" systems.
When providing a copy of this Policy, care must be taken to provide the most up to date Policy available, as changes may be made to this document as required from time to time.
A written memorandum of supply of this Policy is to be kept by the Privacy Officer, recording the date of supply, the date on the version supplied and to whom the Policy was supplied to.
9. Access and Correction
The Privacy Act sets out the rights that an individual has to see any personal information that the Zip Group may have concerning him or her. If an individual would like to:
· see his or her personal information;
· change any inaccurate or out of date personal information;
· have his or her personal information deleted, they should contact us by writing to our Privacy Officer at 67 Allingham Street, Condell Park New South Wales 2200 or calling (02) 9796 3100.
Our file of an individual's information will be made available to an individual within 14 days. In some cases we may need to impose a charge for providing access to personal information to reflect the cost of finding this information and providing it to an individual.
No number assigned to an individual as an identifier by any organisation (for example - a tax file number or any other unique identifying number or sequence) shall be collected, used or disclosed by Zip unless such collection, use or disclosure is necessary to allow Zip to fulfill its obligations to that individual or regarding that individual.
Individuals are to have the option, wherever practicable, of whether or not to identify themselves when dealing with Zip, however where any of the Zip forms require the completion of a name then such name must be collected in order to complete the form satisfactorily.
12. Transborder Dataflows
Notwithstanding the guidelines set out in point 3 above, no person is to provide personal information regarding an individual to any person not located in Australia without first consulting the Privacy Officer. The Privacy Officer will then assess whether or not there is cause for such disclosure having regard to the provisions of the Privacy Act.
13. Sensitive Information
The Privacy Act sets out separate rules for the collection of sensitive information, as opposed to personal information.
No person is permitted to collect sensitive information regarding an individual unless that individual consents to the collection, or the collection of such information is required by law, or to prevent or lessen a serious and imminent threat to the life or health of any individual.
In the event that an individual considers that disclosure of sensitive information is warranted, the Privacy Officer should be contacted immediately, before disclosure of the relevant sensitive information. In the event that the Privacy Officer is satisfied that such sensitive information should be disclosed, the Privacy Officer shall make the relevant disclosure and must keep detailed written notes of the circumstances of the disclosure.
14. Application of the Privacy Act to Personal Information already collected by Zip
The new privacy regime that commenced on 21 December 2001 requires Zip to comply with all ten of the National Privacy Principles whenever Zip collects, uses and discloses personal information from that date onwards.
However some principles apply to all information Zip holds, regardless of whether Zip collected it before 21 December. In short:
· Zip must keep all personal information accurate and up to date, to the extent that it is using it
· Zip must keep all of personal information secure
· Zip must allow an individual access to all of the personal information about them which is in use
· Zip must explain its practices relating to all of the information which it has about individuals.
What parts of the Privacy Act do not apply to information which Zip has already collected?
The Privacy Act requirements about how Zip collects, how Zip uses and to whom Zip discloses information do not apply to information which was collected before 21 December 2001. In other words, Zip does not have to go back to a person to check whether it is OK to keep information about them on its systems, and Zip can continue to use it the way Zip always has.
However, if Zip is updating an old record because Zip has ongoing information about the customer, then in effect their record becomes "new" information, collected after 21 December 2001, whenever Zip is updating it. This means that the new provisions of the Privacy Act will apply to that information.
Which parts of the Privacy Act apply to the information we already have?
The standards required by the Privacy Act with respect to the quality and management of the stored personal information often apply regardless of when the information was collected. The specific privacy principles that can apply are as follows:
· Quality: Zip must take reasonable steps to ensure that any personal information Zip uses or discloses is accurate, complete and up-to-date. This does not mean that Zip needs to take active steps to ensure personal information such as postal addresses or phone numbers have not changed. Rather, it means that Zip is obliged to ensure that the information Zip stores does not contain errors or omissions that Zip has identified or which have been notified to Zip.
· Security: Zip must ensure that all information is protected from misuse, loss, and unauthorised access, modification and disclosure. This includes taking reasonable steps to destroy or permanently de-identify information which is no longer needed for any purpose. This involves looking at how Zip stores personal information, whether Zip needs to retain or whether Zip should destroy it, and what security measures are in place.
· Access and correction: Zip is obliged to provide individuals with access to their personal information if it is in use, even if collected before December 2001. This includes an obligation to correct that information where the individual can demonstrate that the information is erroneous. This obligation does not extend to information which is not in use. Zip does not have to provide access in all circumstances, and Zip is not obliged to provide access to information where it would place unreasonable administrative burdens on the organisation or cause it unreasonable expense.