MEGT is committed to protecting privacy and will manage personal information in an open and transparent way. MEGT will fulfil its obligations under the Privacy Act 1988 incorporating the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) by complying with the Australian Privacy Principles (APPs). These 13 principles detail how organisations should collect, update, use, keep secure or where necessary disclose and give access to personal information, as well as how complaints should be handled and how, in some circumstances, anonymity can be maintained.
This policy applies to all MEGT employees, contractors, customers, direct and third-party suppliers. It applies to the collection, updating, use, storage, disclosure and access to personal and sensitive information that can be recorded in any format including, but not limited to, information held in writing, online, digitally or by electronic means, including mobile phones and USB sticks.
3.1 Personal Information means: information or an opinion about an identified individual, or an individual who is reasonably identifiable:
1) whether the information or opinion is true or not; and
2) whether the information or opinion is recorded in a material form or not.
3.2 Sensitive Information means: information or an opinion about an individual’s:
1) racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; or criminal record; that is also personal information; or
2) health information about an individual; or
3) genetic information about an individual that is not otherwise health information; or
4) biometric information that is to be used for the purpose of automated biometric verification or biometric identification;or
5) biometric templates.
Information collected and held by MEGT could include name, current and previous address, telephone number(s), driver licence number, bank account details, Tax File Number, date of birth, diversity status, and relevant sensitive information, as well as your details obtained when trading with us e.g. numbers, financial and business details (suppliers’ and customers’) information. MEGT will:
4.1.1 where reasonable and practicable to do so, collect personal information about an individual from that individual
4.1.2 ensure that individuals are aware that, in some circumstances, information may be provided anonymously or by using a pseudonym unless (a) MEGT is required by law, to deal with individuals who have identified themselves or (b) it is impractical for MEGT to deal with individuals who have not identified themselves or who have used a pseudonym
4.1.3 not collect, update, use, store or disclose personal, health or business information to another party without written consent from an individual or business
4.1.4 only collect personal information that is necessary for its functions or activities
4.1.5 only collect information by lawful and fair means
4.1.6 take reasonable steps when, or as soon as practicable after, collecting personal information, to ensure that the individual party/s are aware of: a) MEGT’s identity and contact details b) how to access their information c) how to update or correct their information d) the purpose for which their information is collected e) the types of entities and, where relevant, the countries to which MEGT usually discloses information f) any law that requires the particular information to be collected g) the main consequences (if any) for the individual, party/s concerned if all or part of the information is not provided and i) how to complain about a breach of the Australian Privacy Principles.
4.1.7 if personal information is collected from someone other than the individual, take reasonable steps to ensure that the individual is made aware of the matters listed above except to the extent that this would pose a serious threat to the life or health of any individual
4.2 If you fail to provide personal information
4.3 Where our information comes from
MEGT collects personal information in a number of ways:
4.3.1 directly from you when you apply to us for employment as part of our recruitment process, or training services, or on an application form for training or services
4.3.2 from freely available “public domain” information sources e.g. telephone directories
4.3.3 from our own records of how and when you use our various services
4.3.4 from third parties, such as our agents, previous employers or organisations you have dealt with in the past and volunteered by you as a reference for the purposes of employment or credit checks.
4.4 Unsolicited information
If MEGT receives unsolicited personal information, we will, within a reasonable period:
1) determine whether or not the information could have been collected by lawful and fair means and apply the Australian Privacy Principles
2) determine if we could not have collected the personal information, and the information is not contained in a Commonwealth record, and only if lawful and reasonable to do so, destroy the information or ensure the information is de-identified.
4.5 Use and disclosure
4.5.1 Information use MEGT will only use information to:
1) provide the service(s) you have requested.
2) manage those services in order to provide the optimum level of service
3) conduct appropriate credit, police and/or “Working with Children” checks, and pre-employment checks e.g. reference checking or pre-employment medical advice
4) advise you of other services that MEGT provides, that may be of interest to you.
4.5.2 Information disclosure
18.104.22.168 MEGT will only disclose information about you to ‘others’ in a manner consistent with this policy or where required by law. ‘Others’ may include:
1) your authorised representative or legal advisors
2) banks or credit providers
3) government and statutory authorities
4) MEGT’s Privacy Officer / General Manager People and Safety who believes that use of the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
22.214.171.124 MEGT will only disclose personal information for a purpose (the secondary purpose) other than the primary purpose of collection if:
1) the individual has consented to the disclosure of the information or
2) the individual would reasonably expect the information to be disclosed for the secondary purpose and
3) it is directly related to the primary purpose or
4) the information is required or authorised under law or
5) a permitted general or health situation exists or
6) MEGT believes that the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
4.5.3 Record of disclosure & de-identification
If MEGT discloses personal information under the previous paragraph it will make a written note of this and will take reasonable steps to ensure that the information in de-identified before disclosure.
Use and disclosure of personal information does not apply for the purposes of direct marketing or the use of government related identifiers.
4.6 Direct marketing
4.6.1 MEGT may use or disclose personal information (other than sensitive information) about an individual for the purposes of direct marketing if, when you are not an EU resident:
a) MEGT collected the personal information from the individual and the individual would reasonably expect MEGT to use or disclose the information for that purpose or
b) MEGT collected the information from someone other than the individual and either (i) the individual has consented to the use or disclosure of the information for that purpose or (ii) it is impracticable to obtain that consent
c) MEGT may use personal contact details for the purposes of direct marketing if:
1) MEGT is a contracted service provider for a Commonwealth contract and
2) MEGT collected the information for the purpose of (directly or indirectly) meeting an obligation under the contract and
3) The use is necessary to (directly or indirectly) meet such an obligation.
d) For any of the above situations, MEGT will:
1) provide a simple means by which the individual may easily request not to receive direct marketing communications from MEGT and
2) will make reasonable efforts to ensure no further direct marketing is sent to those contact details.
4.6.2 MEGT may use or disclose personal information (other than sensitive information) about an individual for the purposes of direct marketing if, when you are a resident of the EU or the UK (or otherwise benefit from such rights by application of the EU General Data Protection Regulation), you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
4.6.4 MEGT will make all reasonable efforts to remove the individual’s contact and personal details if the individual communicates this request the response point to the origin of the direct marketing, or through any other MEGT corporate communication media.
4.6.5 If MEGT uses personal information about an individual for the purpose of direct marketing by MEGT or to facilitate direct marketing by other organisations the individual may:
1) request not to receive direct marketing communications from MEGT
2) request MEGT not to use or disclose the information for the purpose of direct marketing by other organisations
3) request MEGT to provide its source regarding this information
4.6.6 When a request from 4.6.5 is received MEGT will:
1) not charge the individual for the making of, or to give effect to, the request to remove their details from future direct marketing and
2) make every reasonable effort to give effect to such a request within a reasonable period after the request is made and
3) if the request is to provide the information source, MEGT must notify the individual of its source unless it is impracticable or unreasonable to do so.
4.6.7 Any direct marketing conducted by MEGT will comply with:
1) the Do Not Call Register Act 2006
2) the Spam Act 2003
3) any other Act of the Commonwealth, or a Norfolk Island enactment, prescribed by the regulations.
4.7 Online Advertising and Remarketing
MEGT uses the following features markets via third-party providers it may for the purposes of promoting its services:
- Interest categories
- Similar audiences
- Interest-based advertising
- Demographic and location targeting
4.7.1 In conducting the above activity MEGT will not:
a) collect personally identifiable information (PII) including, but not limited to, email addresses, telephone numbers, and credit card numbers
b) use or associate personally identifiable information with remarketing lists, cookies, data feeds, or other anonymous identifiers
c) use or associate targeting information, such as demographics or location, with any personally identifiable information collected from the ad or its landing page
d) share any personally identifiable information with third parties through our remarketing tag or any product data feeds which might be associated with our third-party ads
e) send third parties precise location information without obtaining people’s consent.
4.7.2 MEGT will abide by the policy for sensitive categories outlined below.
a) When creating a remarketing list, we will not use any sensitive information about our site or app visitors, whether collected directly or associated with a visitor, based on the visitor’s profile or behavior on our site or app
b) Ad content will not imply knowledge of personally identifiable or sensitive information.
4.8 Data quality MEGT will:
4.8.1 take reasonable steps to ensure that the personal information we collect, use and where appropriate disclose to others is accurate, complete, and up to date, having regard to the purpose for which the information is held
4.8.2 if requested by the individual, take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading
4.8.3 take reasonable steps to give notification, unless it is impracticable or unlawful, when correcting personal information about an individual that MEGT has previously disclosed to another organisation also responded to the Australian Privacy Principles, and if the individual requests MEGT to do so
4.8.4 give the individual a written notice if MEGT refuses to correct the personal information, as requested by the individual, setting out:
1) the reasons for the refusal except when it would be unreasonable to do so and
2) the mechanisms available to complain about the refusal and
3) any other matter prescribed by the regulations.
4.8.5 if the individual and MEGT disagree about whether the information is inaccurate, incomplete, out of date, irrelevant or misleading, and the individual asks MEGT to associate with the information a statement that the information is inaccurate, incomplete, out of date, irrelevant or misleading, MEGT will take such steps as are reasonable to associate the statement in such a way that will make the statement apparent to users of the information.
4.9 Data security
4.9.1 take reasonable steps to ensure the information held is protected from misuse, interference and loss as well as from unauthorised access, modification or disclosure. Access will be given to authorised personnel only, and only where MEGT believes they reasonably need contact with that information to provide products or services or in order to do their jobs
4.9.2 have physical, electronic, and procedural safeguards in place that comply with federal regulations to protect personal and business information about you
4.9.3 take reasonable steps to destroy or permanently de-identify personal information if it is no longer required, is not contained in a Commonwealth record, and MEGT is not required by law, or to retain.
4.10.3 On request MEGT will take reasonable steps to let a person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses, updates and discloses that information about a person.
4.11 Information access and correction
4.11.1 You have the right to access any information held by MEGT about you, subject to some restrictions listed in Federal Government legislation including but not limited to:
1) providing access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
2) providing access would have an unreasonable impact upon the privacy of other individuals
3) the request for access is frivolous or vexatious
4) the information relates to existing or anticipated legal proceedings between MEGT and the individual, and would not be accessible by the process of discovery in those proceedings
5) providing access would reveal the intentions of MEGT in relation to negotiations with the individual in such a way as to prejudice those negotiations
6) providing or denying access would be unlawful
7) MEGT has reason to suspect unlawful activity, or misconduct of a serious nature has been, is being, or may be engaged in
8) providing access would be likely to prejudice the taking of appropriate action in the matter
9) providing access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body
4.11.2 If providing access would reveal evaluative information generated within MEGT in connection with a commercially sensitive decision-making process, MEGT may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
4.11.3 If MEGT is not required to provide the individual with access to the information because of one or more of the above-stated reasons, MEGT will where reasonable, give access in a way that meets the needs of both MEGT and the individual, including through the use of a mutually agreed intermediary.
4.12 Government related identifiers
4.12.1 MEGT will not adopt a government related identifier of an individual as its own identifier of the individual unless:
1) required or authorised under law or
2) the identifier is prescribed by regulations and
3) MEGT itself is prescribed by regulations, or is included in a class of organisations prescribed by regulations and
4) the adoption, use or disclosure occurs in the circumstances prescribed by those regulations.
4.12.2 MEGT will not use or disclose a government related identifier of an individual unless:
1) the use or disclosure of the identifier is reasonably necessary to verify the identity of the individual for the purposes of our activities or functions or
2) the use or disclosure of the identifier is reasonably necessary to fulfil MEGT’s obligations to a government agency of State or Territory authority or
3) the use or disclosure of the identifier is required by law or
4) a permitted general situation exists in relation to the use or disclosure of the identifier or
5) MEGT believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Wherever it is lawful and practicable, individuals will have the option of not identifying themselves, or of using a pseudonym, when dealing with MEGT, except:
4.13.1 when MEGT is required by law to deal with individuals who have identified themselves or
4.13.2 where it is impracticable for MEGT to deal with individuals who have not identified themselves or who have used a pseudonym.
4.14 Cross-border disclosure
MEGT will only transfer personal information about an individual to an overseas recipient (other than within our organisation or to the individual) if:
1) MEGT has taken reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information or
2) MEGT reasonably believes that the recipient of the information is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to the Australian Privacy Principles, and
3) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme or
4) the individual consents to the disclosure, in which case
5) MEGT will expressly inform the individual that if he or she consents to the disclosure of the information, we will not take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information however we will then re-check that the individual still consents to the disclosure
6) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order or
7) a permitted general situation exists in relation to the disclosure of the information by MEGT
8) the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party or
9) MEGT reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body and
10) the recipient is a body that performs the functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.
4.15 Sensitive information
MEGT will not collect sensitive information about an individual unless:
1) the individual has consented to the collection of the information and
2) the information is reasonably necessary for one or more of MEGT functions or activities and
3) the information relates solely to individuals who have regular contact with MEGT or
4) the collection of the information is required by law or a. a permitted general or health situation exists in relation to the collection of the information
4.16 Requests for information
4.16.1 MEGT will not disclose any personal information without first establishing the identity of the person requesting the information.
4.16.2 If access to personal information held by MEGT is required, a written request specifying the information sought may be made to an individual’s usual contact at MEGT or the Privacy Officer / General Manager People and Safety. Adequate identification by or authority from an individual must be supplied to MEGT before any personal information will be provided
4.16.3 The nature and the timing of any access will be agreed between MEGT and the individual, usually within five business days of receiving a request. If this cannot be complied with MEGT will advise within this period when access will be provided.
4.16.4 MEGT may charge a reasonable fee for providing access to personal information, (but not for lodging a request for access).
4.16.5 If MEGT refuses access it will provide written notice to the individual which sets out:
(a) the reasons for the refusal except, having regard to the grounds for the refusal, it would be unreasonable to do so
(b) the mechanisms available to complain about the refusal, and
(c) any other matter prescribed by the regulations.
4.17.1 Any complaint by an individual regarding MEGT’s management or handling of personal or sensitive information:
1) should be directed to MEGT’s Privacy Officer PO Box 4069 Ringwood Vic 3134 or via email at email@example.com
2) should be made in writing, detailing the personal information involved and the contact or process that is the subject of the complaint.
3) will be acknowledged within three (3) working days of receipt by the MEGT Privacy Officer. Contact details of the individual dealing with the complaint and/or the Privacy Officer will also be advised to the individual making the complaint at this time.
4) will be responded to within fifteen (15) working days. If this is not possible the individual will be advised as to when MEGT expects to be able to respond.
4.17.2 If MEGT’s response does not resolve the complaint MEGT and the individual will, in good faith, promptly agree to a process and time frame for dealing with the complaint.
5. EU AND UK DATA PROTECTION
This section only applies to you if you are a resident of the EU or the UK (or otherwise benefit from such rights by application of the EU General Data Protection Regulation). For the purposes of this section "personal information" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
5.1 Use and disclosure
5.1.1 For the purposes of this section, to "process" personal information means to perform any operation on personal information, whether or not by automated means, such as collecting, recording, organizing, storing, adapting, using, disclosing, combining, erasing or destroying.
1) Performance of a contract: Where we need to perform the contract we have entered into with you.
2) Legitimate interest: Where it falls within the scope of our legitimate interests and your fundamental rights do not override those interests.
3) Legal or regulatory obligation: Where we need to comply with a legal or regulatory obligation.
4) Consent: From time to time, we may ask for your consent to use your information for certain specific reasons. You may withdraw your consent at any time by contacting us using the information provided below.
5.1.3 We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
5.1.4 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5.2 Certain Data Protection Rights
You have the right to:
5.2.1 request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
5.2.2 request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
5.2.3 request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
5.2.4 object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
5.2.5 request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios: 1) if you want us to establish the information's accuracy; 2) where our use of the information is unlawful but you do not want us to erase it; 3) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or 4) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.
5.2.6 request the transfer of your personal information to you or to a third party (commonly known as a "right to portability"). We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
5.3 Information Retention
We will retain your personal information for the period necessary to fulfill the purposes for which you we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if permitted at law. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements
5.4 Data Transfers
Outside of the EU or UK We are based in Australia which means our interaction with your or the nature of our business involves transferring your personal information outside the EEA or UK. Whenever we transfer your personal information out of the EEA or UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
5.4.1 European Commission Standard Contractual Clauses: We may use specific contracts approved by the European Commission which give personal information the same protection it has in Europe.
5.4.2 Privacy Shield. Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal information shared between the Europe and the US. For additional information on the mechanisms used to protect your personal information, please contact us at firstname.lastname@example.org.
5.5 Data Controller
For the purposes of EU data protection law we are the data controller responsible for the personal information processed. Please direct inquiries regarding EU or UK data protection to email@example.com or: PO Box 4069 Ringwood, Vic, Australia 3134 5. RESPONSIBILITIES
5.1 Privacy Officer / General Manager People and Safety
The responsibilities of the Privacy Officer will include:
1) investigating any complaints raised with respect to privacy of a person’s information
2) reviewing the organisation’s practices and procedures to ensure compliance with this policy and current legislation
3) reviewing this policy and advising on the education of management and staff of their responsibilities under this policy and providing information on the Privacy and Health Records Acts.
All Managers are to “lead by example” and comply fully with this policy. A Manager’s responsibility extends to the implementation of the policy and ensuring that employees, contractors, suppliers and customers with whom they interact understand their obligations and are aware of the policy.
6. BREACH OF POLICY
A breach of MEGT’s policies may have unintended and harmful consequences. Breaches of this policy may lead to disciplinary action being taken, including dismissal in serious cases.
This policy is available on the MEGT intranet site and website. 8. REVIEW This policy will be reviewed every two years or sooner if requested by management.
The contents of this website are intended for informational purposes only. MEGT (Australia) Ltd shall in no event accept any liability for loss or damage suffered by any person or body due to information provided on this site or linked sites. MEGT (Australia) Ltd recommends that users exercise their own skill and care with respect to their use of this web site and that users carefully evaluate the relevance and the accuracy of the material on the web site for their purposes. MEGT (Australia) Ltd monitors the quality of information used and updates the information regularly. This website is not a substitute for independent professional advice and users should obtain any appropriate professional advice relevant to their particular circumstances.