At any time, you may withdraw consent to the continued use of your personal information, subject to legal and contractual restrictions. Please note that where you withdraw your consent, we will no longer be able to provide you with the products or services that rely on having your consent.
2 What is personal information?
Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not. Some common examples of the types of personal information include name, phone number(s), postal address and email address.
Sensitive information is a subset of Personal Information that is afforded higher levels of protection under the Privacy Act. Sensitive information means information or an opinion about an individual’s racial or ethnic origin, political opinions or memberships, religious beliefs or affiliations, philosophical beliefs, sexual orientation, criminal record, health information, genetic information or membership of a trade union.
Our general approach is not to collect, use or disclose sensitive information. However, in limited circumstances, we will collect sensitive information where it is reasonably necessary for one of our functions or activities and you have consented to the collection of that information or where the information or opinion is authorised or required by law. For example, should you apply for a job with us, and depending on the position applied for, we may be required to collect sensitive information about you, including any previous criminal convictions.
Sensitive information will be used by us only:
- For the primary purpose for which it was obtained;
- For a secondary purpose that is directly related to the primary purpose;
- With your consent; or
- Where required or authorised by law.
3 What types of personal information do we collect?
We will only collect Personal Information if it is reasonably necessary for, or directly related to, one or more of our functions or activities. The type of personal information we collect from you depends on your interaction with us.
We collect personal information from:
- Shareholders: Information collected may include contact details, shareholding details, banking details and tax file numbers.
- Job applicants: We collect Personal Information of job applicants for the primary purpose of assessing their suitability for employment. Such information collected may include name, contact details, employment history and qualifications, the names of any referees and any other information that they might submit in their job application. We may also carry out screening checks (including reference, background, directorship, financial probity, identity, eligibility to work, vocational suitability and criminal record checks).
- Employees: We collect, use and disclose Personal Information about our employees in order to perform our obligations as an employer and as required by law, including health information (for example, if you suffer from allergies).
- Suppliers and contractors: We may collect Personal Information about contractors, vendors and suppliers who provide services to us for the primary purpose of assessing, accrediting and engaging their services or expertise and for other purposes where legally required. The information we collect is for business-related purposes but may contain some limited personal information and the contact details of the people that we deal with.
- Clients: We may collect Personal Information from our clients to deliver products or services to our clients. The information we collect is for business-related purposes but may contain some limited Personal Information and the contact details of the people that we deal with.
- Visitors: All visitors attending our secure facility must check in at reception, recording all relevant details of their visit, including their name, contact details, the organisation they represent, car registration, times of visit, purpose of visit, whom they are visiting, and signed visitor agreement. Other questions we may ask include if you have a fever or a cold or flu-like illness, or if you have been to an identified exposure site in Western Australia (see locations visited by confirmed COVID-19 cases).
We also collect Personal Information from people who correspond with us, including through our website, in which case we may keep a copy of that correspondence and relevant contact details, and from people who request information updates about us through our website mailing list.
If you access our secure facility, or a room at our secure facility that requires you to swipe your identification card to gain entry, we may collect and use that information to keep an auditable record of who has had access to our facility for safety and security purposes.
4 Information collected via our website
We also share information about your use of our website with our social media, advertising and analytics partners who may combine it with other information that you have provided to them or that they have collected from your use of their services.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently to improve the user experience, as well as to provide certain information to the owners of the website.
The law states that we can store cookies on your device if they are strictly necessary for the operation of this website. For all other types of cookies, we need your permission.
This website uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
We may for example collect information about the type of device, the operating system, the screen resolution, the browser type, the IP address, the date and time, the title of the page being viewed, the URL of the page being viewed, the URL of the page that was viewed prior to the current page, the files that were clicked on and downloaded, the links clicked on to an outside domain.
Our website may contain links to other websites of third parties. These links are meant for your convenience only. We are not responsible for the privacy practices or policies of those websites.
5 How we collect Personal Information
We aim to collect your personal information directly from you when you correspond or register your details with us, through our website, during interviews, meetings and telephone calls with you, and when you enter into arrangements with us or provide feedback to us.
Where relevant, we will collect personal information about you from publicly available sources (such as other websites) or from third parties, such as:
- our share registrar for information regarding shareholders;
- referees or employment agencies for information regarding job applicants; and
- our related entities.
6 How we use your personal information
We use and disclose your Personal Information that we collect (and share it with related companies) for various reasons, including:
- for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use;
- for marketing purposes so we can send information we believe may be relevant to you based on your demographic information or stated preferences (you may unsubscribe from our mailing/marketing lists at any time by contacting us in writing);
- complying with our legal and regulatory obligations that we must discharge as required by applicable data privacy laws;
- protecting and/or enforcing our legal rights and interests, including defending any claim, or for any other purpose authorised by you or by applicable data privacy laws;
- responding to communications from you, including a complaint;
- providing services and products to you;
- improving the services and products that we provide to you;
- billing and collecting money that you owe us;
- enabling third party service providers to provide us and our related companies with services;
- recruiting and assessing potential employees;
- maintaining and updating our records; or
- as otherwise permitted or required by law.
7 Disclosing your personal information
We will only use or disclose your Personal Information for the purpose for which it was collected (known as the “primary purpose”), another purpose related to the primary purpose where you would reasonably expect it to be used or disclosed for such a related purpose (known as the “secondary purpose”), with your consent or as otherwise allowed under the Privacy Act.
In regard to Sensitive Information (which includes your health information), we will only ever use or disclose your Sensitive Information with your consent, for the primary purpose for which it was collected or for another purpose directly related to the primary purpose where you would reasonably expect it to be used or disclosed for such a directly related purpose.
We will use and disclose your Personal Information for the purpose for which it was collected (known as the “primary purpose”) as well as for a purpose related to the primary purpose, where you would reasonably expect it to be used or disclosed for such a related purpose (known as the “secondary purpose”).
We will also disclose your Personal Information when:
- you consent to the disclosure; or
- the disclosure is required or authorised by law.
To the extent permitted by law, we may also disclose information about you to third parties, including:
- our related companies;
- service providers and professional advisors including IT service providers, auditors, legal advisors, mail-house providers, debt collectors, and share registrar management services;
- financial institutions; and
- government agencies as part of our statutory obligations.
8 Security of your personal information
We hold Personal Information electronically and, in some cases, in hard copy form. We take all reasonable steps to ensure that the personal information that we hold is protected from loss, misuse and unauthorised access by ensuring that this information is stored in access-controlled facilities, or in electronic databases requiring login and passwords.
We take steps to ensure that our service providers are obliged to protect the privacy and security of personal information and use it only for the purpose for which it is disclosed, and we require our third-party data storage providers to comply with appropriate information security industry standards.
We securely store and process Personal Information in Australia. Although we may utilise remote (cloud-based) servers located overseas, such data will be encrypted to prevent access by third parties.
When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the Personal Information is or will be stored for a minimum of 5 years so that we can respond to queries or concerns you may have about your past interactions with us, including any products you have purchased from us.
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
9 International transfer of data
We may disclose Personal Information we have collected to organisations located overseas, for example when necessary for making international payments, or in complying with foreign legal or regulatory requirements. If we transfer your information outside your country or the country from which the data was provided, we will take steps to ensure that your privacy rights continue to be protected.
10 Access and correction of your personal information
You may request access to your personal information held by us, or request that it be corrected, by contacting us at the address below. For security purposes, details of your Personal Information will be passed on to you only if we are satisfied that the information relates to you.
We may refuse to provide access where we have legitimate reasons for doing so under applicable data privacy laws, and in exceptional circumstances may charge a fee for access if the relevant legislation allows us to do so, in which case we will provide written reasons for our decision.
In addition to requesting access to the personal information we hold about you, or updating/correcting your details, you may also request that we:
- erase your Personal Information;
- restrict processing of your Personal Information; and
- provide your Personal Information in a structured, commonly used and machine-readable format.
It is important to us that your Personal Information is up to date. We will take reasonable steps to make sure that your Personal Information is accurate, complete and up to date. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you. There is no fee for doing this.
We are not obliged to correct any Personal Information if we do not agree that it requires correction. If we refuse such a request, we will provide you with a written notice stating our reasons.
11 Direct Marketing
As for most businesses, marketing is important to our continued success and viability. We may use Personal Information we hold about you, from time to time, to send marketing materials to current or prospective customers. Generally, we only do so where you consent or as allowed by applicable laws. Our communications to you may be sent in various forms such as by post or by electronic means (including e-mail and SMS).
If you wish to cease receiving this marketing information, please contact us directly on the contact details listed at the end of this Policy asking to be removed from our mailing lists or use the “unsubscribe” or “update your preferences” facilities included in all our marketing communications.
We will never use sensitive information for direct marketing purposes.
12 Prospective Employees
We collect Personal Information in relation to prospective employees as part of their application. We may collect Personal Information from the individual and from third parties such as recruitment agencies, previous employers, referees, other publicly available sources and from other employees.
If you send us an application to be considered for an advertised position (or unsolicited), this information will be used to assess your application or suitability for employment with us. This information may be disclosed to our related bodies corporate and service providers for purposes such as aptitude and psychological testing or other human resources management activities.
As part of the application process, you may be asked for your specific consent to the use and disclosure of certain Personal Information about pre-employment testing. We may also ask you to consent to the disclosure of your Personal Information to those people who you nominated to provide references. A refusal to provide any of this information, or to consent to its proposed disclosure, may affect the success of the application.
- either a current or former employment relationship between us and the individual; and
- an employee record held by us relating to the individual.
For information about our practices relating to employee records, please contact us by using the contact details listed at the end of this Policy.
13 Notifiable Data Breaches
A notifiable data breach scheme is currently in place in Australia. We are committed to adhering to this scheme as an important step in preventing and managing serious privacy breaches.
A “data breach” means unauthorised access to, or disclosure, alteration, loss, or destruction of, Personal Information or an action that prevents us from accessing Personal Information on either a temporary or permanent basis.
An “eligible data breach”, in accordance with the Privacy Act, occurs when there is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates and we are unable to prevent the likely risk of serious harm with remedial action.
We, including all our people, take breaches of privacy very seriously. If we suspect a privacy breach has occurred, our priority is to contain and assess the suspected breach. In doing so, we will:
- take any necessary immediate action to contain the breach and reduce the risk of harm;
- determine the cause and extent of the breach;
- consider the types of information involved, including whether the personal information is sensitive in nature;
- analyse the nature of the harm that may be caused to affected individuals;
- consider the person or body that has obtained or may obtain personal information as a result of the breach (if known); and
- determine whether the Personal Information is protected by a security measure.
If we believe an eligible data breach has occurred, we will, as soon as practicable, notify the Commissioner and all affected individuals or, if it is not possible to notify affected individuals, provide public notice of the breach (in a manner that protects the identity of affected individuals).
14 General Data Protection Regulation
We welcome the General Data Protection Regulation (“EU GDPR”) as an important step forward in encouraging high standards of personal data security.
Australian businesses of any size may need to comply if they have an establishment in the European Union (“EU”), if they offer goods and services in the EU (irrespective of whether a payment is required), or if they monitor the behaviour of individuals in the EU (where that behaviour takes place in the EU).
Under the EU GDPR, we may have some additional obligations with respect to the “personal data” collected from residents of the EU as a data importer.
The meaning of personal data is similar to Personal Information; however, it is broader as it includes any information relating to an identified or identifiable natural person.
Where required, we will take appropriate steps to ensure that the personal data of EU residents is:
- processed lawfully, fairly and in a transparent manner;
- collected for legitimate purposes;
- accurate and up to date;
- kept for no longer than is necessary for the purposes for which it was collected; and
- secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We will comply with all obligations imposed on data importers under the EU GDPR with respect to the personal data of EU residents, including the EU GDPR Standard Contractual Clauses, to the extent that they may apply to us and our relationships with third parties.
The Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications (“ePrivacy Directive”) was passed in 2002 and amended in 2009. It supplements (and in some cases, overrides) the EU GDPR, addressing crucial aspects of the confidentiality of electronic communications and the tracking of Internet users more broadly. In order to comply with regulations governing cookies under the EU GDPR and the ePrivacy Directive, we must:
- Receive users’ consent before we use any cookies except strictly necessary cookies;
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received;
- Document and store consent received from users;
- Allow users to access our service even if they refuse to allow the use of certain cookies; and
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
EU residents have the right to access personal data we hold about them and to request that personal data be corrected, updated, deleted or transferred to another organisation. EU residents are also able to request that the processing of their personal data be restricted, or to object to their personal data being processed. To make any of these requests, please contact our Privacy Officer using the contact details set out below.
15 UK GDPR
Australian businesses must also comply with privacy laws in the United Kingdom (“UK”). The framework for data protection law in the UK is set out in the Data Protection Act 2018 (“DPA 2018”), which sits alongside and supplements the UK General Data Protection Regulation (“UK GDPR”). The UK GDPR is based on the EU GDPR and sets out the key principles, rights and obligations for most processing of personal data in the UK.
In practice, there is little difference to the core data protection principles, rights and obligations between the EU GDPR and the DPA 2018.
The UK GDPR applies to the processing of personal data of data subjects who are in the UK by a controller or processor not established in the UK where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the UK; or
- the monitoring of their behaviour as far as their behaviour takes place within the UK.
Therefore, we can draw from the EU GDPR and apply the same or similar considerations in regard to personal data we collect under the UK GDPR. Additionally, in relation to the regulation of cookies, the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 aligns UK legislation with the ePrivacy Directive.
16 Data retention policy
Personal information that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.
17 Making a privacy complaint
If you wish to make a complaint about how we have handled your Personal Information, please submit your complaint in writing to our Company Secretary. We will investigate the matters described in the complaint and provide a written response within 30 days from the date we received the written complaint.
You can contact us by:
- writing to us at Source Certain International Limited, PO Box 1570, Wangara DC WA 6947
- calling us on +61 8 6191 0608
- emailing us at firstname.lastname@example.org