YARDMILL Privacy Statement
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Privacy Act) updates the Privacy Act 1988 (Cth) and is intended to establish a comprehensive national scheme for the collection, holding, use, correction, disclosure and transfer of personal information by organisations in the private sector. This gives individuals the right to know what information an organisation holds about them and a right to correct that information if it is wrong.
This policy is to ensure TeeRoy Pty T/A YARDMILL (YARDMILL) complies with the Privacy Act established for the handling of personal information by organisations in the private sector. YARDMILL is required to ensure that it complies with the thirteen Australian Privacy Principles (APPs) set out by the Privacy Act. The Australian Privacy Principles (APPs) regulate the way YARDMILL can collect, use, disclose, amend and pass on personal information.
Responsibility and Authority
All Managers and Staff
- Ensure compliance with the policy
Privacy Compliance Officer
- Receives complaints from an individual regarding an alleged breach of privacy by
- Investigates and attempts to resolve any alleged breach of privacy complaint internally with the individual
434 Toorak Road
Toorak, Vic 3142
Part 1 – Consideration of Personal Information Privacy
APP 1: Open and Transparent Management of Personal Information
Personal information will only be collected to the extent necessary by lawful and fair means and not in an unreasonably intrusive way for one or more of YARDMILL’s functions or activities.
At the time of collection (or as soon as practicable afterwards) YARDMILL will take reasonable steps to ensure personal information is managed in an open and transparent way. Under the Privacy Act you are entitled to:
- know the kind of information the entity collects and holds
- how the entity collects and holds personal information
- the purposes for collecting, holding and disclosing personal information
- how they can access and seek correction of such information
- how an individual may complain about a breach of the Australian Privacy Principles, and how the entity would deal with such a complaint
- whether the entity is likely to disclose personal information to overseas recipients
- if the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to do so
YARDMILL will provide upon request from an individual or body free access to YARDMILL’s
APP 2: Anonymity and pseudonymity
Whenever it is lawful and practicable, an individual will have the option of not identifying themselves or of using a pseudonym in relation to a particular matter.
Part 2 – Collection of Personal Information
APP 3: Collection of solicited personal information
Personal Information other than Sensitive Information
YARDMILL will only collect personal information (other than sensitive information) if it is reasonably necessary for one or more of YARDMILL’s functions or activities.
YARDMILL will not collect sensitive information about an individual unless:
- the individual has consented and the information is reasonably necessary for one or more functions or activities;
- the collection is required or authorised by law; or
- a permitted general situation exists in relation to the collection of information by
- a permitted health situation exists in relation to the collection of information by
Permitted general situations means:
- lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety
- taking appropriate action in relation to suspected unlawful activity or serious
- locating a person reported as missing
- asserting a legal or equitable claim
- conducting an alternative dispute resolution process
Permitted health situation means:
- the collection of health information to provide a health service
- the collection of health information for certain research and other purposes
- the use or disclosure of health information for certain research and other purposes
- the use or disclosure of genetic information
- the disclosure of health information for a secondary purpose to a responsible person for an individual
Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- Whether the information or opinion is true or not; and
- Whether the information or opinion is recorded in a material form or not.
Sensitive Information means:
(a) information or an opinion about an individual’s:
- racial or ethnic origin; or
- political opinions; or
- membership of a political association; or
- religious beliefs or affiliations; or
- philosophical beliefs; or
- membership of a professional or trade association; or
- membership of a trade union; or
- sexual preferences or practices; or
- criminal record;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information.
Means of Collection
YARDMILL will only collect personal information by lawful and fair means. YARDMILL can only collect personal information about an individual from that individual unless it is unreasonable or impractical to do so.
APP 4: Dealing with Unsolicited Personal Information
Where YARDMILL receives personal information in a manner that is not compliant with APP 3, that information will be destroyed and/or de-identified. If unsolicited personal information is contained in a Commonwealth record, YARDMILL is not required to destroy or de-identify that information.
APP 5: Notification of the Collection of Personal Information
At the time of collection (or as soon as practicable afterwards) YARDMILL will take reasonable steps to ensure that the individual is notified:
- The identity and contact details of YARDMILL
- That YARDMILL is or has collected information, and the circumstances of that
- YARDMILL will state when the collection of personal information is required and/or authorised by law, and provide details of the relevant law or order.
- The purpose for which the personal information is collected
- The main consequences (if any) for the individual if some/all of the personal information is not collected
- Of any disclosures of personal information that YARDMILL will make to any other entity, body or person.
- How the individual can access and seek the correction of personal information
- How the individual can lodge a complaint of a breach of the Australian Privacy Principles or a registered APP code that binds YARDMILL, and how YARDMILL will deal with complaints.
- Whether YARDMILL is likely to disclose personal information to overseas recipients, and if applicable, which countries.
Procedure for making a complaint
A person may make a complaint if they feel their personal information has been handled inappropriately by a private sector organisation in breach of YARDMILL’s privacy obligations under the Privacy Act.
In the first instance, complaints must be directed to YARDMILL’s Privacy Officer in writing. YARDMILL will investigate the complaint and prepare a response to the complainant in writing within a reasonable period of time.
If the complainant is not satisfied with YARDMILL’s response or the manner in which YARDMILL has dealt with the complaint, the individual may make a formal complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC may investigate, resolve or close complaints based on information found during preliminary inquiries. If the OAIC believes there is enough evidence to support the complaint, it will try to conciliate the matter.
If conciliation does not resolve the complaint, depending on the circumstances, the Australian Information Commissioner may make a determination. A determination could include a requirement that YARDMILL issue an apology, improve practices to reduce the likelihood of a breach of the Privacy Act, or pay compensation to the complainant. A complainant may withdraw their complaint at any time.
Where the OAIC has made a decision, a complainant may request that the OAIC have it reviewed by a new officer. If the OAIC closes the file or the Information Commissioner makes a determination that is not legally correct, the complainant may apply to the Federal Court or the Federal Magistrates Court by way of appeal. Either party may also appeal to the Administrative Appeals Tribunal within 28 days of a final OAIC decision for a review of any compensation amount ordered by the Information Commissioner.
YARDMILL may amend and vary this policy from time to time.
Part 3 – Dealing with Personal Information
APP 6: Use or Disclosure of Personal Information
YARDMILL will not use personal information for another purpose (secondary purpose) unless:
- the individual has consented; or
- the secondary purpose is related to the primary purpose and the individual would reasonably expect YARDMILL to use or disclose the information for the secondary
- The use/disclosure of the information is required by law
- A permitted general/health situation exists in relation to the disclosure. Health situation information will be de-identified before YARDMILL discloses it.
- YARDMILL believes that the use/disclosure of information is reasonably necessary for one or more enforcement related activities conducted by/on behalf of an enforcement
Written Note of Use or Disclosure
YARDMILL will make a written note of all uses and disclosures of personal information.
Related Bodies Corporate
Where YARDMILL collects personal information from a body corporate, it will treat personal information in the same manner as stated above.
Where personal information is used or disclosed for the purpose of direct marketing or government related identifiers, the above principles do not apply.
APP 7: Direct Marketing
Direct marketing concerns the use/disclosure of personal information to communicate directly with an individual to promote goods and services. YARDMILL will not use or disclose personal information held about an individual for the purposes of direct marketing unless one of the exceptions outlined below applies.
Exceptions – Personal Information other than Sensitive Information
YARDMILL will not use or disclose personal information for the purposes of direct marketing unless:
- YARDMILL has collected the information from the individual and the individual would reasonably expect YARDMILL to use/disclose the information for this purpose
- YARDMILL has provided a simple means where the individual may easily request not to receive direct marketing communications, and the individual has not made such a
Where YARDMILL has collected the personal information from a third party or from the individual directly, but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing, YARDMILL will seek consent from an individual for each direct marketing communication.
Exception – Sensitive Information
YARDMILL will not use or disclose sensitive information about an individual for the purposes of direct marketing without the consent of the individual.
Exception – Contracted Service Providers
YARDMILL may use or disclose personal information for the purpose of direct marketing where:
- YARDMILL is a contracted service provider for a Commonwealth contract;
- YARDMILL collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
- The use or disclosure is necessary to meet (directly or indirectly) such an obligation.
Individual may request not to receive direct marketing communications
Where an individual has requested that YARDMILL not use or disclose their personal information for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations, YARDMILL will give effect to any such request by an individual within a reasonable period of time and without cost to the individual.
YARDMILL will, on request, notify an individual of its source of the individual’s personal information that it has used or disclosed for the purpose of direct marketing unless this is unreasonable or impracticable to do so.
This does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003 or any other legislation prescribed by the regulations applies.
APP 8: Cross-Border Disclosure of Personal Information
YARDMILL will not disclose personal information to a person overseas unless reasonable steps have been taken to ensure that the recipient does not breach the Australian Privacy Principles.
This does not apply when:
- YARDMILL reasonably believes that the recipient is subject to a law or scheme that is overall similar to the APPs, and the individual can access mechanisms to enforce the protection of that law or scheme.
- YARDMILL seeks the consent of the individual to disclose the personal information, expressly stating that they will not take reasonable steps to ensure the recipient does not breach the APPs.
- The disclosure of information is required/authorised by an Australian law or
- A permitted general situation exists in relation to the disclosure of the information by
APP 9: Adoption, Use or Disclosure of Government Related Identifiers
Adoption of Government Related Identifiers
YARDMILL will not adopt as its own identifier an identifier that has been authorised under Australian law. Examples are an individual’s Medicare or tax file number.
Use or Disclosure of Government Related Identifiers
YARDMILL will not use or disclose an identifier unless:
- It is to verify the identity of the individual for the purposes of their activities/functions
- It is necessary for YARDMILL to fulfil its obligations to an agency or a State/Territory
- It is required/authorised by law
- A permitted general situation exists in relation to the use/disclosure of the identifier
- YARDMILL reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body
Regulations about Adoption, Use or Disclosure
YARDMILL may use/adopt or disclose a government related identifier of an individual if:
- The identifier is prescribed by regulations;
- YARDMILL is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations;
- The adoption, use or disclosure is prescribed by the regulations.
APP 10: Quality of Personal Information
YARDMILL will take reasonable steps to ensure that personal data collected, used or disclosed is accurate, up to date and complete.
APP 11: Security of Personal Information
YARDMILL will take reasonable steps to protect personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. YARDMILL will also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under Principle 3.
APP 12: Access to Personal Information
Where YARDMILL holds personal information about an individual, it will provide the individual with access to the information on request.
Exceptions to access
YARDMILL is not required to give the individual access to the personal information where:
- YARDMILL reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual/to public health/public safety;
- Giving access would have an unreasonable impact on the privacy of other individuals
- The request for access is frivolous or vexatious;
- The information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those
- Giving access would reveal the intentions of the entity in relation to negotiations with that individual, and would prejudice those negotiations;
- Giving access would be unlawful;
- Denying access is required/authorised by or under Australian Law or a court/tribunal
- YARDMILL has reason to suspect that unlawful activity or serious misconduct relating to YARDMILL has been engaged in, and giving access is likely to prejudice the taking of appropriate action;
- Giving access would be likely to prejudice one or more enforcement related activities conducted by/on behalf of an enforcement body;
- Giving access would reveal evaluative information generated within YARDMILL in connection with a commercially sensitive decision-making process.
Dealing with requests for access
YARDMILL must respond to requests for access to personal information within 30 days of a request by an agency, or within a reasonable time period after the request is made by an organisation.
Access to information should be given in the manner requested by the individual if it is reasonable and practicable to do so.
Other means of access
Where YARDMILL refuses to give access to personal information on a permitted ground or refuses to give access in the manner requested by the individual, YARDMILL must take reasonable steps to give access in a way that meets the needs of the individual and YARDMILL (e.g. deleting personal information for which there is a ground for refusing access and giving the redacted version to the individual, or giving a summary of the requested personal information to the individual).
Access may be given through the use of a mutually agreed intermediary.
YARDMILL may impose a charge for giving access to personal information (such as copying costs, postage costs, costs associated with using an intermediary). This charge must not be used to discourage an individual from requesting access to personal information, and cannot be applied to the making of the request.
Refusal to give access
Refusals by YARDMILL to give access to personal information will be in writing and will state:
- The reasons for the refusal;
- The mechanisms available to complain about the refusal;
- Any other matter prescribed by the regulations.
Where YARDMILL has refused access due to evaluative information in connection with a commercially sensitive decision-making process, YARDMILL may include an explanation for the commercially sensitive decision.
APP 13: Correction of Personal Information
Where YARDMILL or an individual believes that personal information is inaccurate, out of date, incomplete, irrelevant or misleading, YARDMILL will take reasonable steps to correct that information.
Notification of Correction to Third Parties
YARDMILL will take reasonable steps to ensure that all third parties privy to personal information have been notified of a correction unless it is unlawful or unreasonable to notify.
Refusal to Correct Information
If YARDMILL refuses to correct personal information as requested by the individual, a written notice will be provided that contains:
- The reasons for refusal
- The mechanisms available to complain about the refusal
- Any other matter prescribed by regulations
Request to Associate a Statement
Where YARDMILL has refused to correct personal information and the individual has requested that YARDMILL associate a statement that the information is out of date, inaccurate, incomplete, irrelevant or misleading, YARDMILL will take reasonable steps to associate the statement in such a way that will make the statement apparent to users of the information.
Dealing with Requests
YARDMILL will respond to requests to associate a statement:
- Within 30 days (if the request is from an agency)
- Within a reasonable period after the request is made
YARDMILL will not charge an individual for making a request, for correcting information or associating a statement with the personal information.