This standard outlines the obligations Bis Industries Limited (“Bis”) has to manage the personal information it holds about its employees, customers, suppliers and others.
Bis is bound by the Australian Privacy Principles (“Principles”) contained in the Privacy Act 1988 (Cth) (the “Act”). The Principles are designed to protect the confidentiality of information and the privacy of individual’s by regulating the way personal information is managed.
In summary, the Principles define ‘personal information’ as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Purpose of personal information collection
Bis will only collect, use or disclose an individual’s Personal Information to the extent that this is reasonably necessary for one or more of our functions or activities.
Nature of personal information
The type of information Bis may collect and hold includes (but is not limited to) personal information about:
- customers, clients or suppliers;
- job applicants, employees and contractors; and
- other people who may come into contact with Bis.
This information may be obtained by way of forms filled out by such individuals, face-to-face meetings, interviews, telephone conversations or from a third party (for example, a reference).
We may ask for other information voluntarily from time to time (for example, through market research or surveys) to enable us to improve our service or consider the wider needs of our customers or potential customers.
Note – Bis is not bound by the Principles in relation to Company treatment of an employee record, where the treatment is directly related to the current or former employment relationship between Bis and the employee.
Method of collection
Personal Information is sourced from individuals directly unless it is unreasonable or impracticable to do so. Where this is not practical, information may be collected from third parties during the job recruitment processes for example from your nominated referees and/or through police or background checking processes or through government agencies, service providers and publicly available sources.
Use and disclosure of personal information
The Principles require Bis to use personal information only for the primary purpose for which it is collected and for such other secondary purposes, which are related to the primary purpose, unless you consent to another use or an exception under the Principles or the Act applies.
In general, Bis uses personal information for the following purposes:
- to provide you with the products or services you have requested;
- to assist the Company in the management and enhancement of its products and services, including use in analysis of future customer needs;
- to communicate;
- to provide ongoing information about its products and services to people that it believes may be interested; and
- for any other purpose permitted by law.
Depending on the product or service this means that personal information may be disclosed to:
- Bis entities;
- service providers and specialist advisers to Bis who have been contracted to provide administrative, financial, research or other services;
- insurers, credit providers, courts, tribunals and regulatory authorities as agreed or authorised by law;
- credit reporting or reference agencies, or insurance investigators; or
- anyone authorised by an individual, as specified by that individual or the contract.
Generally, we require that organisations outside Bis who handle or obtain personal information as service providers to Bis acknowledge the confidentiality of this information, undertake to respect any individual’s right to privacy and comply with the Principles and this standard.
In most cases, if you do not provide the information about yourself, which Bis has requested, Bis may not be able to provide you with the relevant product or service.
Bis may decide to buy or sell assets, which form part of or relate to the Company. In any such transaction, personal information will usually be one of the transferred assets and will be disclosed to the purchaser.
Management of personal information
Bis expects and trains its employees who handle personal information to respect the confidentiality of customer information and the privacy of individuals. Bis regards privacy very seriously and will take appropriate action, including in some cases dismissal of an employee, in response to breaches of the obligations imposed by the Principles.
Storage of personal information
Bis is required by the Principles to safeguard the security and privacy of your information, whether you interact with us personally, by telephone, mail, over the Internet or other electronic medium. This includes an obligation to take reasonable steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure. Annexure 1 to this Standard sets out how Bis will manage data breaches.
The Principles also require Bis not to store personal information longer than necessary. Where Bis no longer requires any personal information that it holds, that personal information should be destroyed or have details which may identify individuals removed.
Access & accuracy of personal information
Bis is required by the Principles to ensure that the personal information it holds is accurate and up-to-date. We realise that this information changes frequently with changes of address and other personal circumstances. Bis encourages you to contact it as soon as possible in order to update any personal information it holds about you.
If you consider that the personal information which we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, we will take reasonable steps, consistent with our obligations under the Act, to correct that information if you so request.
We will respond to all requests for access and/or correction within a reasonable time.
You may seek access to the personal information Bis holds about you, by making a request in writing. Release of this information must be authorised by, and given through, our Director – People, Culture and Markets. Depending on the nature of the request, we may ask you to complete an enquiry form and/or provide us with further information in order to verify your identity.
There may be instances where we cannot grant you access to the personal information we hold. For example, Bis may refuse to release such information where an exception in the Principles applies. If this happens we will give you written reasons for the refusal.
Generally, we will not charge you to act on your request for access and will not charge for making any corrections to your personal information. However, we reserve the right to charge an appropriate fee or seek reimbursement for reasonable costs associated with retrieving, copying or providing access to your personal information.
The information we provide will be personal to you only. We reserve the right to redact or withhold information to the extent it relates to, identifies, or is the personal information of, another person. We will provide you with the reason if we refuse to provide you with full access to or permit correction of, the personal information we hold about you.
Lodging of complaints
If you consider that any action of Bis breaches this Privacy Standard or the Principles you can lodge a complaint through our Director – People, Culture and Markets.
After Bis has completed its investigation, we will contact you, usually in writing, to advise you of the outcome and invite a response to our conclusions about your complaint. If we receive a response from you, we will assess it and advise if Bis has changed its view.
If you are not satisfied with our attempt to resolve your concern you may refer the matter to the Australian Information Commissioner. More information can be obtained through the Office of the Australian Information Commissioner at: http://www.oaic.gov.au.
You can contact Bis regarding a privacy-related issue by mail, e-mail or phone to Karen Bradshaw, Chief People and Sustainability Officer:
+61 8 9202 5821
Bis’ Privacy Standard will be reviewed from time to time to take account of new laws and technology, changes to our operations and practices and the changing business environment. If you are unsure whether you are reading the most current version, please contact the People and Culture Team.
ANNEXURE 1 – NOTIFIABLE DATA BREACHES – POLICY AND RESPONSE PLAN
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen;
- a database containing personal information is hacked; or
- personal information is mistakenly provided to the wrong person.
What is “serious harm”?
“Serious harm” to an individual may include serious physical, psychological, emotional, financial or reputational harm.
Whether a data breach is “likely to result” in serious harm to an individual whose information was part of the data breach requires an objective assessment from the perspective of a reasonable person. A “reasonable person” means a person in Bis’ position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available and/or following reasonable inquiries or an assessment of the data breach.
The phrase “likely to result” means the risk of serious harm to an individual is more probable than not (rather than possible).
In assessing whether a data breach is “likely to result” in serious harm the following needs to be considered:
- the type or types of personal information involved in the data breach;
- the circumstances of the data breach; and
- the nature of the harm that may result from the data breach.
Assessing the degree of harm caused as a result of a data breach – and whether the data breach is notifiable – will be undertaken by the Director – People, Culture and Markets.
Response Plan – Data breach has occurred or suspected to have occurred
Where there is an unauthorised access to, unauthorised disclosure of, or loss of, personal information held by Bis and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
- Step 1 – Identify a breach has occurred
- Where a privacy data breach is known to have occurred (or is suspected) any Employee who becomes aware of this must, within 24 hours, alert the Director – People, Culture and Markets.
- The Information that should be provided (if known) at this point includes:
- When the breach occurred (time and date)
- Description of the breach (type of personal information involved)
- Cause of the breach (if known) otherwise how it was discovered
- Which system(s) if any are affected?
- Whether corrective action has occurred to remedy the breach (or suspected breach)
- Step 2 – Evaluate the breach and consider whether notification is required.
- Criteria for determining whether a privacy data breach has occurred
- Is personal information involved?
- Is the personal information of a sensitive nature?
- Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?
- Criteria for determining severity
- The type and extent of personal information involved
- Whether multiple individuals have been affected
- Whether the information is protected by any security measures (password protection or encryption)
- The person or kinds of people who now have access
- Whether there is (or could there be) a real risk of serious harm to the affected individuals
- Whether there could be media or stakeholder attention as a result of the breach or suspect breach
- Having considered the matters in Step 2, the Director – People, Culture and Markets must take steps to manage the breach.
- Step 3 – Response
- Where the Director – People, Culture and Markets determines that a breach has occurred, they must:
- ensure immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system); and
- Prepare a report within 48 hours of receiving notification of a breach. The report must contain the following:
- Description of breach or suspected breach
- Action taken
- Outcome of action
- Processes that have been implemented to prevent a repeat of the situation.
- Recommendation that no further action is necessary
- Consider developing a communication or media strategy including the timing, content and method of any announcements to students, staff or the media.
- Step 4 – Notification
- Having regard to the actions taken in Step 4, the Director – People, Culture and Markets will determine whether there are reasonable grounds to suspect that an notifiable data breach has occurred.
- If there are reasonable grounds, the Director – People, Culture and Markets must prepare a prescribed statement and provide a copy to the Office of the Australian Information Commissioner as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).
- If practicable, Bis must also notify each individual to whom the relevant personal information relates. Where impracticable, Bis must take reasonable steps to publicise the statement (including publishing on it’s website).
- Step 5 – Review the Incident
- Conduct an in-depth review into the breach and how it was able to occur.
- Prepare a prevention plan to reduce the possibility of a future breach and mitigate potential harm.
- Review existing policies and procedures.
- Consider whether training to employees is required.