Australia

Privacy Policy

Privacy Policy Statement

APM is strongly committed to ensuring that it collects and uses information provided to us in accordance with privacy laws. APM places great importance on protecting the privacy of its employees, valued clients, customers and other stakeholders. The Australian Privacy Principles, which were established by the Privacy Act 1988, apply to APM.

Purpose

Serendipity (WA) Pty Ltd trading as APM (Advanced Personnel Management) and its related companies is strongly committed to maintaining the privacy of personal information it collects as part of the services it offers. APM places great importance on protecting the privacy of its employees, valued clients, customers and other stakeholders.

This policy relates to personal information collected through the course of APM’s business or by any other means and assumes that the information is acquired from an Australian resident.

The purpose of this policy is to:

  • Give individuals a better and more complete understanding of the kinds of personal information that APM collects and holds
  • Clearly and concisely communicate how and when personal information is collected, disclosed, used, stored and otherwise handled by APM
  • Inform individuals about the purposes for which APM collects, holds, uses and discloses personal information
  • Provide individuals with information about how they may access their personal information and seek correction of their personal information
  • Provide individuals with information about how they may make a complaint and how APM will deal with any such complaint
  • Advise individuals of the circumstances in which APM is likely to disclose personal information to overseas recipients
  • Enhance the transparency of APM's operations

Policy Statement

This policy sets out how APM will comply with its obligations under the Privacy Act 1988 (Cth) (Act). APM is bound by the Australian Privacy Principles, which regulate how APM may collect, use, disclose and store personal information, and how individuals may access and correct personal information held about them.

APM will ensure that all officers, employees and sub-contractors are aware of and understand APM's obligations and their own obligations under the Act and are provided with training to enable them to fulfil these obligations.

APM will also achieve this through maintaining internal policies and processes to prevent personal information being collected, retained, shared/exchanged, accessed or disposed of improperly.

For the purpose of this policy, the following terms will have the following meanings, as attributed to them by Section 6 of the Act:

Health information means:
(a) Information or an opinion about:
  (i) The health or disability (at any time) of an individual; or
  (ii) An individual's expressed wishes about the future provision of health services to him or her; or
  (iii) A health service provided, or to be provided, to an individual that is also personal information; or
(b) Other personal information collected to provide, or in providing, a health service; or
(c) Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) Genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

Sensitive information means:
(a) Information or an opinion about an individual's:
  (i) Racial or ethnic origin; or
  (ii) Political opinions; or
  (iii) Membership of a political association; or
  (iv) Religious beliefs or affiliations; or
  (v) Philosophical beliefs; or
  (vi) Membership of a professional or trade association; or
  (vii) Membership of a trade union; or
  (viii) Sexual orientation or practices; or
  (ix) Criminal record; or
(b) Health information about an individual; or
(c) Genetic information about an individual that is not otherwise health information; or
(d) Biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) Biometric templates

Scope

This policy applies to all APM officers, employees and sub-contractors.

For clarity, throughout this policy, where there is reference to the "individual", it is taken to include that individual's duly appointed authorised representative (where appropriate).

Collection of Personal Information

Personal information collected by APM will usually fall into one of the following categories:

  • Candidate information submitted and obtained from the candidate and other sources in connection with applications for work
  • Work performance information
  • Information about incidents in the workplace
  • Employment history
  • Staff information such as next of kin, contact telephone numbers or email addresses and tax file number
  • Information submitted and obtained in relation to absences from work
  • Information obtained to assist in managing client and business relationships
  • Information collected as part of APM’s normal communication processes, including when an individual emails APM; when an individual telephones APM, or when an individual hands an APM representative their business card

Sensitive information collected by APM will usually fall into one of the following categories:

  • Medical records and assessments
  • Information submitted and obtained in relation to absences from work due to illness, religious beliefs, or trade union activity
  • Criminal records checks

Where practicable, APM collects personal information directly from the individual. However, due to the nature of APM's business (i.e. we work with third-party intermediaries such as insurance companies and employers), personal information is provided to APM by these intermediaries. The third-party intermediary collecting and exchanging the information has an obligation to ensure that the individual, about whom information is being exchanged with APM, has consented to the collection and provision of such information. Only in circumstances where "sensitive information" has been provided to APM by the third-party intermediary will APM be required to seek direct consent from the individual to retain or use this information.

Sometimes APM will collect personal information from a third party or a publicly available source if it is unreasonable or impracticable to collect the personal information directly from the individual (e.g. checking a candidate's work history).

APM does not collect personal information unless it is reasonably necessary for, or directly related to, one or more of APM's functions or activities.

Where personal information is sensitive information, APM will only collect that information where:

  • It is reasonably necessary for one or more of APM's functions or activities; and
  • The individual consents to the collection of the information; or
  • APM is required or authorised by law to collect the sensitive information

If APM receives personal information that it did not solicit from an individual and if APM determines that it could not have lawfully collected that information as part of its functions or activities, then APM will (if it is lawful and reasonable) destroy the information or ensure that its contents cannot be identified.

An individual may choose to deal with APM anonymously or under a pseudonym where lawful and practical. Where anonymity or the use of a pseudonym will render APM unable to provide the relevant service or reasonably conduct business, APM may request that the individual identify himself or herself. 

For example, it would not be practical to deal with an individual anonymously if APM is providing assistance in securing paid employment for or providing rehabilitative services to the individual.

Use and Disclosure of Personal Information

  • Recruitment/employment services
  • Employee management
  • Injury management and assessment
  • Labour market research
  • Ergonomic assessments and advice
  • Occupational safety and health
  • Psychological assessments/counselling
  • Stress claim assessments
  • Services under the National Disability Insurance Scheme (NDIS)
  • Life insurance assessments
  • Training/education
  • Client and business relationship management
  • Research

APM will only use and disclose personal information for the primary purpose for which it was initially collected, or for purposes which are directly related to one of APM's functions or activities.

APM will not disclose personal information about an individual to government agencies, private sector organisations or any third parties unless one of the following applies:

  • The individual has consented
  • The individual would reasonably expect, or has been told, that information of that kind is usually passed on to those individuals, bodies or agencies
  • It is otherwise required or authorised by law
  • It is reasonably necessary for enforcement-related activities conducted by, or on behalf of, an enforcement body (e.g. police, government department, government agency)

Personal information provided to APM may be shared with its related companies. APM will take all reasonable and practical measures to keep such information strictly confidential.

The collection by and use of personal information by third parties may be subject to separate privacy policies and/or the laws of other jurisdictions.

APM may transfer personal information to overseas countries including, but not limited to, the UK and New Zealand in order to perform one or more of APM's functions or activities. In these circumstances, APM will take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

Like many other businesses in Australia, APM contracts out some of its functions and relies on third-party suppliers or contractors to provide specialised services such as employment services, cloud computing technology and data storage services, legal advice, insurance broking, security services and financial services. If personal information is provided to these suppliers and contractors in order to enable them to perform the agreed tasks, APM will take reasonable measures to ensure that the supplier or contractor handles the personal information in accordance with the Act and the Australian Privacy Principles.

APM will also require all suppliers and contractors to provide privacy undertakings and enter confidentiality agreements where suppliers and contractors may have access to personal information.

APM will take active steps to ensure that all transfers of personal information to a third party and use of such information by a third party is secure and compliant with the Act. For example, all outgoing email transmissions from APM are SSL encrypted. However, APM will not be held responsible for the theft of data by a third party, or the consequences resulting from the loss of data where that loss is associated with technical malfunction, computer viruses, third-party interference or any action or event that is beyond the reasonable control of APM.

Accuracy of Personal Information

APM will ensure that all personal information it collects, uses or discloses is accurate, complete and up-to-date. Please contact APM's Privacy Officer (contact information below) if you are aware of any personal information that does not meet this objective.

If APM is aware that it holds personal information that (having regard to the purpose for which it was collected) is inaccurate, out of date, incomplete, or irrelevant, it will take reasonable steps to correct that information.

An individual may also seek access to, and correction of, personal information held by APM in accordance with the "Access to Personal Information" procedures, set out below.

Security

APM is committed to keeping personal information secure and safe. Security measures are in place to protect information from unauthorised access, modification or disclosure and loss, misuse and interference. APM will review and update these measures from time to time to ensure security is maintained. In addition, personal information and sensitive information held by APM will be destroyed or have identification removed when it is no longer needed for a purpose for which it was initially collected.

Personal information may be stored in documentary form, but will generally be stored electronically on APM's software or systems.

APM maintains physical security over its documentary and electronic data stores by using locks and security systems. Although APM takes all reasonable steps to secure personal information from loss, misuse and unauthorised access, there is an inherent risk of loss of, misuse of or unauthorised access to such information. APM will not be held responsible for such actions where the security of the personal information is not within APM’s control or APM cannot reasonably prevent such an incident.

Protecting and Storing Personal Information

APM is committed to keeping personal information secure and safe. Some of the ways we do this are:

  • Requiring employees and contractors to enter into confidentiality agreements
  • Secure hard copy document storage (i.e. storing hard copy documents in locked filing cabinets)
  • Security measures for access to computer systems
  • Password-protected data storage devices such as laptops, tablets and smartphones
  • Providing a discreet environment for confidential discussions
  • Access control for our buildings including waiting room/reception protocols and measures for securing premises when unattended
  • Security measures for our websites

Roles and Responsibilities

  • All APM officers, employees and sub-contractors are aware of their responsibility to comply with the Act
  • APM will ensure that all employees and sub-contractors required to manage personal information are appropriately trained and supervised
  • APM will conduct regular reviews to ensure that personal information is managed correctly
  • Breaches of policy or personal information management processes will be dealt with appropriately
  • APM will provide appropriate assistance to individuals and relevant third parties to make enquiries regarding personal information management
  • Personal information will be retained according to the requirements of the Act

Access to Personal Information and Correction

An individual may request access to personal information that APM holds about them.

The procedure for requesting and obtaining access is:

  • All requests for access to personal information must be made in writing and must be addressed to APM's Privacy Officer (see below for contact details). All requests should specify how the information is proposed to be accessed (photocopies, electronic copy, or visual sighting)
  • Any party making a request must provide as much detail as possible regarding the APM department or person to whom it believes the personal information has been provided and when (this will allow APM to process requests more efficiently)
  • APM will acknowledge a request within 14 days of the request being made
  • Access will usually be granted within 14 days of APM's acknowledgment; if the request cannot be processed within that time for whatever reason, APM will let the party who has made the request know the anticipated time-frame for a response to be provided
  • The party making the request will need to verify identity and authority before access to personal information is granted
  • APM may charge a reasonable fee for access to personal information, which will be notified and required to be paid prior to the release of any information
  • Once the request has been processed by APM, the party making the request will be notified of APM's response and proposal for suitable access (provision of photocopies, digital copies or visual sighting, where appropriate)
  • APM may refuse to grant access to personal information under certain circumstances (see below)
  • If, as a result of access being granted, you are aware that APM holds personal information that you regard as being no longer accurate or incorrect, you may request the deletion or correction of such information
  • Upon receipt of a request to correct or delete personal information, APM will either make such corrections or deletions or provide written reasons as to why it declines to make such alterations (see below)

Under the Act, APM may refuse to grant access to personal information if:

  • APM believes that granting access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
  • Granting access would have an unreasonable impact upon the privacy of other individuals
  • Denial of access is required or authorised by law or by a court or tribunal order
  • Giving access would be unlawful
  • The request for access is frivolous or vexatious
  • Legal proceedings are underway or anticipated and the information would not be accessible by way of the discovery process in those proceedings
  • Giving access would reveal the intentions of APM in relation to negotiations between APM and the party making the request in such a way as to prejudice those negotiations
  • Giving access is likely to prejudice enforcement-related activities conducted by, or on behalf of, an enforcement body
  • Giving access is likely to prejudice action being taken or to be taken with respect to suspected unlawful activity or serious misconduct relating to APM's functions or activities
  • Giving access would reveal information in connection with a commercially sensitive decision-making process

If APM does not agree to make a correction to personal information, the party making the request may provide a statement about the requested corrections and APM will ensure that the statement is apparent to any users of the relevant personal information.

If APM does not agree to provide access to personal information or to correct the personal information, APM will provide the party making the request with written reasons for the refusal and the mechanisms available to complain about the refusal.

Privacy Officer

APM has a designated Privacy Officer who is responsible for the management of:

  • Requests for access to personal information
  • Complaints regarding APM's management of personal information
  • Coordination of staff training

For information regarding privacy, contact details for APM's Privacy Officer are:

Privacy Officer
Level 9, 87 Wickham Terrace
Spring Hill  QLD  4000

privacy@apm.net.au

07 3055 5500

Complaints

If you consider that there has been a breach of the Australian Privacy Principles, you are entitled to complain to APM.

All complaints are to be in writing and directed to the Privacy Officer. A Privacy Complaint Form can be completed. APM will acknowledge receipt of a written complaint within two business days.

APM's Privacy Officer will investigate the complaint and attempt to resolve it within 20 business days after the written complaint was received. Where it is anticipated that this time-frame is not achievable, APM will contact the person making the complaint to provide an estimate of how long it will take to investigate and respond to it.

If an individual considers that APM has not adequately dealt with a complaint, he or she may complain to the Privacy Commissioner:

Office of the Australian Information Commissioner
GPO Box 5218
Sydney  NSW  2001

enquiries@oaic.gov.au

1300 363 992

Legislative/Certification Requirements

Australian Privacy Principles - Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)

  • Principle 1 – Open and transparent management of personal information
  • Principle 2 – Anonymity and pseudonymity
  • Principle 3 – Collection of solicited personal information
  • Principle 4 – Dealing with unsolicited personal information
  • Principle 5 – Notification of the collection of personal information
  • Principle 6 – Use or disclosure of personal information
  • Principle 7 – Direct marketing
  • Principle 8 – Cross-border disclosure of personal information
  • Principle 9 – Adoption, use or disclosure of government-related identifiers
  • Principle 10 – Quality of personal information
  • Principle 11 – Security of personal information
  • Principle 12 – Access to personal information
  • Principle 13 – Correction of personal information

Refer to Privacy Fact Sheet 17 for further details on the 13 Australian Privacy Principles.

Disability Service Standards - APM's Privacy Policy fulfils the requirements of the Australian Disability Service Standards, Standard 4 – Privacy, Dignity and Confidentiality.

Communication and Review

This policy is to be reviewed as follows:

  • Annually (as a minimum)
  • Following an information security incident
  • Following significant changes to APM systems
  • Following changes to the relevant state/territory and Commonwealth legislation

Reviews examine the appropriateness of this Privacy Policy, taking into consideration corporate, system and compliance requirement changes since the last review was undertaken.

Monitoring and Training

Compliance with this Privacy Policy is subject to internal and regulatory audit. APM will comply with all reporting requirements of the Act as they exist from time to time.

All staff will receive training with regard to privacy and the application of this Privacy Policy as part of their corporate induction.