This standard outlines the obligations Bis Industries Limited (“Bis”) has to manage the personal information it holds about its employees, customers, suppliers and others.
Bis is bound by the Australian Privacy Principles (“Principles”) contained in the Privacy Act 1988 (Cth) (the “Act”). The Principles are designed to protect the confidentiality of information and the privacy of individuals by regulating the way personal information is managed.
In summary, the Principles define ‘personal information’ as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Purpose of personal information collection
Bis will only collect, use or disclose an individual’s Personal Information to the extent that this is reasonably necessary for one or more of our functions or activities.
Nature of personal information
The type of information Bis may collect and hold includes (but is not limited to) personal information about:
This information may be obtained by way of forms filled out by such individuals, face-to-face meetings, interviews, telephone conversations or from a third party (for example, a reference).
We may ask for other information voluntarily from time to time (for example, through market research or surveys) to enable us to improve our service or consider the wider needs of our customers or potential customers.
Note – Bis is not bound by the Principles in relation to Company treatment of an employee record, where the treatment is directly related to the current or former employment relationship between Bis and the employee.
Method of collection
Personal Information is sourced from individuals directly unless it is unreasonable or impracticable to do so. Where this is not practical, information may be collected from third parties, for example during job recruitment processes from your nominated referees, through police or background checking processes, or through government agencies, service providers and publicly available sources.
Use and disclosure of personal information
The Principles require Bis to use personal information only for the primary purpose for which it is collected and for such other secondary purposes as are related to the primary purpose, unless you consent to another use or an exception under the Principles or the Act applies.
In general, Bis uses personal information for the following purposes:
Depending on the product or service this means that personal information may be disclosed to:
Generally, we require that organisations outside Bis who handle or obtain personal information as service providers to Bis acknowledge the confidentiality of this information, undertake to respect any individual’s right to privacy and comply with the Principles and this standard.
In most cases, if you do not provide the information about yourself that Bis has requested, Bis may not be able to provide you with the relevant product or service.
Bis may decide to buy or sell assets that form part of or relate to the Company. In any such transaction, personal information will usually be one of the transferred assets and will be disclosed to the purchaser.
Management of personal information
Bis expects and trains its employees who handle personal information to respect the confidentiality of customer information and the privacy of individuals. Bis regards privacy very seriously and will take appropriate action, including in some cases dismissal of an employee, in response to breaches of the obligations imposed by the Principles.
Storage of personal information
Bis is required by the Principles to safeguard the security and privacy of your information, whether you interact with us in person, by telephone, by mail, over the Internet or through another electronic medium. This includes an obligation to take reasonable steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure. Annexure 1 to this Standard sets out how Bis will manage data breaches.
The Principles also require Bis not to store personal information longer than necessary. Where Bis no longer requires any personal information that it holds, that personal information should be destroyed or have details which may identify individuals removed.
Access & accuracy of personal information
Bis is required by the Principles to ensure that the personal information it holds is accurate and up-to-date. We realise that this information changes frequently with changes of address and other personal circumstances. Bis encourages you to contact it as soon as possible in order to update any personal information it holds about you.
If you consider that the personal information which we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, we will take reasonable steps, consistent with our obligations under the Act, to correct that information if you so request.
We will respond to all requests for access and/or correction within a reasonable time.
You may seek access to the personal information Bis holds about you, by making a request in writing. Release of this information must be authorised by, and given through, our Director – People, Culture and Markets. Depending on the nature of the request, we may ask you to complete an enquiry form and/or provide us with further information in order to verify your identity.
There may be instances where we cannot grant you access to the personal information we hold. For example, Bis may refuse to release such information where an exception in the Principles applies. If this happens we will give you written reasons for the refusal.
Generally, we will not charge you to act on your request for access and will not charge for making any corrections to your personal information. However, we reserve the right to charge an appropriate fee or seek reimbursement for reasonable costs associated with retrieving, copying or providing access to your personal information.
The information we provide will be personal to you only. We reserve the right to redact or withhold information to the extent it relates to, identifies, or is the personal information of, another person. We will provide you with the reason if we refuse to provide you with full access to, or permit correction of, the personal information we hold about you.
Lodging of complaints
If you consider that any action of Bis breaches this Privacy Standard or the Principles you can lodge a complaint through our Director – People, Culture and Markets.
After Bis has completed its investigation, we will contact you, usually in writing, to advise you of the outcome and invite a response to our conclusions about your complaint. If we receive a response from you, we will assess it and advise if Bis has changed its view.
If you are not satisfied with our attempt to resolve your concern you may refer the matter to the Australian Information Commissioner. More information can be obtained through the Office of the Australian Information Commissioner at: http://www.oaic.gov.au.
You can contact Bis regarding a privacy-related issue by mail, e-mail or phone to Karen Bradshaw, Chief People and Sustainability Officer:
Phone: +61 8 9202 5882
Postal Address: Bis Industries, Level 1, Brightwater House, 355 Scarborough Beach Road, Osborne Park, WA 6017
Bis’ Privacy Standard will be reviewed from time to time to take account of new laws and technology, changes to our operations and practices and the changing business environment. If you are unsure whether you are reading the most current version, please contact the People and Culture Team.
ANNEXURE 1 – NOTIFIABLE DATA BREACHES – POLICY AND RESPONSE PLAN
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples of a data breach include when:
What is “serious harm”?
“Serious harm” to an individual may include serious physical, psychological, emotional, financial or reputational harm.
Whether a data breach is “likely to result” in serious harm to an individual whose information was part of the data breach requires an objective assessment from the perspective of a reasonable person. A “reasonable person” means a person in Bis’ position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available and/or following reasonable inquiries or an assessment of the data breach.
The phrase “likely to result” means the risk of serious harm to an individual is more probable than not (rather than possible).
In assessing whether a data breach is “likely to result” in serious harm the following needs to be considered:
Assessing the degree of harm caused as a result of a data breach – and whether the data breach is notifiable – will be undertaken by the Director – People, Culture and Markets.
Response Plan – Data breach has occurred or is suspected to have occurred
Where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by Bis and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.