Consistent with the Code of Conduct and the Privacy Act, the purpose of this policy is to maintain and enforce strict controls around the collection, usage, disclosure and management of Personal Information.
This policy applies to all officers, employees and contractors of Picture My Picture, whether permanent, fixed or temporary, and including directors, executives and managers. In this policy, the term employee includes all these persons.
Picture My Picture places a high priority on the privacy and integrity of the Personal Information it collects and strives to ensure confidentiality of such information.
4 Objectives and strategies
Picture My Picture requires all employees with access to Personal Information to act with integrity when dealing with Personal Information on behalf of Picture My Picture so as to ensure Personal Information is managed securely, and personal privacy is maintained.
This policy mandates that any proposed collection, use, disclosure or management of Personal Information by Picture My Picture must be carried out in accordance with this policy and Picture My Picture’s Privacy Guidelines. This policy also mandates compliance with:
- the Privacy Act – within Australia
- the applicable laws – outside Australia.
Picture My Picture will only collect, use and disclose personal information as necessary for the performance of business activities, if required by law, or if consent is obtained from the relevant person. Sensitive Information cannot be collected, used or disclosed without the individual’s express consent.
5 Definitions
Term: Meaning
Personal Information: Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
Privacy Act: The Privacy Act 1988 (Commonwealth) as amended and, where the context permits, includes the Australian Privacy Principles (APPs) contained in the Act.
Picture My Picture respects the confidentiality of Personal Information and takes privacy seriously. Consistent with the Code of Conduct and as required by the Privacy Act, Picture My Picture maintains and enforces strict controls around the collection and use of Personal Information.
These guidelines apply to Personal Information collected by Picture My Picture, in any jurisdiction, whether Picture My Picture has asked for the information or not.
The non-Australian operations of Picture My Picture may adopt a different level of data management to that set out in these guidelines, if that is necessary to reflect local law and local business practice. However, at a minimum, the employees of those non-Australian operations must comply with these guidelines.
3 Definitions
Word/Term: Meaning
Consent: Means express consent or implied consent and includes written or verbal consent.
Identifiers: Means an identifier used to identify an individual (eg Credit Card Number).
Privacy Officer: Means the officer appointed within Picture My Picture to undertake the duties set out in these guidelines.
5 Responsibilities and authorities
Any employee who is involved in collecting, using, disclosing and managing the Personal Information of others has the responsibility to comply with these guidelines.
6 What information does Picture My Picture collect and why?
Picture My Picture will only collect Personal Information to the extent that it is reasonably necessary for the purposes of the business carried on by Picture My Picture.
Types of Personal Information that may be collected for such purposes include:
- name, addresses, e-mail address, telephone numbers, bank account details,
Note that when providing Personal Information, individuals have the right to interact anonymously with Picture My Picture, or to use a pseudonym, whenever it is lawful and reasonably practicable to do so.
7 How does Picture My Picture collect personal information?
Picture My Picture collects Personal Information orally, in writing, by telephone, via e-mail and via its website.
At or before the time when Personal Information is collected, or as soon as practicable after collection, Picture My Picture must advise the relevant individual of the existence (and provide a copy if requested) of the Privacy Statement. These guidelines can also be made available to external parties upon request.
8 Use and disclosure of personal information
Personal Information collected by Picture My Picture must only be used or disclosed for:
- the primary purpose for which it was collected
- a secondary purpose that the individual would reasonably expect if the secondary purpose is related to the primary purpose (or directly related in the case of Sensitive Information). An individual must give consent before the information can be used for any non-related purpose
- any other purpose permitted by law, eg if it is necessary to prevent serious threats to health or safety, Picture My Picture is investigating suspected unlawful activity or the disclosure is required or authorised by law.
In general terms, that means that Picture My Picture will not use or disclose Personal Information for any purpose other than for the performance of business activities or if required by law.
9 Management of personal information
Picture My Picture must protect and diligently manage the collection, use and disclosure of Personal Information by taking reasonable steps to ensure that Personal Information is:
- current and correct before it is used or disclosed
- not misused or lost, or accessed, modified or disclosed without authorisation.
When no longer required, Picture My Picture must ensure that Personal Information is destroyed or alternatively, that all identifiers are permanently removed.
10 Electronic Documents
Electronic documents containing Personal Information must be secured by password and accessible only by authorised personnel. Electronic documents are to be backed up on a periodic basis to facilitate the recovery of information in the event of a data loss event.
Personal Information in electronic form that is no longer required (or is contained in equipment that is being disposed of) must be erased to the greatest extent possible so that it is not recoverable, other than through the authorised use of the electronic archive system. Deleting items to the recycle bin is not acceptable; the recycle bin must also be emptied and/or relevant documents deleted from the recycle bin.
11 Access to Personal Information by individuals upon request
The right of access and correction can only be exercised by the person whose information is contained in the record and may be exercised by making application to the Privacy Officer. The Privacy Officer must act reasonably in considering applications and must comply with the Privacy Act.
12 Internal access protocols
Employee access to the Personal Information of others must be:
- strictly limited to a ‘need to access’ basis and not a ‘want to access’ basis
- regularly audited by the Privacy Officer to ensure that an employee’s ability to access Personal Information is aligned to the employee’s roles and responsibilities
- adjusted upon termination or alteration of employment.
Where practical, employees should be regularly reminded of the need to protect and respect Personal Information to which they have access. Reminders can be in the form of e-mails, ‘pop up’ screens on systems (which appear when a user logs on), face-to-face training, or in user guides.
13 Disclosure of Personal Information to third parties and overseas
Picture My Picture has operations in countries outside Australia. Picture My Picture may disclose Personal Information to third party service providers and business associates who provide services in connection with Picture My Picture business and these third parties may be located in Australia or overseas.
The overseas entities to which Personal Information may be disclosed by Picture My Picture may be located in (without limitation) USA, UK and Europe.
There are certain safeguards which must be met before transferring Personal Information outside Australia and these are set out in the Privacy Act, including a requirement to take reasonable steps to ensure that the recipient will handle the information in a manner consistent with the Privacy Act.
Note however, that if Sensitive Information is proposed to be disclosed to a third party, whether they are located within Australia or overseas, express consent must also first be obtained from the relevant individual. Separate operating companies within Picture My Picture must also obtain express consent before sharing Sensitive Information within Picture My Picture.
16 Complaints Procedure
If any person thinks that their Personal Information or Sensitive Information is being mishandled, they can lodge a Privacy Act Complaint Form with the Company Director via email at firstname.lastname@example.org.
The Company Director will investigate and where possible, resolve the matter. If the person is not satisfied with the internal resolution, they may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
17 Breach of privacy
A breach of these guidelines is a breach of the Code of Conduct and may lead to disciplinary action.
Actual or suspected breaches of privacy should be immediately reported to the Company Director. Further, the OAIC is empowered to investigate complaints and may make determinations and findings. An appeal can also be made to the Federal Court. Although no criminal penalties apply for non-compliance, compensation may be awarded and Picture My Picture’s reputation may also be damaged.