CLUB POLICY ON PRIVACY PROTECTION

Purpose

Blacktown Workers Club is committed to the protection of personal privacy as required under the Privacy Act 1988 (“the Privacy Act”) and has adopted a set of privacy principles based on the National Privacy Principles contained in Schedule 3 of the Privacy Act. Any personal information provided by you to the Club, including information collected by your membership card being placed in a gaming machine or other club machine linked to a member loyalty system that may provide a benefit or service to you, will be protected.

Policy

This policy sets out Blacktown Workers Club’s Privacy Protection Principles. These are the principles that the Club has adopted in order to protect information about individuals. These principles deal with the collection, use and disclosure of personal information, as well as access to information and intrusion issues. It also sets out the principles that the Club will adopt when considering the introduction of new services. The principles comply with the National Privacy Principles.

Where the Club’s agents, contractors or service providers are required to refer to this document, references to ‘Blacktown Workers Club’ or ‘the Club’ are to be taken to include references to those agents, contractors or service providers.

Blacktown Workers Club’s Privacy Protection Principles are:

Principle 1 – Collection

The Club will only collect personal information that is necessary for one or more of its functions or activities.

The Club will only collect personal information by lawful and fair means and not in an unreasonably intrusive way.

At or before the time (or, if that is not practicable, as soon as practicable thereafter) the Club collects personal information about an individual from the individual, the Club will take reasonable steps to ensure that the individual is aware of:

  1. The identity of Blacktown Workers Club and how to contact it;
  2. The fact that he or she is able to gain access to the information;
  3. The purposes for which the information is collected;
  4. The organisations (or the types of organisations) to which Blacktown Workers Club usually discloses information of that kind;
  5. Any law that requires the particular information to be collected; and
  6. The main consequences (if any) for the individual if all or part of the information is not provided.

If it is reasonable and practicable to do so, the Club will collect personal information about an individual only from that individual. Sometimes the Club may collect information about individuals from others who may hold that information, such as credit or bank references. If the Club collects personal information about an individual from someone else, the Club will take reasonable steps to ensure that the individual is or has been made aware of the matters listed from (a) to (f) above except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

Principle 2 – Use & Disclosure

The Club will only use or disclose personal information about an individual for a purpose other than the primary purpose of collection (a secondary purpose) if:

  1. both of the following apply:
    1. the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
    2. the individual would reasonably expect the Club to use or disclose the information for the secondary purpose; or
  2. the individual has consented to the use or disclosure; or
  3. the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
    1. it is impracticable for the Club to seek the individual’s consent before that particular use; and
    2. the Club will not charge the individual for giving effect to a request by the individual to the Club not to receive direct marketing communications; and
    3. the individual has not made a request to the Club not to receive direct marketing communications; and
    4. in each direct marketing communication with the individual, the Club draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and
    5. each written direct marketing communication by the Club with the individual (up to and including the communication that involves the use) sets out the Club’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the Club can be directly contacted electronically; or
  4. if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:
    1. it is impracticable for the Club to seek the individual’s consent before the use or disclosure; and
    2. the use or disclosure is conducted in accordance with guidelines approved by the Privacy Commissioner under section 95A of the Privacy Act for the purposes of this subparagraph; and
    3. in the case of disclosure—the Club reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or
  5. the Club reasonably believes that the use or disclosure is necessary to lessen or prevent:
    1. a serious and imminent threat to an individual’s life, health or safety; or
    2. a serious threat to public health or public safety; or
  6. the Club has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
  7. the use or disclosure is required or authorised by or under law; or
  8. the Club reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
    1. the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
    2. the enforcement of laws relating to the confiscation of the proceeds of crime;
    3. the protection of the public revenue;
    4. the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
    5. the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

If the Club uses or discloses personal information under paragraph (h) above, it will make a written note of the use or disclosure.

The first paragraph above operates in relation to personal information that the Club has collected from a related body corporate as if the Club’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

Principle 3 – Data Quality

The Club will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Principle 4 – Data Security

The Club will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

The Club will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under Blacktown Workers Club Privacy Protection Principle 2.

Principle 5 – Openness

Blacktown Workers Club will set out in a document clearly expressed policies on its management of personal information. The Club will make the document available to anyone who asks for it. On request by an individual, the Club will take reasonable steps to let the individual know, generally, what sort of personal information it holds, for what purposes, and how it collects, uses, and discloses that information.

Principle 6 – Access and Correction

If the Club holds personal information about an individual, it will provide the individual with access to the information on request by the individual, in a form or manner suitable to the individual’s reasonable needs, except to the extent that:

  1. in the case of personal information other than health information, providing access would pose a serious and imminent threat to the life or health of any individual; or
  2. in the case of health information – providing access would pose a serious threat to the life or health of any individual; or
  3. providing access would have an unreasonable impact upon the privacy of other individuals; or
  4. the request for access is frivolous or vexatious; or
  5. the information relates to existing or anticipated legal proceedings between the Club and the individual, and the information would not be accessible by the process of discovery in those proceedings; or
  6. providing access would reveal the intentions of the Club in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  7. providing access would be unlawful; or
  8. denying access is required or authorised by or under law; or
  9. providing access would be likely to prejudice an investigation of possible unlawful activity; or
  10. providing access would be likely to prejudice:
    1. the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
    2. the enforcement of laws relating to the confiscation of the proceeds of crime; or
    3. the protection of the public revenue; or
    4. the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
    5. the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders; by or on behalf of an enforcement body; or
  11. an enforcement body performing a lawful security function asks the Club not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

However, where providing access would reveal evaluative information generated within the Club in connection with a commercially sensitive decision-making process, the Club may give the individual an explanation for the commercially sensitive decision rather than direct access to the information. If the Club has given an individual an explanation under the above paragraph and the individual believes that direct access to the evaluative information is necessary to provide a reasonable explanation of the reasons for the decision, the Club will, at the request of the individual, undertake a review of the decision not to release the information. Personnel other than the original decision-maker will undertake the review.

If the Club is not required to provide the individual with access to the information because of one or more of paragraphs (a) – (k) above (inclusive), the Club will, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

If the Club levies charges for providing access to personal information, those charges:

  1. will not be excessive; and
  2. will not apply to lodging a request for access.

If the Club holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the Club will take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

If the individual and the Club disagree about whether the information is accurate, complete and up-to-date, and the individual asks the Club to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the Club will take reasonable steps to do so. The Club will provide reasons for denial of access or a refusal to correct personal information.

Principle 7 – Identifiers

Except as specifically authorised under the Privacy Act, the Club will not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

  1. an agency; or
  2. an agent of an agency acting in its capacity as agent; or
  3. a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

The Club will not use or disclose an identifier assigned to an individual by an agency (or by an agent, or contracted service provider mentioned above) unless:

  1. the use of disclosure is necessary for the Club to fulfill its obligations to the agency;
  2. one or more of paragraphs (e) to (h) in Privacy Protection Principle 2 above (inclusive) apply to the use or disclosure; or
  3. the use or disclosure is permitted under the regulations to the Privacy Act.

Note – the terms ‘agency’ and ‘contracted service provider’ in Privacy Protection Principle 7 are defined in the Privacy Act, but, in general, relate to Commonwealth Government agencies.

Principle 8 – Anonymity

Wherever it is lawful and practicable, individuals will have the option of not identifying themselves when entering transactions with the Club. However, in most cases it will not be practicable for the Club to provide services without requiring customer identification.

Principle 9 – Transborder Data Flows

The Club will transfer personal information about an individual to someone (other than the Club or the individual) who is in a foreign country only if:

  1. the Club reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Club’s Privacy Protection Principles; or
  2. the individual consents to the transfer; or
  3. the transfer is necessary for the performance of a contract between the individual and the Club, or for the implementation of pre-contractual measures taken in response to the individual’s request; or
  4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the Club and a third party; or
  5. all of the following apply:
    1. the transfer is for the benefit of the individual; and
    2. it is not practicable to obtain the consent of the individual to that transfer; and
    3. if it were practicable to obtain such consent, the individual would be likely to give it; or
    4. the Club has taken reasonable steps to ensure that the information, which it has transferred, will not be held, used or disclosed by the recipient of the information inconsistently with the Club’s Privacy Protection Principles.

Principle 10 – Sensitive Information

The Club will not collect Sensitive Information about an individual unless:

  1. the individual has consented; or
  2. the collection is required by law; or
  3. the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
    1. is physically or legally incapable of giving consent to the collection; or
    2. physically cannot communicate consent to the collection; or
  4. the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

Despite the above paragraph, the Club may collect health information about an individual if:

  1. the information is necessary to provide a health service to the individual; and
  2. the information is collected:
    1. as required by law (other than the Privacy Act); or
    2. in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the Club.

Despite the first paragraph, the Club may collect health information about an individual if:

  1. the collection is necessary for any of the following purposes:
    1. research relevant to public health or public safety;
    2. The compilation or analysis of statistics relevant to public health or public safety;
    3. the management, funding or monitoring of a health service; and
  2. that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and
  3. It is impracticable for the Club to seek the individual’s consent to the collection; and
  4. The information is collected:
    1. As required by law (other than the Privacy Act); or
    2. In accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the Club; or
    3. In accordance with guidelines approved by the Privacy Commissioner under section 95A of the Privacy Act.

If the Club collects health information about an individual in accordance with this last paragraph, the Club will take reasonable steps to permanently de-identify the information before the Club discloses it.