Privacy policy

Introduction

As a Corporate Commonwealth Entity established for a public purpose under the Navy Canteen(s) Regulation 2016 and in force under the Naval Defence Act (Cth) 1910, the Royal Australian Navy Central Canteens Board (RANCCB) is required to comply with the Privacy Act 1988 including any subsequent amendments and embedded obligations. Accordingly, in the course of its business operations, RANCCB acknowledges that it has a mandated obligation to protect the personal information of its stakeholders, including its employees, customers and other individuals.

Scope

This policy applies to the Directors of the RANCCB (trading as the Navy’s Anchorage (TNA)) and all its employees, including contractors and consultants who may directly or indirectly conduct work for the entity.

Policy Statement

The following policy explains how and when personal information is collected, used, stored, and disclosed by TNA in accordance with the Privacy Act 1988 (Privacy Act) and under the Australian Privacy Principles (APP). Please refer to the Office of the Australian Information Commissioner website (www.oaic.gov.au/privacy/australian-privacy-principles) for additional details on how the APP operates.

Definitions

Personal information

Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

APP 1: How we collect your information

The main purposes for which we collect personal information are:

• for recruitment and employment (including expressions of interest in working for TNA);
• for administration and management purposes, including Government compliance;
• to conduct the Win with Navy raffle;
• to conduct the Defence Ticketing service;
• to reply to contact made by customers; and,
• for marketing, media and public relation purposes.

We only collect personal information where you have consented, or you would reasonably expect us to collect personal information in that way.

APP 2: Anonymity and pseudonymity

We allow customers to communicate and transact with us anonymously or by using a pseudonym, wherever it is reasonable and practical.

APP 3: Information collected

The type of information collected for employment or administrative purposes typically includes your name, date of birth, gender, contact details, email, job title and interests. Where relevant, we may ask for other information such as bank account details, tax file numbers, other financial information, driver’s licence details or details of directorships, past employment history and academic achievements.

Unless disclosed to you prior or as required under employment conditions, we will not usually collect sensitive information (e.g. race or ethnic origins, religious beliefs, physical or mental health or sexual orientation).

Since we work on Defence bases, and access to these bases is restricted, criminal and other background records will be sought in connection with your employment at TNA. We will also ask if you are a Defence spouse or relative upon employment and record such information for statistical purposes.

As a Government agency, we are required to report annually on staff members who identify as being of Aboriginal and Torres Strait Islander descent. However, the provision of this information is completely voluntary.
All information reported under Government direction is provided in aggregated statistics and cannot be associated back to an individual unless required by law.

For contact and marketing purposes, information retained would be in accordance with the requirements of the account or electronic app. This may include name or a unique identifier and email.

APP 4: Unsolicited personal information

If we receive personal information about you from a source other than yourself, or it is information provided by you that we did not request, we undertake to determine within a reasonable period if we could have requested such personal information under APP 3.

If we determine that we could have collected the information under APP 3, we may then use and treat that information as if we had collected the information in that manner. If we determine that we could not have collected the information under APP 3, we will destroy or de-identify that information within a reasonable period.

APP 5: Notification of the collection of information

When we collect information about you, we will make it clear to you, either at or before the time, or as soon as practicable afterwards, why we are collecting such information. If this is collected for Win with Navy, through the TNA website or the TNA app, notification will be provided through the platform Terms and Conditions.

Principle 6: How we use the information

We will only use personal information to respond to lawful requests, to answer your enquiry, for direct marketing purposes where you have consented for your information to be used for that specific purpose, or in relation to your employment/services as a director, employee or contractor. The information is held only for as long as it is required to fulfil the purposes for which it was collected or as required by law.

Principle 7: Direct marketing

We will only use personal information we hold for the purpose of direct marketing if you agree to provide this information for this specific purpose. Our direct marketing platforms include an option to opt out of receiving communications; if not actioned, direct marketing communications will continue to be utilised. Personal information held by us will not be disclosed to third parties except with your express permission (e.g. to a supplier as a result of competition, media and public relation events).

Principle 8: Cross border disclosure

Your information will only be disclosed to third parties where required by law (domestic or international), with your direct consent or to facilitate your deployment overseas. We will take steps to maintain the security of the information and will endeavour to see that its use is consistent with this policy and our obligations under the Privacy Act. If we have to disclose your personal information, we will endeavour to advise you of the disclosure.

Email and website management

Whilst we take steps to provide a secure internet environment, you should be aware that there are inherent risks associated with the transmission of information via the internet.

Email addresses are collected from employees in accordance with this policy. If a person is not an employee, then we will record the email address when a message is sent to us. The email address will be used for the purpose for which it has been provided.

Our intranet or website may contain links to third party websites. If you access those websites (including via a link from our intranet/website) you will be subject to the privacy policy of that third party. In some cases, those third-party providers may not be subject to the Privacy Act. We will not be taken to endorse or accept responsibility for any privacy issues arising as a consequence of accessing that web-link.

We do not use electronic cookies.
However, we may track your Internet use on our IT network.

If you use our IT network to visit social media websites or applications, any personal information or content that you contribute can be read, collected, and used by other users. We have no control over use that occurs through this medium and are not responsible for any use, misuse, or misappropriation by other users of any personal information or content so contributed. When using social media or social media websites, you should read and be aware of our Social Media Policy.

If you use our Wi-Fi network, we may track your device’s IP address when you register for our Wi-Fi service.

APP 9: Use of Government related identifiers

We will not use or disclose a Government related identifier unless the use or disclosure of the identifier is reasonably necessary for us to fulfil any obligations we may have to a Government agency or an Australian State/Territory. It may also be required or authorised in accordance with Australian laws, Courts or Tribunals.

APP 10: Quality of information

We will take all steps reasonable in the circumstances to ensure that personal information we collect from you is accurate, up to date and complete. Where we collect information directly from you, we rely on you to supply accurate information and we may not consider further steps are required.

APP 11: Security of information

The Privacy Act has specific provisions that prohibit any employee of TNA from collecting, using or disclosing anyone’s personal information except in performing their duties and in specific situations permitted by law. Your personal information is disclosed in accordance with the law or with your written permission.

We take all reasonable steps to ensure the integrity and security of administrative files, physical and electronic, in our possession to protect against loss, unauthorised access, misuse, disclosure or modifications and to ensure that only authorised employees have access to such material.
Our data systems have a ‘protected’ security classification including a dual authentication system for access.

Data breaches

In the event of a data breach involving personal information, we are obliged to advise any individual where that breach is likely to result in serious harm. This is known as an ‘eligible data breach’. This notification will include recommendations about the steps that should be taken by the impacted individuals in response to this breach. As required under the Privacy Act, we will also notify the Australian Information Commissioner of the eligible data breach.

APP 12: Access to personal information

We will allow you access to any personal information we may hold on your file unless there are lawful reasons to refuse you access. Personal information can only be provided to a third party upon your written permission or if authorised by law.

In certain circumstances we may refuse access if we reasonably believe that doing so would pose a health or safety risk to any individual, have an unreasonable impact on the privacy of others, or that we consider the request to be frivolous or vexatious.

We will not release information if it relates to existing or anticipated legal proceedings between TNA and yourself if:

• it would be protected by legal professional privilege;
• any potential negotiations between TNA and yourself would be prejudiced; or
• doing so is illegal or in breach of any Court order.

If we suspect that you are involved in an unlawful activity or serious misconduct in relation to our purpose and giving you access to the information would prejudice our position, we will not release the information to you.

We will not release information if doing so would reveal information that is commercially sensitive to TNA.

APP 13: Correction of personal information

If you believe that personal information collected by us about you is inaccurate, incomplete or not up-to-date, please contact us and we will take reasonable steps to correct it in accordance with the requirements of the Privacy Act.

We will review our Privacy Policy as required.

Procedure for making a complaint

A person may make a complaint if they feel their personal information has been handled inappropriately or in breach of our privacy obligations under the Privacy Act.

In the first instance, complaints must be directed to the Privacy Officer in writing. We will investigate the complaint and prepare a response to the complainant in writing within a reasonable period of time.

If the complainant is not satisfied with our response or the manner in which we have dealt with the complaint, the individual may make a formal complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC will provide us with the opportunity to respond to the complaint.

Following its enquiries, if the OAIC decides that there is insufficient evidence to support the complaint, the OAIC may dismiss the complaint. Alternatively, if the OAIC believes there is enough evidence to support the complaint, it will try to conciliate the matter. If conciliation does not resolve the complaint, depending on the circumstances, the OAIC may either close the file or make a determination. A determination could include a requirement that we issue an apology, improve practices to reduce the likelihood of a breach of the Privacy Act, or pay compensation to the complainant.

If the OAIC closes the file, the complainant may apply to the Federal Court or the Federal Magistrates Court by way of appeal. Either party may also appeal to the Administrative Appeals Tribunal for a review of any compensation amount ordered by the OAIC.

Change of Policy

The Navy’s Anchorage reserves the right to alter its Privacy Policy from time to time at its discretion and without notice. At any time, the latest version is available from www.thenavysanchorage.com.au or by contacting the Privacy Officer at executive@thenavysanchorage.com.au

Status: Under Review
Author: CEO
Reviewer: Risk, Compliance and Audit Committee
Reference:
Date: 3 May 2021