PRIVACY POLICY

Effective Governance Pty Ltd (ABN 64 619 698 761) and its Related Bodies Corporate (eG)

Last updated August 2022

1. Purpose

1.1. Background

This Privacy Policy applies to personal information collected by Effective Governance Pty Ltd (Effective Governance) (ACN 619 698 761) and its related bodies corporate. We are bound by the Australian Privacy Principles and the Privacy Act 1988 (Cth) (Privacy Act), which govern the way private sector organisations collect, use, keep secure and disclose personal information.

The Privacy Act sets the minimum standards we must meet when handling personal information. ‘Personal information’ is defined in the Privacy Act as: 

Information or an opinion about an identified individual, or an individual who is reasonably identifiable: 

a)    whether the information or opinion is true or not; and 

b)    whether the information or opinion is recorded in a material form or not. 

The Privacy Act contains 13 Australian Privacy Principles (APPs). The APPs: 

•    set out legally binding standards for handling personal information; 
•    regulate how we collect, store, use and disclose personal information; 
•    allow people to access the information that we keep about them; and 
•    allow people to correct or update their information. 

The APPs are contained in Schedule 1 of the Privacy Act. A plain English summary of the APPs is set out in Appendix 1 of this Privacy Policy.

1.2. Purpose

The purpose of this Privacy Policy is to generally inform people of:

•    How and when we collect personal information.
•    How we use and disclose personal information.
•    How we keep personal information secure, accurate and up to date.
•    How an individual can access and correct their personal information.
•    How we will facilitate or resolve a privacy complaint.

If you have any concerns or questions about the way your personal information has been collected, used or disclosed by us, we have put in place an effective mechanism and procedure for you to contact us so that we can attempt to resolve the issue or complaint. Please contact our Privacy Officer at catejolley@effectivegovernance.com.au or call us on (07) 3024 0455 and our Privacy Officer will then attempt to resolve the issue. 

Where we obtain personal information from a citizen of a member state of the European Union, we are governed by the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR).

2. Scope

The Privacy Policy applies to all employees of Effective Governance in collecting, holding, accessing and correcting personal information and sensitive information on our behalf.

This policy is relevant to any individual who discloses personal information to Effective Governance. 

3. Policy

3.1. What is your personal information?

When used in this Privacy Policy, the term ‘personal information’ has the meaning given to it in the Privacy Act. In general terms, it is any information that can be used to personally identify you. This may include your name, address, telephone number, email address and profession or occupation. If the information we collect personally identifies you, or you are reasonably identifiable from it, the information will be considered personal information.

3.2. What personal information do we collect and hold?

We will only use or disclose your personal information for the primary purposes for which it was collected or as consented by you. We may collect the following types of personal information about you: 

•    name; 
•    mailing or street address; 
•    email address; 
•    telephone number; 
•    age or birth date; 
•    profession, occupation or job title; 
•    employment history; 
•    educational history; 
•    medical information; 
•    security information from Police and other governmental departments; 
•    Tax File Number; 
•    superannuation account information; 
•    bank account information; 
•    details of the services you have acquired from us or which you have enquired about, together with any additional information necessary to deliver those services and to respond to your enquiries; 
•    any additional information relating to you that you provide to us directly through our website or indirectly through use of our website or online presence, through our representatives or otherwise; and 
•    information that you provide to us through client surveys or visits by our advisors from time to time.

We may also collect some information that is not personal information because it does not identify you or anyone else. For example, we may collect anonymous answers to surveys or aggregated information about how users use our website.

At or around the time we collect personal information from you, we will endeavour to provide you with a notice which details how we will use and disclose that specific information. 

We set out some common collection, use and disclosure instances in Appendix 2.

3.3. How eG collects and holds personal information

3.3.1. Collection generally

As much as possible or unless provided otherwise in this Privacy Policy or a notification, we will collect your personal information directly from you.

Where you are a board member of a company to whom we provide our governance services, we generally collect your personal information from the company secretary of that company.

When you engage in certain activities, such as filling out a survey or sending us feedback, we may ask you to provide certain information. It is completely optional for you to engage in these activities.

Depending upon the reason for requiring the information, some of the information we ask you to provide may be identified as mandatory or voluntary. If you do not provide the mandatory information or any other information we require in order for us to provide our products or services to you or address an enquiry you have, we may be unable to provide our products or services to you or answer your enquiry in an effective manner, or at all.

3.3.2. Other collection types

We may also collect personal information about you from other sources, such as competitions and from third parties. Some examples of these alternative collection events are:

•    when we collect personal information about you from third parties; or
•    when we collect personal information about you from publicly available sources including but not limited to, court judgments, directorship and bankruptcy searches, Australia Post, White Pages directory, and social media platforms (such as Facebook, Twitter, Google, TikTok, Instagram, etc.).

3.4. Notification of collection

If we collect details about you from someone else, we will, whenever reasonably possible, make you aware that we have done this and why, unless special circumstances apply, including as described in clauses 3.4(a) to 3.4(c) below.

We will not tell you when we collect personal information about you in the following circumstances:

a.    where information is collected from any personal referee you have listed on any application form (including any employment application) with eG;
b.    where information is collected from publicly available sources including but not limited to court judgments, directorship and bankruptcy searches, social media platforms (such as Facebook, Twitter, Google, TikTok, Instagram, etc.); or
c.    as otherwise required or authorised by law.

3.5. Unsolicited personal information

In the event we collect personal information from you, or a third party, in circumstances where we have not requested or solicited that information (known as unsolicited information), and it is determined by Effective Governance (in its absolute discretion) that the personal information is not required, we will destroy the information or ensure that the information is de-identified.

If the unsolicited personal information collected is in relation to potential future employment with eG, such as your CV, resume or candidacy related information, and it is determined by Effective Governance (in its absolute discretion) that it may consider you for potential future employment, we may keep the personal information on our human resource records. 

3.6. How we hold your personal information

Once we collect your personal information, we will either hold it securely and store it on infrastructure owned or controlled by us or with a third-party service provider who has taken reasonable steps to ensure they comply with the Privacy Act. We provide some more general information on our security measures in section 3.13 (Data security and quality).

3.7. Cookies and IP addresses

If you use our website, we may utilise ‘cookies’ which enable us to monitor traffic patterns, trends and to serve you more efficiently if you revisit our website. In most cases, a cookie does not identify you personally but may identify your internet service provider or computer.

We may gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our services. This information does not identify you personally.

However, in some cases, cookies may enable us to aggregate certain information with other personal information we collect and hold about you. Effective Governance extends the same privacy protection to your personal information, whether gathered via cookies or from other sources, as detailed in this Privacy Policy. 

You can set your browser to notify you when you receive a cookie and this will provide you with an opportunity to either accept or reject it in each instance. However, if you disable cookies, you may not be able to access certain areas of our website or take advantage of the improved website experience that cookies offer.

3.8. Who do we disclose your information to? 

We may disclose your personal information to: 

•    our employees, related bodies corporate, contractors or service providers for the purposes of operation of our website or our business, fulfilling requests by you, and to otherwise provide services to you including, without limitation, web hosting providers, IT systems administrators, mailing houses, couriers, payment processors, data entry service providers, electronic network administrators, debt collectors, and professional advisors such as accountants, solicitors, business advisors and consultants; 
•    our customers, particularly those with security requirements; 
•    other third parties appointed by Effective Governance who may require access to personal information in order to perform our services and our business operations; 
•    suppliers and other third parties with whom we have commercial relationships, for business, marketing, and related purposes; and 
•    any organisation for any authorised purpose with your express consent. 

We may combine or share any information that we collect from you with information collected by any of our related bodies corporate (within Australia).

3.9. Personal data about other people which you provide to us

Effective Governance may require the personal data of third parties (such as name, contact details and e-signature) for the purpose of managing electronic agreements. If you provide personal data to us about someone else (such as one of your directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this Privacy Policy. In particular, you must ensure the individual concerned is aware of the various matters detailed in this Privacy Policy, as those matters relate to that individual, including our identity, how to contact us, our purposes of collection, our personal data disclosure practices (including disclosure to overseas recipients), the individual’s right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided (such as our inability to provide services).

3.10. Direct marketing materials

We may send you direct marketing communications and information about our services that we consider may be of interest to you. These communications may be sent in various forms, including mail, SMS and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth). If you indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so. In addition, at any time you may opt-out of receiving marketing communications from us by contacting us (see the details below) or by using opt-out facilities provided in the marketing communications and we will then ensure that your name is removed from our mailing list.

3.11. Credit information and our Credit Reporting Policy

3.11.1. Credit information generally

The Privacy Act 1988 (Cth) contains provisions regarding the use and disclosure of credit information, which applies in relation to the provision of both consumer credit and commercial credit.

3.11.2. Credit information and Effective Governance

As we provide terms of payment of accounts which are greater than 7 days, we are considered a credit provider under the Privacy Act in relation to any credit we may provide you (in relation to the payment of your account with us).

We use credit related information for the purposes set out in the ‘Credit information’ section of the table in Appendix 2 and our Credit Reporting Policy, which includes but is not limited to using the information for our own internal assessment of your credit worthiness.

3.11.3. Storage and access

We will store any credit information you provide us, or which we obtain about you, with any other personal information we may hold about you.

You may request to access or correct your credit information in accordance with the provisions of section 3.14 and the provisions of our Credit Reporting Policy.

3.11.4. Complaints

Please see section 3.15 of this Policy and the provisions of our Credit Reporting Policy if you wish to make a complaint in relation to our handling of your credit information.

3.11.5. Our Credit Reporting Policy

Please see our Credit Reporting Policy for further information as to the way we collect, use, store and disclose credit information.

3.12. Do we disclose your personal information to anyone outside Australia? 

Any personal information collected and held by Effective Governance may be disclosed to, and held at, a destination outside Australia, including but not limited to the US and Canada, where we utilise third party service providers to assist us with providing our services to you. Personal information may also be processed by staff or by other third parties operating outside Australia who work for us or for one of our suppliers, agents, partners or related companies.

As we use service providers and platforms which can be accessed from various countries via an Internet connection, it is not always practicable to know where your information may be held. If your information is stored in this way, disclosures may occur overseas.

In addition, we may utilise overseas IT services (including software, platforms and infrastructure), such as data storage facilities or other IT infrastructure. In such cases, we may own or control such overseas infrastructure or we may have entered into contractual arrangements with third party service providers to assist eG with providing our products and services to you.  

3.12.1. Provision of informed consent

By submitting your personal information to Effective Governance, you expressly agree and consent to the disclosure, transfer, storing or processing of your personal information outside of Australia. In providing this consent, you understand and acknowledge that countries outside Australia do not always have the same privacy protection obligations as Australia in relation to personal information. However, we will take steps to ensure that your information is used by third parties securely and in accordance with the terms of this Privacy Policy. 

The Privacy Act requires us to take such steps as are reasonable in the circumstances to ensure that any recipients of your personal information outside of Australia do not breach the privacy principles contained within the Privacy Act. Where you provide your consent, we are not required under the Privacy Act to take such steps as may be reasonable in the circumstances. However, despite this, we acknowledge the importance of protecting personal information and have taken reasonable steps to ensure that your information is used by third parties securely and in accordance with the terms of this Privacy Policy.

3.12.2. If you do not consent

If you do not agree to the disclosure of your personal information outside Australia by Effective Governance, you should (after being informed of the cross-border disclosure) tell us that you do not consent. To do this, either elect not to submit the personal information to Effective Governance after being reasonably informed in a collection notification, or please contact us via the details set out at the top of this document.

3.13. Data security and quality 

We take reasonable steps to ensure your personal information is protected from misuse and loss and from unauthorised access, modification or disclosure. 

We may hold your information in either electronic or hard copy form. Personal information is destroyed or de-identified when no longer needed or when we are no longer required by law to retain it (whichever is the later).

3.14. How can you access and correct your personal information? 

You may request access to any personal information we hold about you at any time by contacting us (see the details below). Where we hold information that you are entitled to access, we will try to provide you with suitable means of accessing it (for example, by mailing or emailing it to you). We may charge you a reasonable fee to cover our administrative and other reasonable costs in providing the information to you. We will not charge for simply making the request and will not charge for making any corrections to your personal information. 

There may be instances where we cannot grant you access to the personal information we hold. For example, we may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal. 

If you believe the personal information we hold about you is incorrect, incomplete or inaccurate, then you may request us to amend it. We will consider if the information requires amendment. If we do not agree that there are grounds for amendment, then we will add a note to the personal information stating that you disagree with it.

3.15. What is the process for complaining about a breach of privacy? 

If you believe that your privacy has been breached, please contact us using the contact information below and provide details of the incident so that we can investigate it. We will treat your complaint confidentially, investigate your complaint and aim to ensure that we contact you and your complaint is resolved within a reasonable time (and in any event within the time required by the Privacy Act, if applicable). 

If you are unhappy with the way that we are using your personal data, or if you are not satisfied with our response to a complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (to the extent that the Privacy Act 1988 (Cth) applies) or if the GDPR applies, with a Data Protection Authority.

3.16. Contacting us

If you have any questions about this Privacy Policy, any concerns or a complaint regarding the treatment of your privacy or a possible breach of your privacy, please use the Contact Us link on our website (available at: www.effectivegovernance.com.au/page/contact/contact-us) or contact our Privacy Officer using the details set out below. 

You can contact our Privacy Officer via: 

Post:     

Privacy Officer
Effective Governance
Level 8, Waterfront Place
1 Eagle Street
Brisbane QLD 4000
Australia

Tel:     

+61 7 3024 0455

Email:     

catejolley@effectivegovernance.com.au

3.17. Data Breach Notification 

The Notifiable Data Breach (NDB) Scheme contained in Part IIIC of the Privacy Act requires certain entities to notify individuals and the Office of the Australian Information Commissioner (OAIC) about data breaches that are likely to cause serious harm.

Effective Governance accepts its obligation to keep personal information safe and is open and transparent in how data is handled. If personal data systems are breached, data is misused or lost, then Effective Governance will take all reasonable and practicable means to contact individuals whose personal information is involved. We will advise such individuals of the extent of the data breach (if known) and advise individuals of the most appropriate means of regaining control of their information to limit the personal impact of the breach. If appropriate, Effective Governance will also report any breach of data to the OAIC.

3.18. European Union – Additional Provisions

In addition to the protections given under this policy, where we offer or provide our products or services to individuals located in the European Union (EU) (including the European Economic Area (EEA)), their personal information will be subject to Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR) and the following provisions apply:


•    Effective Governance is the data controller for the purposes of processing personal information.
•    Our Privacy Officer is our Data Protection Officer for the purposes of the GDPR. 
•    We rely on the following legal grounds to process your personal information: 

–    Contract performance – we may collect and process your personal information to enter into a contract with an individual or to perform our obligations under a contract to which an individual is a party.
–    If it is necessary to pursue our legitimate interests and does not override your rights and interests – this is the usual basis on which we carry out our business and manage risk.
–    With consent – where required, we will only use your personal information for the purposes for which valid or explicit consent is given. 
–    To comply with laws that apply to us including exercising our rights – we may use and process your personal information where we are legally required to do so.

3.18.1. Your additional rights and choices

In addition to the above, an individual located in the European Union has the following rights:

•    Erasure: You can ask us to erase your personal information without undue delay in certain circumstances such as if you withdraw your consent and we otherwise have no legal reason to retain it.
•    Restrictions of processing: You can object to, and ask us to restrict, our processing of your personal information in certain circumstances, such as while we verify your assertion the information is inaccurate or if we are processing your information for our legitimate interests or for direct marketing purposes (we may be legally entitled to refuse that request).
•    Data portability: You can, in some circumstances such as where we are processing your information with your consent, receive some personal information you have given us in a structured, commonly used and machine-readable format and/or ask us to transmit it to someone else if technically feasible.
•    Right to object: You can withdraw your consent (but we may be able to continue processing without your consent if there is another legitimate reason to do so).
•    Right to complain: You can lodge a complaint with the relevant European data protection authority if you think that any of your rights have been infringed by us.

If we refuse any request you make in relation to your personal information rights, we will write to you to explain why and how you can make a complaint about our decision.

3.19. Breaches of this Policy

The breach of this policy by an employee, director or officer of Effective Governance may lead to disciplinary action being taken in accordance with our disciplinary procedure. Serious breaches may be regarded as gross misconduct and can lead to immediate dismissal.

All employees, directors and officers of Effective Governance will be expected to cooperate fully in any investigation into suspected breaches of this policy or any related processes or procedures.

If any part of this policy is unclear, clarification should be sought from the Privacy Officer.

3.20. Changes to our Privacy Policy 

We may change this Privacy Policy from time to time, to take account of new laws or technology, or changes to our functions, operations and practices. Any updated versions of this Privacy Policy will be posted on our website and will be effective from the date of posting.
 

4. Definitions 

Term

Definition

Australian Privacy Principles (APPs)

Means the principles that set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information as contained in Schedule 1 of the Privacy Act 1988 (Cth).

Consent

Agreement which must be freely given, specific, informed and be an unambiguous indication of the individual’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal information relating to them.

Data breach

Occurs when personal information we hold is subject to unauthorised access or disclosure, or is lost. Examples include:

  • Malicious breach, e.g. someone hacking into Effective Governance’s computer system or unauthorised access to databases in the workplace, such as an employee browsing sensitive customer records without a legitimate purpose;
  • Accidental loss, e.g. IT equipment/hard copy documents left on public transport by an employee; and
  • Negligent disclosure, e.g. an organisation, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the organisation and releases the information from its effective control in a way not permitted by the Privacy Act, such as an employee accidentally publishing a confidential data file with personal information of one or more individuals on the internet.

Data controller

The person or organisation that determines when, why and how to process personal data in line with the GDPR. eG is the data controller for the purposes of the GDPR.

Data Protection Officer

The person required to be appointed in specific circumstances under the GDPR. Our Privacy Officer is the Data Protection Officer for the purposes of the GDPR.

eG

Effective Governance

Eligible data breach

Means a breach of personal data security that is likely to result in serious harm to any of the individuals to whom the data relates, and Effective Governance has been unable to prevent the likely risk of serious harm with remedial action.

Employee

Effective Governance employs persons in a variety of capacities and therefore the term ‘employee’ is to be given a broad definition. Employees can include a director, officer, employee, contractor or agent of Effective Governance.

General Data Protection Regulation (GDPR)

Means the legal framework governing the collection and processing of personal information of individuals located in the European Union (EU). The GDPR has extraterritorial reach and applies to entities outside the EU which do business with individuals located in the EU.

Health information

Information or opinion about a person’s physical, mental or psychological health or disability, that is also personal information – whether in writing or not. This includes information or opinion about a person’s health status and medical history, immunisation status and allergies, as well as counselling records.

Loss

Refers to the accidental or inadvertent loss of personal information held by Effective Governance, in circumstances where it is likely to result in unauthorised access or disclosure.

Notifiable Data Breach Scheme

Means established requirements for entities to notify individuals and the Australian Information Commissioner of eligible data breaches, as per the Privacy Act 1988 (Cth).

Office of the Australian Information Commissioner (OAIC)

The OAIC is the independent national regulator for privacy and freedom of information.

Personal information or data

Information or opinion, whether true or not, about a person whose identity is apparent, or can reasonably be ascertained, from the information or opinion – that is recorded in any form. For example, a person’s name, address, phone number and date of birth (age). De-identified information about employees can also be personal information.

Personal data

As defined under the GDPR, means any information relating to an identified or identifiable natural person residing in the EU. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Privacy Officer

Means the person appointed by Effective Governance from time-to-time to manage all inquiries and complaints arising under this policy. The Privacy Officer may delegate the management of any or all of the inquiries and complaints arising under this Policy to the Privacy Coordinator.

Processing or process

Means any activity that involves the use of personal information. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal information to third parties.

Sensitive information

Information or opinion about a set of specific characteristics, including a person’s racial or ethnic origin, political opinions or affiliations, religious beliefs or affiliations, philosophical beliefs, sexual preferences or practices; or criminal record. It also includes health information.

Serious harm

‘Serious harm’ to an individual may include physical, psychological, emotional, financial or reputational harm. Assessment of whether harm is serious will depend on the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm.

Unauthorised access/disclosure

Occurs if Effective Governance, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the organisation and releases that information from its effective control in a way that is not permitted by the Privacy Act 1988 (Cth). This includes an unauthorised disclosure by an employee of the company.

we (us, our, ours)

Effective Governance (eG)

you (your, yours)

Any individual who discloses personal information to Effective Governance.


5. Responsibilities

5.1. Policy Management

The Board of Directors has overall responsibility for this policy and in ensuring that we comply with all our privacy obligations.

Approval of the Policy is vested with the Board.

Reviews of the Policy are the responsibility of the CEO and will be conducted annually. This is to ensure that the policy remains consistent with all relevant legislative requirements.

5.2. Policy Implementation

Implementation of this Policy is the responsibility of the CEO.

6. Procedure

The Data Breach Procedure provides additional detail to give practical effect to the Privacy Policy.

7. References

Legislation
•    Privacy Act 1988 (Cth)
•    Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
•    Spam Act 2003 (Cth)

Policies
•    Credit Reporting Policy
•    Data Breach Procedure
 

8. Appendices

Appendix 1: Summary of the Australian Privacy Principles

Appendix 2: Common collection, use and disclosure instances

Appendix 1: Summary of the Australian Privacy Principles

The Office of the Australian Information Commissioner has provided the following summary of the Australian Privacy Principles (APPs).

APP 1—Open and transparent management of personal information 

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy. 

APP 2—Anonymity and pseudonymity 

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply. 

APP 3—Collection of solicited personal information 

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information. 

APP 4—Dealing with unsolicited personal information 

Outlines how APP entities must deal with unsolicited personal information. 

APP 5—Notification of the collection of personal information 

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters. 

APP 6—Use or disclosure of personal information 

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds. 

APP 7—Direct marketing 

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. 

APP 8—Cross-border disclosure of personal information 

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas. 

APP 9—Adoption, use or disclosure of government related identifiers 

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual. 

APP 10—Quality of personal information 

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure. 

APP 11—Security of personal information 

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. 

APP 12—Access to personal information 

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies. 

APP 13—Correction of personal information 

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.


 
Appendix 2: Common collection, use and disclosure instances

Purpose | Type of Information | Uses | Disclosures

General enquiries / Website ‘Contact eG’ ‘Proposal request’

Contact information: such as your name, company name, address, billing address (if different to address), email address, board membership details and phone numbers.

Transaction sales: (where applicable to your enquiry) such as:

  • Delivery information.
  • Billing and account details.
  • Payment card details.

Customer Service: information collected in connection with your enquiry by our customer services department and staff.

 

The types of uses we will make of personal information collected for this type of purpose include:

  • Identity verification: if required, the verification of your identity, and to protect eG’s websites from security threats, fraud or other criminal activities.
  • Services: using your personal information in the provision of our services to you including:
      - assisting you with payment processing, including charging, credit card authorisation, verification and debt collection; and
      - providing other customer service functions, including handling customer enquiries and complaints.
  • Marketing: using your personal information for the purposes set out in the ‘Marketing’ section below.
  • General administrative and security use:
      - The use for the administration and management of eG.
      - The maintenance and development of our products and services, business systems and infrastructure.
      - In connection with the sale of any part of eG’s business or a company owned by an eG entity.
      - For quality assurance purposes.

The types of disclosures we will make of personal information collected for the type of purposes listed include, without limitation, to:

  • Third parties connected with the sales process including ecommerce, payment gateway providers and financial institutions.
  • Service providers (including IT service providers and consultants) who assist eG in providing our products and services.
  • Related bodies corporate of eG (including related entities).
  • Third parties in connection with the sale of any part of eG’s business or a company owned by an eG entity.
  • Third parties connected with the marketing process who assist us in providing our products and services to you.
  • As required or authorised by law.

New assignment

New and potential assignments:

  • Your name, company name, address, billing address (if different to address), email address, board membership details and phone numbers.
  • Alternative contact (name, address and phone number).
  • Bank account (including bank statements), credit or debit card details.
  • Any personal information recorded in documentation or business cards that you provide to us during or prior to your engagement of eG to provide our services to you.

For full details relating to uses of personal information in relation to the use of credit information, please refer to our Credit Reporting Policy.

Provision of services: the provision of our services to you, including by contacting you for information on your governance practices and to provide you with governance advice.

Vendor and supplier payments: the processing of any payments and refunds, credit card authorisation, verification and debt collection if applicable.

Credit checks: using director details to conduct checks for financial standing and creditworthiness (as detailed in our Credit Reporting Policy).

Marketing: using your personal information for the purposes set out in the ‘Marketing’ section below.

General administrative and security use as detailed in the Uses column for ‘General enquiries / Website ‘Contact Us’ / Governance Action Plan survey’.

For full details relating to disclosures of personal information in relation to any credit information, please refer to our Credit Reporting Policy.

In summary, we may disclose this type of personal information to:

  • Our contractors, agents and third-party providers who undertake billing and credit services on our behalf.
  • Third party providers who assist us in providing our products and services to you.
  • Third parties, such as external debt recovery agents, court or other entities to which we are required by law to disclose personal information.
  • The parties listed in the Disclosures column for ‘General enquiries / Website ‘Contact eG’ ‘Proposal request’’.

Marketing

Contact information: Such as your name, company name, email address, current postal and residential addresses, and phone numbers.

eG News blog: Information such as:

  • your name and email address; and
  • any other personal information you provide as contained in the message section of your comment on our eG News blog.

Newsletter subscriptions: the personal information you provide us in order to subscribe to our newsletter, such as your name, organisation name and email address.

Competitions: any personal information you provide to us as part of your entry into our competitions, such as our business card draw.

Social media activity: including ‘likes’, comments posted, any of your oppositions or feedback, photos posted or uploaded and other information pertaining to your social media activities which concern, or relate, to eG.

General marketing and consumer analytics: using your personal information:

  • To aggregate with other information and to then use it for marketing and consumer analytics.
  • To offer you updates on products, events or information that may be of interest to you, including same from our related entities.
  • For marketing and promotional activities by us and our related entities (including by direct mail and email) such as our email alerts, product awareness information and to send you our newsletters.
  • For the Uses detailed above in ‘General enquiries / Website ‘Contact Us’ / Governance Action Plan survey’.

Online accounts or social media: If you participate in our social media platforms (such as Twitter and LinkedIn) and you provide us your personal information, we will use it for:

  • Adding account holders to the marketing database.
  • Customer service-related contact.
  • Responding to social media messages.
  • Fulfilling social media platform rules.

We may disclose your personal information to:

  • Third parties connected with the marketing process who assist us in providing our products and services to you.
  • The parties listed in the Disclosures column for ‘General enquiries / Website ‘Contact eG’ ‘Proposal request’’.

Human Resources

Contact information: such as your name, email address, current postal and residential address, phone numbers, country of residence, next of kin contact details.

Employee record information.

Identifying information: such as your photo, passport and residency details, date of birth.

CV, resume or application related information: Such as the details provided in your resume or CV, your eligibility to work in Australia, your education, previous employment details, professional memberships or qualifications.

Tax, superannuation and payroll information: Such as your Tax File Number and ATO Declaration, Superannuation details and financial institution details.

Background check information: Information obtained from you or third parties to perform background checks.

Medical or health information which you voluntarily provide to us as part of pre-employment medicals, random drug and alcohol testing or such other information which may be related to an incident which has occurred during your employment.

Performance related information: Pre-employment testing and other information collected by eG’s systems in the course of the employee or contractor’s engagement with eG.

Information collected from referees

Security information: Such as CCTV footage and photographs taken on our premises.

Background checks: Utilising the information collected for the purpose of assessing candidate suitability for role, including by obtaining:

  • Verification of your identity and age.
  • Criminal history background checks including publicly available information including Facebook, Twitter, Instagram, YouTube.
  • Confirmation of eligibility to work in Australia.
  • Confirmation of education and qualifications.
  • Confirmation of previous employment.
  • Consideration regarding medical leave.

Administration and performance monitoring use: Utilising the information collected for the purpose of:

  • Dealings related to the employer/employee relationship or the contractor/principal relationship (as the case may be).
  • Use of such information whether or not the employment or contractor relationship is prospective, current or past.
  • Use of such information to monitor systems, performance and time usage and internet usage.
  • The use of your personal information collected in the administration and management of eG.
  • In connection with the sale of any part of eG’s business or a company owned by an eG entity.

We may disclose your personal information to:

  • Relevant superannuation company.
  • Government agencies, including but not limited to The Australian Taxation Office, Centrelink and Child Support Agency.
  • Relevant Worker’s Compensation organisation (e.g. WorkCover etc).
  • Third party referees provided by you in connection with an application made to eG.
  • Service providers (including IT service providers and payroll providers), if any.
  • Recruitment agents used in connection with your application with us.
  • Third parties in connection with the sale of any part of eG’s business or a company owned by an eG entity.
  • Third parties in connection with obtaining any background checks, pre-employment screening.
  • Financial institutions for payroll purposes.
  • As required or authorised by law.