1 INTRODUCTION AND OVERVIEW
The Academy is required by the Privacy Act 1988 (Cth) (Privacy Act) to comply with the Australian Privacy Principles (APP) (subject to other provisions of the Privacy Act). The APPs regulate the manner in which personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal.
The Academy is also required to comply with the Spam Act 2003 (Cth) (Spam Act); the Do Not Call Register Act 2006 (Cth) (Do Not Call Register Act); the European Union General Data Protection Regulation (GDPR); and the Notifiable Data Breaches (NDB) Scheme.
1.1 WHAT IS PERSONAL INFORMATION?
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. Special provisions apply to the collection of personal information which is sensitive information. Sensitive information includes (for example) information about a person’s membership of a professional or trade association. The Academy does not collect sensitive information (as defined by the Privacy Act) without consent.
The kinds of personal information the Academy collects and holds include:
- an individual’s name, address, DOB, gender, contact number and email address
- post-nominal letters
- employment details
- credit card details
- membership of industry body
1.2 COLLECTION OF PERSONAL INFORMATION BY THE ACADEMY
To the extent required by the Privacy Act the Academy will not collect personal information about you unless that information is necessary for one or more of our functions or activities, for example:
- conferences, meetings, events and presentations
- newsletters or publications
- membership procedures
When the Academy collects personal information directly from you, we will take reasonable steps at or before the time of collection to ensure that you are aware of certain key matters, such as the purpose for which we are collecting the information, the organisations (or types of organisations) to which we would normally disclose information of that kind, the fact that you are able to access the information and how to contact us.
When we collect credit card or other payment details, we will not store them, or they will be masked or encrypted after your payment has been processed. Where the Academy collects information about you from a third party, we will take reasonable steps to ensure that you have consented or have been made aware of the details as set out above.
Similarly, the Academy may be required to provide your contact details to third party suppliers of services which you would reasonably expect the Academy to do in order to provide its services. The Academy provides the opportunity to opt-out of such third party arrangements.
The Academy acknowledges that there is no obligation for an individual to provide it with personal information. However, if an individual chooses not to provide the Academy with personal details, the Academy may not be able to provide the individual with the services reasonably expected to be provided.
1.3 USE AND DISCLOSURE OF PERSONAL INFORMATION BY THE ACADEMY
If the Academy uses or discloses your personal information for a purpose (secondary purpose) other than the main reason for which it was originally collected (primary purpose) to the extent required by the Privacy Act, we will ensure that:
- the secondary purpose is related to the primary purpose and you would reasonably expect that the Academy would use or disclose your information in that way
- you have consented to the use and disclosure of your personal information for the secondary purpose
- the use or disclosure is required or authorised by or under law
- the use or disclosure is otherwise permitted by the Privacy Act
For each visitor to our website or social media site or e-news, we may collect the following type of information for statistical purposes:
- number of users who visit
- date and time of the visits
- pages accessed
- user’s top-level domain name (for example .com or .gov)
- previous site visited
- type of browser used
- type of device used, users’ operating system (such as Windows or Macintosh)
- website or mobile device activity
The Academy system requires that the web browser accept cookies, which are used to make logging-in possible. Cookies are pieces of information that a website can transfer to an individual’s computer hard drive for record-keeping. Your cookie may be sent at various times during your visit to our website and may be updated as you access our many different areas. These cookies are not used to collect, store, track or monitor any personal information.
As would reasonably be expected, the Academy may collect website and mobile device (e.g. apps) statistics (which includes pages accessed and search terms used) but this information is not identifiable (i.e. the Academy cannot tell who you are): Google Analytics: (or other third-party vendor) demographics and interest reporting (such as what country you are from, what language your computer is set to, age group, gender and interest area).
This is anonymous statistical data and no attempt will be made to identify users. We use this data to evaluate our website and to improve the content we display to you.
We may use Google AdWords, Facebook Pixel and other third-party vendor remarketing tools to advertise trigger ads across the internet. AdWords (and other vendors) remarketing will display relevant ads tailored to you based on what parts of the Academy website you have viewed by placing a cookie on your machine and/or use Facebook Pixel or Google Tag Manager technology (using your internet browser).
This cookie does not in any way identify you or give access to your computer. The cookie or similar technology is used to say: “This person visited this page, so show them ads relating to that page.” Google AdWords (or other third-party vendor) remarketing allows us to tailor our marketing to better suit your needs and only display ads that are relevant to you.
1.4 WHY DOES THE ACADEMY COLLECT PERSONAL INFORMATION?
The Academy collects personal information for a range of purposes, including:
- to process nominations for Fellowship
- manage the Fellowship of the Academy
- record and maintain membership details and profile information
- provide information on services and benefits available to Fellows
- notify Fellows and non-Fellows about Academy events
- ensure compliance with the Academy’s Constitution
- website traffic data for statistical, reporting and maintenance purposes
- manage conferences, workshops and events, including:
– travel organisation, both domestic and international
– international conferences and exchanges
– manage grant applications
- applications for international programs run by the Academy, including for the Global Connections Fund
- distribution of Academy products, eg:
– IMPACT magazine
– purchase of STELR school kits
From time to time, the Academy may survey its Fellowship on a range of issues. These surveys help us to identify and analyse the ongoing needs of our Fellows and the quality of our products and services. If you do not wish to participate in these surveys, you can opt out of the survey or please let us know.
1.5 OUR RESPONSIBILITIES UNDER THE GDPR
For EU residents that engage with the Academy, because we collect, use and store your personal information to enable us to provide you with our goods and/or services, we are a “collector” under the GDPR. As such, we have certain obligations under the GDPR when collecting, storing and using the personal information of EU residents. If you are an EU resident, your personal data will:
- be processed lawfully, fairly and in a transparent manner by us;
- only be collected for the specific purposes we have identified in section 1.4 above and personal information will not be further processed in a manner that is incompatible with the purposes we have identified;
- be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
- be kept up to date, where it is possible and within our control to do so (Fellows may update their data by logging into their Fellow’s profile on the Academy website and editing details). Please let us know if you would like us to correct any of your personal information, by sending an email to firstname.lastname@example.org;
- be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal data was collected; and
- be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We also apply these principles to the way we collect, store and use the personal information of all non-EU contacts.
Specifically, we have the following measures in place, in accordance with the GDPR:
- Data protection policies: We have internal policies in place which set out where and how we collect personal information, how it is stored and where it goes after we get it, in order to protect your personal information.
- Right to ask us to erase your personal information: You may ask us to erase personal information we hold about you.
- Right to ask us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal information we hold about you is wrong (to give us enough time to verify if the information needs to be changed), and you request us to restrict the processing of personal information rather than it being erased.
- Notification of data breaches: We will comply with the GDPR in respect of any data breach.
1.6 HOW MIGHT WE CONTACT YOU?
We may contact you in a variety of ways, including by post, email, SMS, social media, mobile devices or apps, telephone call or facsimile.
We will not send you any commercial electronic messages such as SMSs or emails unless this is permitted by the Spam Act. Any commercial electronic message that we send will identify the Academy as the sender and will include our contact details. This message will also provide an unsubscribe facility. If you do not wish to receive commercial electronic messages from us, please let us know.
Do Not Call Register
We will not call you on a number listed on the Do Not Call Register unless this is permitted under the Do Not Call Register Act. If you do not wish us to call you on a particular number, please let us know.
1.7 WHEN DOES THE ACADEMY DISCLOSE PERSONAL INFORMATION TO THIRD PARTIES?
In performing our functions and activities (such as for conferences, presentations, and events as outlined above), we may need to disclose personal information to third parties where you may reasonably expect the Academy to use or disclose the personal information for a specific purpose. Third parties with whom the Academy may share your personal information include, where appropriate:
- secure online election provider
- printers and distributers of Academy publications and other material
- financial institutions for payment processing
- external business advisers (such as auditors and lawyers)
- travel and conference organisers
1.8 DATA QUALITY AND SECURITY
The Academy aims to safeguard your information to the best of its abilities, through a combination of technical, administrative and physical measures. This includes the use of Secure Socket Layer (SSL) encryption to protect information transmitted across the internet. Production data is housed in a Tier 3 Data Centre facility and backups are encrypted at rest.
All personal information collected by the Academy will be retained as part of a database, which will be securely monitored and maintained by the Academy or an approved host, which to the best of our knowledge is based in Australia. If the Academy stores personal information with a “cloud” service provider, the provider may be situated outside Australia. Subject to paragraph 1.7, the data will not be made available to a third party, unless it is legally required and verified, without the authority of the individual who provided the personal information.
The Academy will take all reasonable steps to protect the security of the personal information that it holds. This includes appropriate measures to protect electronic materials and materials stored and generated in hard copy. Where information held by the Academy is no longer required to be held, and the retention is not required by law, then the Academy will de-identify or destroy such personal information by a secure means.
However, if you have reason to believe that your interaction with us is no longer secure (for example, if you feel that your online account has been compromised) please contact our Privacy Officer by phone: 03 9864 0900, fax: 03 9864 0930 or email email@example.com or write to us at The Privacy Officer, Australian Academy of Technology and Engineering, GPO Box 4055, Melbourne VIC 3001.
Please note some third-party platforms that you might use to engage with us (for example, LinkedIn, Twitter, Mailchimp or SecurePay) are not under our control. If you have concerns about using these platforms, we encourage you to carefully consider their terms and conditions and other relevant policies.
The Academy permits your details to be accessed only by authorised personnel, and it is a condition of employment that our employees maintain the confidentiality of personal information.
Payment security of all financial transactions is maintained by the Academy using EFTPOS, BPAY and online technologies. It is our policy to ensure that all financial transactions processed meet industry security standards that ensure payment details are protected.
If you are concerned about sending your information over the internet, you can contact us by mail, facsimile or telephone.
1.8.1 DATA BREACH RESPONSE PLAN
The Data Breach Response Plan is to enable the Academy to contain, assess and respond to a data breach in a timely fashion and to mitigate potential harm to affected individuals.
A data breach occurs when information held by the Academy is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Data breaches involving personal information that are likely to cause individuals to be at serious risk of harm must be reported to the affected individual(s) and the Australian Information Commissioner in accordance with the requirements of the Notifiable Data Breaches (NDB) scheme.
Data breaches may arise from: loss or unauthorised access, modification, use or disclosure or other misuse; malicious actions, such as theft or “hacking”; internal errors or failure to follow information handling policies that cause accidental loss or disclosure; and not adhering to the laws of the states and territories or the Commonwealth of Australia.
When a data breach has occurred or is suspected to have occurred, the Academy will initiate the following process. However, it should be noted that there is no single method of responding to a data breach and in some cases the following steps may need to be modified. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
Suspected or known data breach
When an Academy employee or contractor become aware or suspects that there has been a data breach, they will notify their manager who will assess the risk, document the event and report in the first instance to the Executive Director, Corporate Strategy and Innovation.
The Executive Director, Corporate Strategy and Innovation will notify:
- the Academy’s Privacy Officer, who will include details of the suspected breach in a data breach register that will contain a brief description of the nature of the breach, how it occurred, the date of the breach, the date of discovery and the date of notification to the Academy (for an external breach);
- the Academy’s Chief Executive Officer via a Data Breach Risk Assessment Report (and other senior managers as required) to determine the Academy’s response and remedial actions to take to contain the breach, which may include:
– if the breach is the result of an ICT security incident (i.e. an event that affects the
confidentiality, integrity or availability of the Academy’s information, systems and
infrastructure), notify the Academy’s IT service manager provider to implement a
– stopping the unauthorised practice;
– recovering records;
– shutting down the system that has been breached;
– revoking or changing computer access privileges;
– addressing weaknesses in physical or electronic security
Notification and Review
The Executive Director, Corporate Strategy and Innovation will submit a Data Breach Risk Assessment Report to the Chief Executive Officer who will coordinate notification (if required) of affected individuals, the Academy Board, and/or the Australian Information Commissioner.
1.9 ACCESS AND CORRECTION OF YOUR PERSONAL INFORMATION
The Academy will make available for inspection, free of charge, all personal information, based on the information supplied by the individual that it holds in relation to an individual, provided reasonable notice is given. In the event that such a request is made, the Academy will review our records to determine what personal information is held and endeavour to respond to your request as soon as possible.
Please note that the Academy will request that identification is provided before personal information is released. In the event that any part of the personal information that the individual inspects is determined to be incorrect and requires alteration then the Academy will make such alteration in compliance with the corrected advice provided by the individual.
Fellows are able to update their contact details and profile information online at any time by signing into the Fellows section of the website to Manage Account; or they can email firstname.lastname@example.org or email@example.com.
Subject to the above, where you have consented to receiving communications from the Academy, your consent will remain current until you advise us otherwise. However, you can, at no cost, opt out at any time, in the following ways:
- Fellows can update their communications preferences by signing into the Fellows section of the website to “Manage Account”
- Fellows can opt out of participating in surveys by contacting the Privacy Officer, Australian Academy of Technology and Engineering, GPO Box 4055, Melbourne VIC 3001 or by sending an email to firstname.lastname@example.org
Please contact the Academy if you have any queries about the personal information that the Academy holds about or the way we handle that personal information.