Privacy Policy
Description
This document details Alpha Echo’s (AE’s) Privacy Policy which applies to all personal information collected about employees, or prospective employees, of AE.
This document has been structured to cover all of the essential elements of a privacy policy as detailed within Australian Privacy Principle (APP) 1.4 (reference A). Further detail on specific definitions and use cases can be found in the APP Guidelines (reference B) which are publicly available on the Office of the Australian Information Commissioner (OAIC) website.
AE is considered an APP entity as it is an organisation that while would be considered a small business due to current annual turnover, is a contracted service provider for a Commonwealth contract and therefore subject to an exception (refer paragraph B.5 of reference B).
Definitions
Business purposes are defined as activities related to internal business practises, such as employment activities, termination, payroll activities, or accreditation. Data collected for this purpose may include personal identifying information and sensitive information as this is required for business operations. Personnel included in this definition include current employees, former employees, and potential/future employees of AE.
Research purposes are defined as activities related to research and development practises. Research and development practises are the activities employed by AE to increase knowledge about relevant topics, interpret new events, identify factors and phenomena pertaining to applied work and document findings to establish an evidence base. These activities could include research such as surveys and questionnaires distributed to investigate factors affecting populations, market research or information gathering to inform evidence-based practice.
Anonymity and Pseudonymity
APP 2 allows an individual to not identify themselves or to use a pseudonym. For data collected for business purposes, due to the nature of business that AE specialises in, it is impractical for AE to deal with individuals who have not identified themselves or use a pseudonym. For data that is collected for research purposes, only anonymous data will be collected by AE, as it is impractical to handle or store personal identifying information of individuals otherwise.
Nature and Purpose of Personal Information AE Collects and Holds for Business Purposes
AE only collects personal information that is required to:
- Assess a prospective employee’s suitability for employment within AE.
- Facilitate execution of business functions to manage an employee (for example, payment of income, superannuation, taxes, emergency contact information, etc).
- Demonstrate suitability of an employee to a potential client (e.g. provision of a Curriculum Vitae (CV) to a potential client).
Personal Information that is collected for the above purposes includes, but is not limited to:
- Name
- Address
- Date of Birth
- Phone Number
- Bank Account details
- Superannuation details
- Relationship information for emergency contacts
- Academic history
- Employment history
- Previous employment information, etc, etc
Nature and Purpose of Personal Information AE Collects and
Holds for Research Purposes
AE only collects anonymised or de-identified data for research purposes. AE may collect personal information when these details are relevant to the research questions, are without sensitive information (see OAIC for definitions of sensitive information) and follow the Australian code for responsible conduct of research.
Prior to data collection, AE will define the research questions and the data collection method. AE will then identify risks associated with the data collection process and remove any requests for personal identifying information or sensitive information. AE will then review the intended data collection process to ensure it:
- Allows for justification and verification of research outcomes
- Maximises the potential for future research and analysis
- Minimises waste of resources of value to researchers, participants and the wider community
- Adheres to the Australian Code for the Responsible Conduct of Research (https://www.nhmrc.gov.au/about-us/publications/australian-code-responsible- conduct-research-2018)
Ownership and Control of Personal Information AE Collects and Holds for Research Purposes
Any data collected for research purposes that is prescribed by the privacy policy is deemed to be property of AE. Once data has been collected (and informed consent obtained), AE reserves the right to store, move, use, or destroy the information as it deems necessary. Any AE owned data that is shared will be subject to a licensing agreement (such as a Creative Commons Attribution License – https://creativecommons.org/licenses/). If data is shared or made publicly available, the data should be cited as property of AE and licensing agreements followed by external parties.
How Alpha Echo Collects, Holds, Uses and Discloses Your Personal Information for Business Purposes
Collection
AE will only collect personal information from the individual directly, or will seek approval from the individual that AE can collect personal information from other sources such as:
- Supporting information about an application for employment from a listed referee,
- Confirmation of security clearance information held by the Department of Defence,
- Police Criminal History checks, etc
If AE receives unsolicited personal information from another source, that AE could not lawfully have otherwise obtained, AE will destroy or de-identify the information as soon as practicable.
If AE could have lawfully obtained the personal information, AE will notify the individual as soon as practicable of the nature of the information AE has received and seek confirmation as to its accuracy from the individual.
AE seeks to always ensure the integrity of the personal information held, whether collected from an individual or a third party. If an individual wishes to update their personal information to ensure its continued accuracy they are to contact privacy@alpha- echo.com.au to gain access to their information (as per the below) and make any necessary changes. If AE believes that the information held is no longer current or correct AE will request the individual to update the information or seek the individuals consent to obtain up to date information from a third party.
If an individual provides updated personal information, the individual can request that AE provide the updated information to any other entity which AE has previously disclosed the information to.
If AE refuses to update the information held, AE will provide the individual with an written explanation that details:
- the reasons for the refusal to the extent that it is reasonable to do so;
- mechanisms available to complain about the refusal;
- any other matter prescribed by the regulations; and
- an opportunity for the individual to provide a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading which AE will take reasonable steps to associate the statement with the information held or provided to other entities.
Storage
AE uses Google Workspace for Businesses to store and manage AE records. A shared drive has been established to store personal information that is collected about individuals. Access to this drive is restricted to only AE staff that have a need-to-know for the execution of AE business.
If AE no longer has a requirement to hold the personal information of an individual and AE is not required to retain the information as part of a Commonwealth record, an Australian law or a court/tribunal order AE will destroy the information or de-identify the information as soon as practicable.
Use and Disclosure
AE will only use or disclose personal information attained about an individual for the primary purpose for which it was collected unless:
- It is reasonable to expect AE to disclose the personal information for a secondary purpose that is related to the primary purpose AE has collected the information; or
- The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
A permitted general situation exists (refer Chapter C of reference B and section 16A of reference C) in relation to the use of disclosure of the information by AE; or - AE reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
If AE uses or discloses information for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, AE will provide written notice of the use or disclosure to the individual as soon as practicable.
AE will not use any personal information collected or held about an individual for direct marketing purposes unless an exception applies as a contracted service provided to the Commonwealth as detailed within APP 7.5 (reference A).
AE will not disclose government related identifiers (drivers licence number, passport number, CS ID numbers, etc) unless:
- the use of disclosure of the identifier is reasonably necessary for AE to verify the identity of the individual for the purposes of conducting AE activities or functions; or
- the use or disclosure of the identifier is reasonably necessary for AE to fulfil its obligations to an agency or a State or Territory authority; or
the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or - a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of reference C) exists in relation to the disclosure of the identifier; or
- AE reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
How Alpha Echo Collects, Holds, Uses and Discloses Your Personal Information for Research Purposes
Collection
AE will only collect personal information from the individual directly. Individuals will be informed that their personal information is being collected and will be required to consent to the information being collected in accordance with APP 3. AE will also inform participants of the purpose of data collection, contact information if participants wish to withdraw or change their information, and the risks and benefits of participating in the data collection. Individuals will always be able to opt out of their information being collected.
If AE receives unsolicited personal information, that AE could not lawfully have otherwise obtained or does not pertain to the research, from the individual or from another source, AE will destroy or de-identify the information as soon as practicable.
AE will generally collect information for research purposes via survey and questionnaire, using platforms such as Microsoft Forms (for internal collection) or Google Forms (for external collection).
Storage & Migration
Once data is collected, it will be migrated to an AE shared drive. This shared drive has been established to store personal information that is collected for research purposes. Access to this drive is restricted to only AE staff that have a need-to-know for the execution of AE research. Once data has been moved to the shared drive, it will be removed from any personal accounts responsible for data collection in accordance with the ownership of AE data. If data is shared, it may be stored in alternate locations subject to the data licencing agreement.
If AE no longer has a requirement to hold the research information and AE is not required to retain the information as part of a Commonwealth record, an Australian law or a court/tribunal order, AE will destroy the information or de-identify the information as soon as practicable. In the case that analysis of AE data is published, AE will ensure the data is made publicly available where licencing agreements allow and will not destroy the data, so long as the publication exists.
Use and Disclosure
AE will not disclose any personal identifying information collected for research purposes. The information collected for research purposes will be analysed and may be reported in publications from AE. AE reserves the right to share anonymous data with collaborators or publish anonymous data on open repositories, given the data contains no identifying information and licensing agreements are adhered to.
AE will not use any personal information collected or held about an individual for marketing purposes unless an exception applies as a contracted service provided to the Commonwealth as detailed within APP 7.5 (reference A). AE will also refrain from selling any data collected to external agencies unless specified in licensing agreements.
How to Access Your Personal Information for Business Purposes Held by Alpha Echo
If an individual wishes to gain access to their personal information they are to email privacy@alpha-echo.com.au. AE will provide the requested information as soon as practicable, in the manner requested (where reasonable and practicable to do so) to the individual except under the following circumstances:
- AE reasonable believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
- giving access would have an unreasonable impact on the privacy of other individuals; or
- the request for access is frivolous or vexatious; or
- the information relates to existing or anticipated legal proceedings between AE and the individual, and would not be accessible by the process of discovery in those proceedings; or
- giving access would reveal the intentions of AE in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
- giving access would be unlawful; or
- denying access is required or authorised by or under an Australian law or a
court/tribunal order; or - AE has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to AE’s functions or activities has been, is being or may be engaged in and giving an individual access would likely prejudice the taking of appropriate action in relation to the matter; or
- giving access would be likely to prejudice one or more enforcement related activities conduct by, or on behalf of, an enforcement body; or
- giving access would reveal evaluative information generated within AE in connection with a commercially sensitive decision-making process.
If AE cannot provide access to the information in the manner requested, or due to a reason as detailed above, AE will engage the individual to take reasonable steps to give access that meets the needs of both AE and the individual.
If AE is still unable to provide the individual with the requested information AE will provide in writing:
- the reasons for the refusal except where it would be unreasonable to do so based upon the grounds of the refusal to provide the information;
- the mechanisms available to complain about the refusal; and
- any other matter prescribed by the regulations.
How to Access Your Personal Information for Research Purposes Held by Alpha Echo
As all data collected for research purposes will be anonymous or de-identified, individuals are unable to access, change or withdraw their data following consent. In the event that personal identifying information is collected, this will be destroyed immediately. Hence it is not possible for individuals to access, change or withdraw their information as there is no way of linking individuals to the information they disclosed.
How to Make a Complaint
If an individual wishes to make a complaint about AE’s handling of personal information the individual is to provide in writing the nature of their complaint privacy@alpha-echo.com.au.
AE will make best efforts to work with the individual to resolve their complaint or seek further advice or direction from OAIC to seek resolution to the issue.
Overseas Disclosure of Personal Information
AE will only disclose personal information about an individual to a person or organisation that is not in Australia or an external Territory unless AE is confident that the overseas recipient will not breach the APPs unless:
- AE reasonably believes that:
- the recipient of the information is subject to a law, or binding scheme, that
has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information; and - there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
- the recipient of the information is subject to a law, or binding scheme, that
- AE advises an individual that if they consent to disclosing their personal information to an overseas recipient AE cannot guarantee that the overseas recipient will not breach APPs and the individual still provides their consent; or
- the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
- a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of reference C) exists in relation to the disclosure of the information by AE.
References
A. The Australian Privacy Principles, From Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, January 2014
B. Australian Privacy Principles Guidelines, Privacy Act 1988, July 2019
C. Privacy Act 1988