The objective of this policy is to set guidelines for the
collection, use, access, correction, deletion and storage
of personal information that complies with the National
Privacy Principles (NPPs).
The company recognises that it is both necessary and required
by law for the company to hold records of a variety
of factual information about employees and prospective
employees in order for necessary daily running of the
The company accepts that the general principles of confidentiality
and privacy apply to the use and availability of its
records. Where information about a person includes personal
details as defined by the Privacy Act 1988 as amended,
that person may quite reasonably expect that the company
will maintain confidentiality, except where disclosure
is required for legitimate and legal purposes.
The company collects, maintains, utilises and discloses
personal information covered by the privacy legislation.
The information collected by the company includes:
a) Personal information on prospective employees.
b) Sensitive information on psychometric testing candidates.
c) Personal information on client contacts and prospective
client contracts including business relationship history.
d) Personal information on supplier contacts.
This private information is primarily stored on both
secure databases and in hard copy form that is only
accessible to authorised employees with a genuine need
to access the information as part of their employment.
Unless required by law or permitted by consent, the
information collected by the company is not used for
any purpose other than the primary purpose for which
it was collected, or a related and reasonably foreseeable
The company will endeavour to ensure that all employees,
contractors, agents and other people working within
the company are familiar with this policy and other
Personal information is broadly defined as any information or
opinion that can identify a person.
Sensitive information is defined as any combination of the following:
Membership of union
professional or trade associations
Sexual preferences or practices
Religious beliefs or affiliations
Access to Records:
The company defines authorised access as that which
is required for work-related purposes. For example,
reaching selection decisions or providing vocational
NPP 1: Collection of Personal Information
The company will only collect personal information where
the information is necessary for one or more of its
functions or activities. The company will collect this
information in a way that is fair, lawful and not intrusive.
It is the company’s responsibility to take reasonable
steps to ensure that the person providing the information
is made aware of:
The name of the organisation collecting the information.
How to contact the organisation collecting the information.
The fact that the person can gain access to the information.
The purpose of the collection.
The organisations (or types of organisations) to which
the organisation usually discloses information of that
What happens, if anything, if the person does not give
any or all of the information.
Where information about an individual is collected from a
third party, the company will take reasonable steps
to notify the individual of the above information.
These obligations will be met through the use of appropriate
forms and training of staff.
The company will only use or disclose information for the
purposes it was collected (unless the person has consented).
the secondary purpose is related to the primary purpose
and a person would reasonably expect such use or disclosure.
marketing in specified circumstances.
circumstance related to public interest such as law
enforcement and public health.
The company will endeavour to receive an individual’s
consent for disclosure of his/her information by way
of writing. If necessary, verbal consent will be accepted
and a file note or database record will be taken.
NPP 3: Data
The company will take reasonable steps to make sure that
the personal information it collects, uses or discloses
is accurate, complete and up-to-date.
The company will endeavour to do this by filling out a “change
of details” form when a change is required to
be made to the information. This change of details form
must be submitted to the data controller as soon as
possible and is to be corrected within two working days.
NPP 4: Data
steps will be taken to protect personal information
from misuse, loss and unauthorised access modification
steps will be taken to destroy or permanently de-identify
personal information if it is no longer needed for any
purpose for which the information may be used or disclosed.
following process will be implemented:
No personal information should be given over the phone
unless it has been established that the caller has
legitimate grounds to access the information and has given
proof of identity.
No personal information should be left on voicemail unless
requested by the owner of the voicemail on the basis
that the voicemail is secure.
containing personal information should be labelled
“Private and Confidential: Attention…”
machines used for transmission of personal health
information should be secure.
Only authorised individuals should receive personal information
and are not permitted to forward such information
records containing personal information should not
be copied unless it is essential to do so.
paper records should be kept in lockable storage when
not in use and should be shredded or burned when no
The anonymity of client contacts should be maintained
during presentations, consultation with other clients,
suppliers and other members of the public, research
activities and public events.
Personal information should not be left unattended nor should
it be discussed in public areas where others may overhear.
and other persons who are directly involved with the
activities of the company are required to consent to
applicable confidentiality obligations in writing.
This policy will be made available to anyone who asks for
it and will be reviewed/modified where appropriate in
order for information systems to run smoothly.
On request by a person, the company will take reasonable
steps to let the person know what sort of personal information
it holds, for what purposes it is held and disclosed.
Any such requests are to be directed to the General
Manager or the Office Manager.
NPP 6: Access
The company acknowledges that it must give an individual
access to their personal information on request. This
is limited by a number of things. For example:
In the case where it would pose a threat to the life
of any individual.
Where the request for access is frivolous or vexatious.
denying access is required or authorised by or under
Where providing access would reveal evaluative information
generated within the company, in connection with a commercially
sensitive decision-making process, the company may give
the individual an explanation for the commercially sensitive
decision rather than direct access to the information.
If the individual is able to establish that the information
is not accurate, complete or up-to-date, the company
will take reasonable steps to correct the information
so that it is accurate, complete and up-to-date.
If an individual and the company disagree about whether
the information is accurate, complete and up-to-date,
and the individual asks the company to associate with the
information a statement claiming that the information
is not accurate, complete or up-to-date, the company
will take reasonable steps to do so.
The company will provide reasons for a denial of access
or a refusal to correct personal information.
inquiries regarding access or correction in accordance
with this policy must be communicated to the General
Manager or the Office Manager.
NPP 7: Identifiers
the company will not adopt, use or disclose an identifier
that has been assigned by a Commonwealth Government
agency. In most cases, personal information will be
stored by the person’s last name or the associated
NPP 8: Anonymity
Where it is lawful and practicable to do so, individuals will
have the option of not identifying themselves when entering
transactions with the company.
NPP 9: Transborder
The company does not generally transmit information overseas,
however, in such an unlikely event, the company will
only transfer personal information to a recipient in
a foreign country in circumstances where the information
will have appropriate protection.
NPP 10: Sensitive Information
Sensitive information will not be collected unless:
The individual has consented.
It is required by law.
The collection is necessary to prevent or lessen a serious
and imminent threat to the life or health of any individual,
where the subject of the information is physically
or legally incapable of giving consent.
The collection is necessary for the establishment, exercise
or defence of a legal claim.
about breaches of personal privacy should be reported
to the company’s General Manager in the first
instance and recorded on a Quality Improvement / Incident