RMIA, as an Australian entity, is NOT subject to the Privacy Act 1988 (Privacy Act), which regulates how personal information is handled. RMIA is committed to voluntarily meeting compliance obligations and protecting personal information. This Voluntary Privacy Code (Code) takes into consideration the recent amendments made to the Privacy Act by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which came into effect in March 2014.
This Code explains how we manage personal information, including RMIA’s efforts to meet the obligations and rights of individuals. It sets out the commitment and general principles but does not detail specific processes or procedures adopted.
This Code applies to any and all persons, corporate or natural, whether employed, contracted or otherwise associated with RMIA.
RMIA usually collects and holds the following kinds of information:
2.1 Personal Information
2.2 Sensitive Details
Less commonly held, but where necessary for the provision of a service or compliance with lawful authority, RMIA may also collect sensitive information, including:
Critical to the Privacy Act are the thirteen APPs, which set out the guiding principles that organisations must take reasonably practicable steps to give effect to in order to comply.
The following is RMIA’s voluntary response to the APPs:
APP1: Open and Transparent Management of Personal Information
At all times, this Code will:
RMIA will take reasonable steps to voluntarily implement practices, procedures and systems to deal with enquiries or complaints from individuals, in order to voluntarily meet the requirements of the Privacy Act.
APP2: Anonymity and Pseudonymity
RMIA will generally enable individuals to remain anonymous (nameless), or to use a pseudonym (fictitious name), wherever it is reasonably practicable to do so.
That is, RMIA will not generally refuse to deal with individuals who do not disclose their identity, and will not insist on seeking personal information unless it is lawfully required, and/or necessary, to provide a contracted or requested service.
An example of an exception is where an individual requests details of a particular Member. RMIA will need to verify the identity of the person requesting the information before the request can be fulfilled.
APP3: Collection of Solicited Personal Information
The purposes for which RMIA collects, holds, uses and discloses personal information are to provide proprietary products and services to Members, to receive third-party products or services under contract, to validly discharge legal obligations (contractual or otherwise), or to manage an in-house Membership registry.
RMIA’s usual approach to collecting personal information is, wherever possible, to collect information directly from the individual. Where this is not practicable, information may be collected by lawful and fair means from secondary sources such as Government agencies, other service providers, publicly available sources and employers. Sensitive information about a person will only be collected with the consent of the individual, except where we are required or permitted by lawful authority to collect sensitive information without consent.
APP4: Dealing with Unsolicited Personal Information
Where it becomes apparent that a communication contains unsolicited personal information that would not otherwise be lawfully capable of being requested or used under APP3, RMIA will make reasonable efforts to delete, destroy or de-identify the record.
Where it is impracticable to delete, destroy or de-identify the record (for example, where the unsolicited information is combined with necessary information), the record will be retained. Reasonable steps are taken to protect the personal information against loss, unauthorised access, use, modification or disclosure and against other misuse.
APP5: Notification of the Collection of Personal Information
At the point of collecting personal information via the website, individuals will receive, or have access to, a personal information collection notice from RMIA.
APP6: Use and Disclosure of Personal Information
Personal information held by RMIA will only be used or disclosed for purposes directly related to one or more legitimate functions or activities of RMIA in the provision of its services and products or as otherwise permitted by lawful authority. RMIA does not sell personal information.
RMIA may permit third parties to access personal information, or may disclose personal information to third parties, in the following circumstances:
Subject to law, the people or entities that RMIA may allow to use personal information, or may disclose personal information to, include, but may not be limited to:
RMIA voluntarily takes all reasonable steps to ensure that the third parties we deal with are bound by confidentiality and privacy responsibilities.
APP7: Direct Marketing
RMIA may provide marketing services on its own behalf. Personal information of individuals is only used to market relevant products and services specifically to that individual.
This will only occur with the individual’s consent or as otherwise lawfully permitted. RMIA complies with the Spam Act 2003 and the Do Not Call Register Act 2006.
An individual can opt out of direct marketing at any time by notifying RMIA of the desire to unsubscribe. Such requests can be made electronically, in writing by post or by telephone call. Each marketing communication sent by RMIA will contain the details of the opt-out option, which will be honoured.
APP8: Cross Border Disclosure of Personal Information
RMIA generally will not send personal information overseas. However, RMIA has a number of overseas counterparts and deals with some overseas third parties.
APP9: Adoption, Use or Disclosure of Government Related Identifiers
RMIA may request, record and use government identifiers for legitimate purposes in the conduct of its business as permitted by law.
For example, an individual’s tax file number may be sought, recorded and used to validly discharge taxation obligations. However, government identifiers will not be adopted as RMIA’s own identifier.
APP10: Quality of Personal Information
RMIA will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, up-to-date, complete and relevant. Where the personal information is redundant or misleading, reasonable steps will be taken to correct the information. This may be achieved by re-collecting information directly from the individual and/or independently verifying personal information as required and/or permitted by lawful authority.
APP11: Security of Personal Information
RMIA’s [Information Security Management System] utilises various security methods and controls to protect information during the data lifecycle. Such measures include, but are not limited to, masking or scrambling of data in test environments, firewalls, anti-virus, system security patch management, secure identity access management, user access restrictions/role-based permissions, data encryption, penetration testing, vulnerability assessments, segregated restricted access facilities and staff awareness training.
When personal information is no longer required, reasonably practicable steps are taken to destroy or de-identify the information. Where it is not practicable to do so, reasonable steps are taken to protect the personal information against loss, unauthorised access, use, modification or disclosure and against other misuse.
APP12: Access to Personal Information
Individuals have a right to request access to their personal information (some restrictions may apply). Such a request may be made verbally and/or in writing. Where such a request is reasonable, access will not be unreasonably withheld.
Access may include a report, transcript, reproduced copy, or a right of access to RMIA’s premises to inspect personal information held. A charge equal to the reasonable cost to reproduce or make copies of personal information may be levied by RMIA.
To lawfully gain access to personal information, RMIA will need to satisfy itself of the identity of the requestor and that the personal information being sought is that of the requestor and not any other individual (including family relations without relevant authority).
Where a written request to access information is refused, a written notice will generally be issued setting out the reasons for the refusal.
APP13: Correction of Personal Information
Individuals have the right to correct personal information held about them. Such a request may be made verbally and/or in writing. In some cases, RMIA may require evidence in support of the requested change to ensure the integrity of the information.
Valid requests to correct personal information will be completed within a reasonable timeframe. If RMIA refuses a written request to update an individual’s personal information, a written notice will generally be issued, setting out the reasons for the refusal.
Individuals wishing to make enquiries or lodge a complaint in relation to how RMIA handles personal information are encouraged to do so. In the first instance, this should be to RMIA directly, via this website.
After exhausting the above, if RMIA is unable to resolve a complaint to the satisfaction of the individual, the individual may be able to refer the matter to the Office of the Australian Information Commissioner (www.oaic.gov.au), which can be contacted by phoning 1300 363 992 or emailing: firstname.lastname@example.org.