S.O. Asher Consultants Pty Ltd Privacy Policy

1. Privacy Policy

1.1 This Privacy Policy (Policy) sets out in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) the way in which S.O. Asher Consultants Pty Ltd (SOA) and its related entities (SOA, we, us, or our) may collect, store, use, disclose, manage and protect your Personal Information (including Sensitive Information).

1.2 SOA develops and manages charitable lotteries for established, influential charities (Services).

1.3 This Privacy Policy applies to how SOA handles personal information in Australia. As a company with a global presence, we additionally strive to be compliant with privacy law requirements and best practices which are generally applicable to the protection of personal information in other countries where we operate, such as Canada.

1.4 In providing the Services, SOA may collect information about our clients (including the Personal Information of their officers, agents and employees), as well as information provided by our clients in provision of the Services (which may contain the Personal Information of third parties).

1.5 By:

1.5.1 accessing, acquiring, subscribing to, or using the Services;

1.5.2 providing Personal Information to a client of SOA who has informed you of the fact that your Personal Information may be shared with SOA;

1.5.3 accessing, requesting information on, enquiring about, using, receiving or providing feedback in relation to, SOA’s operations or Services (online, in writing, by telephone or in person);

1.5.4 seeking employment or becoming a business partner or affiliate with us; or

1.5.5 otherwise providing, or consenting to the collection of, Personal Information by SOA, its officers, agents or employees.

After this Policy has been brought to your attention, you acknowledge and consent to the use, collection, storage or disclosure of your Personal Information by us in accordance with this Policy and the Privacy Act.

1.6 If you do not agree to us handling your Personal Information in the manner set out in this Policy we may not be able to provide our Services to you or our clients, and you should not provide us with any Personal Information.

1.7 Our Data Breach Policy forms part of this Privacy Policy and sets out our approach to any data breach.

2. What is Personal Information?

2.1 We follow the definition of Personal Information given in the Australian Privacy Act:

“Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.”

3. What kinds of Personal Information might we collect and hold?

3.1 We may collect (and hold) different Personal Information about you depending upon how you interact with us. This information may vary depending on your specific needs and those of SOA; however, it may include your:

3.1.1 name and date of birth;

3.1.2 contact details (e.g. address, email address, telephone number and other contact information) and emergency contact details of relevant persons and their relationship to you;

3.1.3 gender;

3.1.4 history of interaction with our clients, including what services you access or accessed, frequency of access, and any problems or issues that arose in your interactions with our clients;

3.1.5 where you have purchased a ticket in a lottery from one of our clients: the fact of your purchase; the amount you have paid for lottery tickets; the number of tickets purchased; the payment method; your purchase history;

3.1.6 demographic information such as age or location and activities;

3.1.7 history with us;

3.1.8 messages, emails, voicemail and other correspondence and frequency of enquiries;

3.1.9 IP address and / or other device identifying data;

3.1.10 general preferences and interests;

3.1.11 authorization to receive notifications by email or text;

3.1.12 comments, complaints and feedback and responses to surveys;

3.1.13 interaction with websites, including our website and the Platform;

3.1.14 what computer configurations and software you use;

3.1.15 government issued identifiers such as Australian Government concession and health care card identifiers (and numbers) and Medicare Numbers as well as driver’s licence, passport and/or visa details, police check and security clearance details (where it is lawful for us to assess these);

3.1.16 billing and credit card information;

3.1.17 any additional information relating to you that you provide to us directly;

3.1.18 other information required to provide a service or information you have requested from us; and

3.1.19 information collected by Cookies, Pixels, Web Beacons and other comparable technologies.

If you apply for employment with us your personal information may be disclosed to recruitment agencies for suitability assessment. You have additional rights in relation to Sensitive Information. Current or prospective employees may have additional types of personal information collected, such as:

3.1.20 occupation, employment history and educational qualifications including, but not limited to: resumes and application forms; payroll and related information; bank account information; income tax related information; and

3.1.21 health information.

4. How do we collect Personal Information

4.1 We collect Personal Information:

4.1.1 directly from you (when you provide that information to us, we contact you, when you contact us, when you use our Services, when you engage with us or when we engage with you);

4.1.2 when you provide that information to one of our clients including by purchasing a ticket in a lottery we support;

4.1.3 when you participate in our Services, including marketing or promotional activities;

4.1.4 when providing our Services;

4.1.5 from third parties who you have authorised to provide us with information; and

4.1.6 from publicly available sources such as the internet and social media.

5. How do we hold and secure your Personal Information?

5.1 We store your Personal Information digitally (unless legally required to retain in hard copy format).

5.2 All digital material is secured using password protected computers.

5.3 Records are kept for as long as they have value and in line with any legal or regulatory requirements for the storage of information.

5.4 SOA uses data storage providers located in Canada. SOA has agreements with its storage providers to keep all Personal Information they store secure, using reasonable and appropriate security methods.

5.5 We may transfer and store information at our offshore offices in Canada and the USA.

5.6 We conduct regular audits of our compliance with this Policy and the Act to ensure that our privacy framework is in line with industry best-practice.

5.7 The Data Breach Policy is a component of, and supports, our Privacy Policy. Refer to our Data Breach Policy, set out later in this document, on how we will manage any loss or unauthorised access or disclosure of your personal information should it ever occur.

6. Employee access to Personal Information

6.1 All employees of SOA must comply with this Privacy Policy and ensure that they safeguard Personal Information they may have access to during the course of their employment.

6.2 Practices applicable to employees’ collection, use, disclosure and access to Personal Information include (without limitation):

6.2.1 Need to Know Access: Employees are only permitted to access personal information as necessary to fulfil legitimate job functions.

6.2.2 Transmittal of Information: Employees shall use reasonable care to ensure that the method of transmitting personal information (whether by telephone, mail, fax, e-mail or otherwise) is sufficiently secure taking into account the sensitivity of the information.

6.2.3 Secure Storage: Employees shall ensure that records containing personal information are securely stored and never left in plain view unattended.

6.2.4 Passwords/Access Cards: Employees shall protect the security of their computer passwords, building access cards and any other security codes or devices issued to them. Employees shall not share such codes or devices with any person.

6.2.5 Breach Incidents: Employees who suspect or become aware of any data loss or data breach incident must report the matter to the Privacy Officer, and must cooperate in the investigation of any such incident.

6.2.6 Revoking Access: On termination or transfer of employees, or when work duties no longer require access to personal information, SOA will immediately revoke access to personal information and retrieve means of access to same.

6.2.7 Disposal of Records: Records containing personal information must be disposed of or destroyed in a timely and secure manner. Employees shall follow approved practices when disposing of or destroying records containing personal information.

7. Why do we collect, hold, use and disclose Personal Information?

7.1 SOA may collect Personal Information for a number of reasons, including:

7.1.1 providing our clients with a centralised record of the documents required for accreditation and compliance for their operations;

7.1.2 providing you or a third party with Services;

7.1.3 providing you with information about our Services, events or developments;

7.1.4 sending communications you request or contacting you and responding to your enquiries;

7.1.5 providing third parties with information about you and your use of our Services where necessary or appropriate;

7.1.6 ensuring consistency of service across our organisation and other internal organisation purposes;

7.1.7 providing back end and administrative functions for the conduct of charitable lotteries;

7.1.8 developing or refining our Services;

7.1.9 internal organisation purposes;

7.1.10 providing you with marketing material;

7.1.11 contacting you in relation to your access to and use of our Services;

7.1.12 better understanding our clients and other stakeholders;

7.1.13 tailoring our Services; and

7.1.14 corporate governance, auditing and record keeping.

7.2 Our use of Personal Information may extend beyond these uses, but will be restricted to purposes that we consider to be related to our functions and activities.

8. What do we do with your Personal Information?

8.1 If we collect Personal Information, we may:

8.1.1 use that information for the purposes stated in this Policy;

8.1.2 store that information in accordance with this Policy;

8.1.3 pass that information amongst entities we work with and to our clients;

8.1.4 pass that information to third parties who provide products or services to us (including our accountants, auditors, lawyers, IT contractors, and other service providers);

8.1.5 provide that information to third parties as required or allowed by law.

9. Do you use my information for Direct Marketing?

9.1 We may use your Personal Information to communicate directly with you to promote our Services. We use direct marketing to provide you with information about our Services that we believe you may be interested in. If you receive direct marketing material from us, and do not wish to continue receiving it, please contact us by any of the methods stated in this Policy, asking to be removed from all future direct marketing programs. Once we have received your opt-out request, we will remove you from our direct marketing programs as soon as reasonably practicable.

10. What about Cookies, pixels and analytics?

10.1 When you access our website, we may receive Personal Information via a ‘cookie’, a ‘pixel’ or from analytics software.

10.2 These are tools that our web server may direct your traffic to, send to your computer, or embed on a website, when you visit our website. These tools help us to recognise when you re-visit the website, serve you customised content and optimise your experience. We generally don’t collect Personal Information through the use of these tools, though we may be able to access your IP address and information about the computer technology you are using when we use analytical software.

10.3 You may be able to change the settings of your browser so that Cookies are not accepted generally or that you are provided with options to accept or reject them as they are sent to your browser.

11. Do we ever send your information overseas?

11.1 We may send information to a Canadian data warehouse for storage or marketing purposes. The data warehouse is subject to our privacy and data protection requirements.

11.2 We may upload images and/or footage to our social media accounts from time to time. The social media accounts may be hosted on an overseas server.

Where applicable, in the event that your information is sent overseas, we will use our best endeavours to ensure that any overseas supplier will keep all Personal Information secure.

12. Can you access your Personal Information or request it be corrected?

12.1 You may request access to the Personal Information that we hold about you by contacting the Privacy Officer.

12.2 SOA may provide access to Personal Information subject to any applicable exceptions or exemptions under applicable laws.

12.3 Upon receiving an access request, we may request further details from you to verify your identity. We reserve the right not to provide you with access to Personal Information if we cannot verify your identity to our reasonable satisfaction.

12.4 An administrative fee may be charged to cover our costs in providing you with access to your Personal Information. This fee will be explained to you before it has been incurred.

12.5 We will respond to your access request within a reasonable period of time by:

12.5.1 providing you with access to your Personal Information; or

12.5.2 rejecting your access request and providing you with reasons for this rejection.

12.6 Access requests may be denied where:

12.6.1 we believe your request is frivolous or vexatious;

12.6.2 we are entitled to reject a request by law;

12.6.3 we are unable to verify your identity; or

12.6.4 you have not paid the administrative fee (if any).

12.7 If you believe that the Personal Information that we hold is inaccurate or otherwise requires correction, you may send us a correction request by contacting the Privacy Officer. We will review your Personal Information and respond to the request within a reasonable period of time.

13. What happens if you want to deal with us anonymously or using a pseudonym?

When contacting us, you can do so either anonymously or by using a pseudonym. If you do so, we may not be able to provide you with accurate or useful information, and you may not be able to access a full range of our operations and services. Further, we may not be able to investigate incidents or complaints you have made.

14. Does this policy ever change?

From time to time we may make changes to this Policy. When we do, we will highlight those changes in yellow highlight for a period of 14 days. Please make sure you review the Privacy Policy each time you visit our website to keep up to date on any changes.

15. What about the General Data Protection Regulation (GDPR)?

15.1 The GDPR is the European Union (EU) data protection law. Australian-based organisations that offer goods or services to persons in the EU or target or monitor the behaviour of persons in the EU may be required to comply with the GDPR regulatory regime.

15.2 We are an Australian based organisation providing Services within Australia and Canada. From time to time, we may capture or collect Personal Information that passes through the EU. This might occur, for example, if a person in the EU accesses our website and we collect analytical data about them, if a person in the EU signs up for a newsletter, books services from the EU, or if one of our members gives us information about a person in the EU. If this occurs, we will treat the Personal Information received in accordance with this Policy.

15.3 Where data is processed or monitored in the EU, you may have additional rights, such as:

15.3.1 The right to request that we delete your Personal Information (unless we require that information to comply with a legal obligation, or need it to bring or defend a legal claim); and

15.3.2 The right to restrict our processing of your Personal Information (where it is inaccurate, would be unlawful to process, or where it has not been deleted due to us needing it to meet a legal obligation).

16. What happens if you have a question or complaint about how we have handled your Personal Information?

If you have a question or complaint, you can raise it with us by contacting the Privacy Officer:

Privacy Officer
S.O. Asher Consultants Pty Ltd
Office 08 8294 4109

We take all complaints seriously and will respond to you within a reasonable period of time, unless we consider your complaint to be frivolous or vexatious or if we are unable to verify your identity.

If you aren’t satisfied with the way we have handled your complaint, you can make a complaint to the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.

Version 1, May 2021
Version 2, November 2022

S.O. Asher Consultants Pty Ltd Data Breach Policy

1. Data Breach Policy

1.1 S.O. Asher Consultants Pty Ltd (SOA, our, us, or we) is committed to protecting the Personal Information [1] we collect. This policy is a component of, and supports, our Privacy Policy.

1.2 We are required to protect Personal Information [2] we collect from loss, unauthorised access and unauthorised disclosure (Data Breach).

2. Security of Data

We are obliged under the Australian Privacy Principles to take such steps as are reasonable to protect personal information:

(a) from misuse, interference and loss;

(b) from unauthorised access, modification or disclosure.

2.1 We are also obliged to ensure the security of credit eligibility information. [3]

2.2 All staff members of SOA must adhere to the data security requirements and procedures for client information as outlined in the Privacy Policy, this Data Breach Policy, the Data Breach Response Plan and the Data Breach Report Form.

2.3 A failure to provide adequate security may lead to an interference with the privacy of an individual. The penalty for serious and repeated interferences with privacy under the Privacy Act 1988 (Cth) is 2,000 penalty units ($210 per penalty unit as of the effective date of this Policy, subject to indexation).

3. Data Breach steps

Should we suspect or believe that a Data Breach has occurred we will undertake the following five steps:

1) Identify;

2) Contain;

3) Assess;

4) Notify; and

5) Review.

4. Identify

(a) We will maintain systems and procedures to ensure that any suspected or actual Data Breach can be identified, reported and escalated to management responsible for the implementation of the Data Breach Response Plan.

(b) Any staff member of SOA who suspects a Data Breach has occurred must ensure that a Data Breach Report Form is completed and sent promptly to the Privacy Officer.

(c) The Privacy Officer is the person nominated by SOA, as changed from time to time, and whose details appear below:

Privacy Officer
S.O. Asher Consultants Pty Ltd
Office 08 8294 4109

5. Contain

(a) Once a Data Breach has been identified, we will take all reasonable steps that can be taken to contain that breach.

(b) We will make a preliminary assessment of any remedial action we should take and provide that assessment to all relevant staff members within 24 hours.

(c) Remedial action is anything we can reasonably do to stop the breach, prevent further similar breaches or prevent harm occurring to the individual whose data has been accessed or lost.

(d) Examples of remedial action include:

(i) retrieving the personal data;

(ii) shutting down our system;

(iii) finding the lost device or file.

6. Assess

The Data Breach Response Plan and the Data Breach Report Form provide for the proper assessment of the breach including:

(a) the type of information involved;

(b) whether the breach can be remedied and the information recovered;

(c) the identity and number of individuals affected or likely to be affected;

(d) the possible financial, economic, social and emotional impact on any individual;

(e) the nature of the breach (i.e. was it loss, access or disclosure of electronic or paper-based data and was it accidental or deliberate);

(f) the perpetrator of the breach (i.e. internal staff, contractors, third parties whether local or overseas);

(g) the risk of further breaches if remedial action is not taken (i.e. is it a systemic problem or a one-off);

(h) whether criminality is evident (i.e. theft or hacking); and

(i) whether the information was encrypted, de-identified or difficult to access.

7. Notification

If we believe (not just suspect) on reasonable grounds that a Data Breach is likely to result in serious harm to any of the individuals concerned we will:

(a) prepare the statement required by the Privacy Act 1988 (Cth) including the following information:

(i) our identity and contact details;

(ii) a description of the breach we believe has occurred;

(iii) the kind of information involved in the breach;

(iv) recommendations about the steps the individuals should take in response; and

(v) if the Data Breach was caused by a third party service provider we engage, we will include their name and contact details.

(b) provide a copy of the statement to the Office of the Australian Information Commissioner;

(c) provide a copy of the statement to each affected individual by means determined to communicate effectively, and include additional information such as:

(i) our response to contain the Data Breach and prevent its recurrence;

(ii) any assistance we can offer to the individual(s);

(iii) that we have reported the breach to the Office of the Australian Information Commissioner and, if relevant, any law enforcement agency/ies;

(iv) how individual(s) can make a complaint to the Office of the Australian Information Commissioner.

8. Review

8.1 To prevent future breaches of the same kind, the Data Breach Response Plan must include a requirement for us to conduct a review of our policies, systems and procedures which may include the following:

(i) a post-investigation audit of physical and technical security controls;

(ii) a review of policies and procedures;

(iii) additional training of staff members including scenario practices;

(iv) identifying external resources that may assist in preventing future breaches, e.g. auditing firms, public relations firms, legal advisers;

(v) a review of authority levels for access to and transfer of electronic data;

(vi) an assessment of whether the Data Breach Response Plan was adequate.

[1] As defined in the Privacy Policy.
[2] As defined in the Privacy Policy.
[3] As defined in section 6 of the Privacy Act 1988 (Cth).