1.5.1 accessing, acquiring, subscribing to, or using the Services;
1.5.2 providing Personal Information to a client of SOA who has informed you of the fact that your Personal Information may be shared with SOA;
1.5.3 accessing, requesting information on, enquiring about, using, receiving or providing feedback in relation to, SOA’s operations or Services (online, in writing, by telephone or in person);
1.5.4 seeking employment or becoming a business partner or affiliate with us; or
1.5.5 otherwise providing, or consenting to the collection of, Personal Information by SOA, its officers, agents or employees.
After this Policy has been brought to your attention, you acknowledge and consent to the use, collection, storage or disclosure of your Personal Information by us in accordance with this Policy and the Privacy Act.
2. What is Personal Information?2.1 We follow the definition of Personal Information given in the Australian Privacy Act:
“Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.”
3. What kinds of Personal Information might we collect and hold?3.1 We may collect (and hold) different Personal Information about you depending upon how you interact with us. This information may vary depending on the specific needs of you, and of SOA, however, it may include your:
3.1.1 name and date of birth;
3.1.2 contact details (e.g. address, email address, telephone number and other contact information) and emergency contact details of relevant persons and their relationship to you;
3.1.4 history of interaction with our clients, including what services you access or accessed, frequency of access, and any problems or issues that arose in your interactions with our clients;
3.1.5 where you have purchased a ticket in a lottery from one of our clients:
220.127.116.11 the fact of your purchase;
18.104.22.168 the amount you have paid for lottery tickets;
22.214.171.124 the number of tickets purchased;
126.96.36.199 the payment method;
188.8.131.52 your purchase history;
3.1.6 demographic information such as age or location and activities;
3.1.7 history with us;
3.1.8 messages, emails, voicemail and other correspondence and frequency of enquiries;
3.1.9 IP address and / or other device identifying data;
3.1.10 general preferences and interests;
3.1.11 authorization to receive notifications by email or text
3.1.12 comments, complaints and feedback and responses to surveys;
3.1.13 interaction with websites, including our website and the Platform;
3.1.14 what computer configurations and software you use;
3.1.15 government issued identifiers such as Australian Government concession and health care card identifiers (and numbers) and Medicare Numbers as well as driver’s licence, passport and/or visa details, police check and security clearance details (where is is lawful for us to assess these);
3.1.16 billing and credit card information; and
3.1.17 any additional information relating to you that you provide to us directly.
3.1.18 other information required to provide a service or information you have requested from us; and
3.1.19 information collected by Cookies, Pixels, Web Beacons and other comparable technologies.
If you apply for employment with us your personal information may be disclosed to recruitment agencies for suitability assessment. You have additional rights in relation to Sensitive Information. Current or prospective employees may have additional types of personal information collected, such as:
3.1.20 occupation, employment history and educational qualifications including, but not limited to:
184.108.40.206 resumes and application forms;
220.127.116.11 payroll and related information
18.104.22.168 bank account information;
3.1.21 health information;
4. How do we collect Personal Information4.1 We collect Personal Information:
4.1.1 directly from you (when you provide that information to us, we contact you, when you contact us, when you use our Services, when you engage with us or when we engage with you);
4.1.2 when you provide that information to one of our clients including by purchasing a ticket in a lottery we support;
4.1.3 when you participate in our Services, including marketing or promotional activities;
4.1.4 when providing our Services;
4.1.5 from third parties who you have authorised to provide us with information; and
4.1.6 from publicly available sources such as the internet and social media.
5. How do we hold and secure your Personal Information?5.1 We store your Personal Information digitally (unless legally required to retain in hard copy format).
6.2.1 Need to Know Access: Employees are only permitted to access personal information as necessary to fulfil legitimate job functions.
6.2.2 Transmittal of Information: Employees shall use reasonable care to ensure that the method of transmitting personal information (whether by telephone, mail, fax, e-mail or otherwise) is sufficiently secure taking into account the sensitivity of the information.
6.2.3 Secure Storage: Employees shall ensure that records containing personal information are securely stored and never left in plain view unattended.
6.2.4 Passwords/Access Cards: Employees shall protect the security of their computer passwords, building access cards and any other security codes or devices issued to them. Employees shall not share such codes or devices with any person.
6.2.5 Breach Incidents: Employees who suspect or become aware of any data loss or data breach incident must report the matter to the Privacy Officer, and must cooperate in the investigation of any such incident.
6.2.6 Revoking Access: On termination or transfer of employees, or when work duties no longer require access to personal information, SOA will immediately revoke access to personal information and retrieve means of access to same.
6.2.7 Disposal of Records: Records containing personal information must be disposed or destroyed in a timely and secure manner. Employees shall follow approved practices when disposing or destroying records containing personal information.
7. Why do we collect, hold, use and disclose Personal Information?7.1 SOA may collect Personal Information for a number of reasons, including:
7.1.1 providing our clients with a centralised record of the documents required for accreditation and compliance for their operations;
7.1.2 providing you or a third party with Services;
7.1.3 providing you with information about our Services, events or developments;
7.1.4 sending communications you request or contacting you and responding to your enquiries;
7.1.5 providing third parties with information about you and your use of our Services where necessary or appropriate;
7.1.6 ensuring consistency of service across our organisation and other internal organisation purposes;
7.1.7 providing back end and administrative functions for the conduct of charitable lotteries;
7.1.8 developing or refining our Services;
7.1.9 internal organisation purposes;
7.1.10 providing you with marketing material;
7.1.11 contacting you in relation to your access to and use of our Services;
7.1.12 better understanding our clients and other stakeholders;
7.1.13 tailoring our Services; and
7.1.14 corporate governance, auditing and record keeping.
8. What do we do with your Personal Information?8.1 If we collect Personal Information, we may:
8.1.1 use that information for the purposes stated in this Policy;
8.1.2 store that information in accordance with this Policy;
8.1.3 pass that information amongst entities we work with and to our clients;
8.1.4 pass that information to third parties who provide products or services to us (including our accountants, auditors, lawyers, IT contractors, and other service providers);
8.1.5 provide that information to third parties as required or allowed by law.
9. Do you use my information for Direct Marketing?9.1 We may use your Personal Information to communicate directly with you to promote our Services. We use direct marketing to provide you with information about our Services that we believe you may be interested in. If you receive direct marketing material from us, and do not wish to continue receiving it, please contact us by any of the methods stated in this Policy, asking to be removed from all future direct marketing programs. Once we have received your opt-out request, we will remove you from our direct marketing programs as soon as reasonably practicable.
10. What about Cookies, pixels and analytics?10.1 When you access our website, we may receive Personal Information via a ‘cookie’, a ‘pixel’ or from analytics software.
11. Do we ever send your information overseas?11.1 We may send information to a Canadian data warehouse for storage or marketing purposes. The data warehouse is subject to our privacy and data protection requirements.
12. Can you access your Personal Information or request it be corrected?12.1 You may request access to the Personal Information that we hold about you by contacting the Privacy Officer.
12.5.1 providing you with access to your Personal Information;
12.5.2 rejecting your access request and providing you reasons for this rejection.
12.6.1 we believe your request is frivolous or vexatious;
12.6.2 we are entitled to reject a request by law;
12.6.3 we are unable to verify your identity; or
12.6.4 you have not paid the administrative fee (if any).
13. What happens if you want to deal with us anonymously or using a pseudonym?When contacting us, you can do so either anonymously or by using a pseudonym. If you do so, we may not be able to provide you with accurate or useful information, and you may not be able to access a full range of our operations and services. Further, we may not be able to investigate incidents or complaints you have made.
15. What about the General Data Protection Regulation (GDPR)?15.1 The GDPR is the European Union (EU) data protection law. Australian-based organisations that offer goods or services to persons in the EU or target or monitor the behaviour of persons in the EU may be required to comply with the GDPR regulatory regime.
15.3.1 The right to request that we delete your Personal Information (unless we require that information to comply with a legal obligation, or need it to bring or defend a legal claim); and
15.3.2 The right to restrict our processing of your Personal Information (where it is inaccurate, would be unlawful to process, or where it has not been deleted due to us needing it to meet a legal obligation).
16. What happens if you have a question or complaint about how we have handled your Personal Information?If you have a question or complaint, you can raise it with us by contacting the Privacy Officer:
1. Data Breach Policy
1.2 We are required to protect Personal Information2 we collect from loss, unauthorised access and unauthorised disclosure (Data Breach).
2. Security of DataWe are obliged under the Australian Privacy Principles to take such steps as are reasonable to protect personal information:
3. Data Breach stepsShould we suspect or believe that a Data Breach has occurred we will undertake the following five steps:
4. Identify(a) We will maintain systems and procedures to ensure that any suspected or actual Data Breach can be identified, reported and escalated to management responsible for the implementation of the Data Breach Response Plan.
5. Contain(a) Once a Data Breach has been identified, we will take all reasonable steps that can be taken to contain that breach.
(i) retrieving the personal data;
(ii) shutting down our system;
(iii) finding the lost device or file.
6. AssessThe Data Breach Response Plan and the Data Breach Report Form provide for the proper assessment of the breach including:
7. NotificationIf we believe (not just suspect) on reasonable grounds that a Data Breach is likely to result in serious harm to any of the individuals concerned we will:
(i) our identity and contact details;
(ii) a description of the breach we believe has occurred;
(iii) the kind of information involved in the breach;
(iv) recommendation about the steps the individuals should take in response; and
(v) if the Data Breach was caused by a third party service provider we engage, we will include their name and contact details.
(i) our response to contain the Data Breach and prevent its recurrence;
(ii) any assistance we can offer to the individual(s);
(iii) that we have reported the breach to the Office of the Australian Information Commissioner and, if relevant, any law enforcement agency/ies;
(iv) how individual(s) can make a complaint to the Office of the Australian Information Commissioner.
8. Review8.1 To prevent future breaches of the same kind, the Data Breach Response Plan must include a requirement for us to conduct a review of our policies, systems and procedures which may include the following: