a. Special categories
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal information. We may process special categories of personal information in the following circumstances:
- With your explicit consent;
- Where we need to carry out our legal obligations or exercise rights in relation to your employment with us. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data;
- Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your or others' interests, and you are not capable of giving consent, or have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.
As an employer, we may use your particularly sensitive information in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
- We will use information about your race or national or ethnic origin, or religious beliefs, to ensure meaningful equal opportunity monitoring and reporting.
- We will use your biometric information for the purpose of developing, testing and training biometric algorithms and demonstrating Ignition’s products (with your explicit consent).
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data, including your biometric information. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
b. Criminal Convictions
We may only use information relating to criminal convictions where the law in your jurisdiction allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.
Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your or someone else’s interests and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate and lawful, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will use information about criminal convictions and offenses in the following ways:
- Job Applicants Australia and United Kingdom: An offer of employment will be contingent upon consideration of the results of any background check including information about criminal convictions.
- Job Applicants other European countries: We may seek information regarding criminal convictions in any other European jurisdiction where this is legally permissible, for the purpose of considering an offer of employment.
- Existing Employees: Where it is reasonably required for our legitimate business interests, for example, for the purpose of complying with customer security requirements when employees enter a customer’s premises, a background check may be undertaken during your employment even if a previous check was already completed. This may include information about criminal convictions where this is legally permissible.
c. Automated Decision Making
Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration;
- Where it is necessary to perform the contract with you and the appropriate measures are in place to safeguard your rights;
- In limited circumstances, with your explicit consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
8. Data Sharing
We may disclose data and personal information to third parties, including third party service providers and other entities in the group. We require third parties to respect the security of your data and treat it in accordance with the law. We will share data with third parties where required by law, where necessary to administer the working relationship with you or where we have another legitimate interest in doing so. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the particular context of a business reorganization or group restructuring exercise, for system maintenance support and hosting of data. Sensitive information will be used and disclosed only for the purpose for which it was provided (or a directly related secondary purpose), unless you agree otherwise or there is a relevant legislated ability or restriction.
In particular, and without limitation, we may disclose your personal information to:
- any of our internal divisions, business units, departments, or group members and other related entities;
- your nominated representatives;
- other organisations or individuals who assist us in providing products and services to you;
- professional service providers and advisors who perform functions on our behalf, such as lawyers;
- representatives, agents or contractors who are appointed by us in the ordinary operation of our business to assist us in providing goods or services or administering our business (such as for data storage or processing, printing, mailing, marketing, planning and product or service development);
- banks, lenders, financiers, valuers, insurers, brokers, auditors, business consultants and IT service providers; and
- government, regulatory authorities, and other organisations as required or authorised by law.
Additionally, as we continue to develop our business, we may buy, merge or partner with other companies or organisations, and in so doing, acquire customer personal information. In such transactions, personal information may be among the transferred assets. Similarly, in the event that a portion or substantially all of our business or assets are sold or transferred to a third party, we may also disclose certain information including your personal information to a purchaser or potential purchaser in connection with the sale or potential sale of us, our business or any of our assets, including in insolvency.
Notice for Australian Employees
We may disclose your Tax File Number to other persons when we are acting on your behalf in the conduct of your affairs (for example, to our execution broker, or to share registries). When we do so, we are acting in accordance with Section 8WB(1A)(c) of the Taxation Administration Act 1953. We do not adopt identifiers assigned by the Government (such as driver’s licence numbers) for our own file recording purposes, unless one of the exemptions in the Privacy Act applies.
If we disclose your personal information to service providers that perform business activities for us, they may only use your personal information for the specific purpose for which we supply it. We require that all contractual arrangements with third parties adequately address privacy issues and will make third parties aware of this Policy.
9. Sending information overseas
We may disclose your personal information to our related entities within the Ignition group, for the purposes of their provision of services and support to us, or if they otherwise need to access that information in connection with the provision of products or services to you or otherwise for the purposes set out in this Privacy Policy. Those entities may be located overseas, outside of your country of residence, including Australia, the United Kingdom, Ireland, and other countries from time to time, and therefore your personal information may be disclosed to those entities in those countries. To the best of our knowledge, Ignition is EU GDPR and UK GDPR compliant.
In addition to overseas disclosures to our related entities within the Ignition group, some of your personal information may also be disclosed, transferred, stored, processed or used overseas by us, or by third party service providers. This may happen if:
- our offices or related entities are overseas
- we (including any of our related entities) outsource certain activities overseas
- transactions, information, services or products have an overseas connection, or
- our computer systems including IT servers are located overseas.
In particular, your personal information may be disclosed to third parties in Australia, the United Kingdom, Ireland, and such other countries in which those parties or their, or our, computer systems may be located from time to time, where it may be used for the purposes described in this Privacy Policy.
If you reside in Australia, you consent to the collection, use, storage, and processing of your personal information outside of Australia as set out in this Privacy Policy.
Any overseas disclosure does not affect our commitment to safeguarding personal information we collect, and we will take reasonable steps to ensure overseas recipients comply with the relevant legislation. We will not disclose your personal information to overseas recipients unless:
- we have taken reasonable steps to ensure that the recipient does not breach the Privacy Act, the APPs, the EU GDPR or the UK GDPR;
- we use specific contracts approved for use in the European Union and the United Kingdom which give personal information the same protection as it has in the European Union and the United Kingdom, when transferring your personal data out of the European Union and/or the United Kingdom;
- the recipient country has been deemed to provide an adequate level of protection for personal information; or
- we are otherwise permitted by law to do so.
Some of our subsidiaries or associates may have their own individual privacy policy. Those policies may include additional overseas countries to which those entities may disclose your personal information. Before providing any personal information directly to those entities, you should read and understand their applicable privacy policy which may describe different practices regarding the way they disclose, transfer, store, process and use your personal information. Our related entities may also disclose that personal information to different overseas countries to those mentioned above, and they may be required to comply with legislation in different jurisdictions to us.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the European Union and/or the United Kingdom.
10. Data Security
We recognise the importance of securing the personal information of our customers. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from Ignition’s Information Security Manager. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
11. Data Retention
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
For further information as to any specific retention periods that might apply to personal information we hold about you, please contact us using the details set out at the top of this Privacy Policy.
12. Direct Marketing
We may only use personal information we collect from you for the purposes of direct marketing without your consent if:
- the personal information does not include sensitive information; and
- you would reasonably expect us to use or disclose the information for the purpose of direct marketing; and
- we provide a simple way of opting out of direct marketing; and
- you have not requested to opt out of receiving direct marketing from us.
If we collect personal information about you from a third party, we will only use that information for the purposes of direct marketing if you have consented (or it is impracticable to obtain your consent), and we will provide a simple means by which you can easily request not to receive direct marketing communications from us. We will draw your attention to the fact you may make such a request in our direct marketing communications. You have the right to request us not to use or disclose your personal information for the purposes of direct marketing, or for the purposes of facilitating direct marketing by other organisations. To do so, please contact us using the details at the beginning of this Policy, or use the unsubscribe functionality provided in any direct marketing communication that you have received from us. We must give effect to the request within a reasonable period of time. You may also request that we provide you with the source of their information. If such a request is made, we must notify you of the source of the information free of charge within a reasonable period of time.
13. Information collected via our websites
a. General
Personal information may be collected by us and by our third party service providers who assist us in operating our website referred to above, including its subdomains and any other website we operate from time to time.
We may use various technological methods from time to time to track the visiting patterns of individuals accessing our websites, including but not limited to the methods set out in this paragraph 13.
b. Cookies
A “cookie” is a small text file that may be placed on a computer by a web server. Our website may use cookies which may enable us to identify you or your browser while you are using our site. These cookies may be permanently stored on a computer or are temporary session cookies. They are used for a variety of purposes, including security and personalisation of services. They are frequently used on websites and you can choose if and how a cookie will be accepted by configuring your preferences and options in your browser.
If you disable the use of cookies on your web browser or remove or reject specific cookies from our websites or linked sites then you may not be able to gain access to all of the content and facilities in those websites.
c. Google Analytics
We may use Google Analytics to help analyse how you use our websites. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated is used to create reports about the use of our Website. Google will store this information.
If you do not want your website visit data reported by Google Analytics, you can install the Google Analytics opt-out browser add-on. For more details on installing and uninstalling the add-on, please visit the Google Analytics opt-out page at https://tools.google.com/dlpage/gaoptout
d. Click Stream Data
When you read, browse or download information from our websites, we or our internet service provider may also collect information such as the date, time and duration of a visit, the pages accessed, the IP address of your computer, and any information downloaded. This information may be used for purposes including statistical, reporting and website administration, maintenance and improvement purposes.
14. Third party content (eg social media links)
Some of the content on our websites may include applications made available by third parties, such as social media buttons or links that allow you to share content or links to our website through the relevant third party platforms. These third party applications themselves may facilitate collection of information by those third parties, through your interaction with the applications and sometimes even if you do not interact directly with them. We are not responsible for the technical operation of these applications or the collection and use practices of the relevant third parties. Please visit the relevant third party websites to understand their privacy practices and options they may make available to you in relation to their collection of your personal information.
15. Your Rights
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the HR Department in writing. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances or where we are otherwise permitted by law. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the HR Department. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
16. Updates to this Policy
This Policy will be reviewed from time to time to take account of new laws and technology, and changes to our operations and the business environment.
17. Our responsibilities
It is the responsibility of management to inform employees and other relevant third parties about this Policy and of any changes to this Policy. Management must ensure that employees and other relevant third parties are advised of any changes to this Policy. All new employees are provided with timely and appropriate access to this Policy, and all employees are provided with training in relation to appropriate handling of personal information as part of our ISO/IEC 27001:2013 certification. Employees or other relevant third parties that do not comply with this Policy may be subject to disciplinary action.
18. Making a complaint
If you have any questions about this Policy, please contact us by:
- telephoning +61 1300 656 924
- writing to the Privacy Officer, Ignition, Level 2, 5 Martin Place, Sydney, NSW 2000
- emailing – privacy@ignitionadvice.com
You have the right to make a complaint to the relevant data protection supervisory authority at any time. We would, however, appreciate the chance to deal with your concerns before you approach the relevant data protection supervisory authority, so please contact us in the first instance by using any of the above methods.
We will investigate your queries and privacy complaints within a reasonable period of time depending on the complexity of the complaint.
It would assist us to respond to your complaint promptly if it is made in writing. Please detail information relevant to your complaint.
We will notify you of the outcome of our investigation.
If you are not satisfied with our response to your complaint, you can also refer your complaint to the relevant data protection supervisory authority:
Australia
Office of the Australian Information Commissioner
Phone – 1300 363 992
Postal Address – Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001, Australia
Europe
To find the relevant European Union national data protection authority, please consult the list on the following website: https://edpb.europa.eu/about-edpb/about-edpb/members_en
United Kingdom
Information Commissioner’s Office
Phone – 0303 123 1113
Postal Address – Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF