Policy No: 2014-01
Publication Date: 11/03/2014
1.2 “Personal information” means information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is either identified or reasonably identifiable. auDA strongly advocates the protection of all personal information, and believes that the adoption and implementation of this policy represents good business practice.
1.3 auDA is required to comply with the Australian Privacy Principles (APPs) set out in the Privacy Act when it collects and handles personal information. auDA may also be required to comply with more specific privacy legislation in some circumstances, such as State and Territory health privacy legislation.
1.6 More information about the Privacy Act is available on the Office of the Australian Information Commissioner’s web site at http://www.oaic.gov.au or on the OAIC's enquiry line at 1300 363 992.
2. TYPE OF PERSONAL INFORMATION COLLECTED BY auDA
2.1 The type of personal information that auDA collects about you depends on the type of dealings you have with us. For example, if you:
a) tender to become a registry operator, we will collect the name and contact details of the applicant's contact person, the names of all directors, officers and senior management staff of the applicant and the name and contact details of a contact person at the applicant's bank or financial institution;
b) apply to become an auDA Accredited Registrar, we will collect the name and contact details of the applicant's contact person, the names of all directors, officers and senior management staff of the applicant and the name and contact details of a contact person at the applicant's bank or financial institution;
c) are notified to us as a reseller of an auDA Accredited Registrar, we will collect your name and contact details from the registrar that appointed you;
d) apply to become a member of auDA, we will collect your name, postal address, contact details, membership class and payment details;
e) make a complaint (or are the subject of a complaint) under auDA’s Complaints Policy, we will collect your name and contact details and information about the substance, progress and outcome of the complaint;
f) send us an enquiry or provide us with feedback, we may collect your name, contact details, details of your enquiry or feedback and information about our response;
g) send us a submission as part of a policy consultation process that we are conducting, we will collect your name, contact details and details of your submission;
h) participate in a survey in relation to the .au domain, we will collect your name, contact details and the responses you provide to our survey questions;
i) apply to register a community geographic domain name (CGDN), we will collect the name, position, address and contact details of two members of the community organisation and the names and contact details of community members and the interest groups they represent;
j) apply for an auDA Foundation grant, we will collect your name, contact details, details of your application and information about our response;
k) apply for an Australia and New Zealand Internet Award (ANZIA), we will collect your name, contact details, details of your application and information about our response;
l) register to attend the Australian Internet Governance Forum or another event hosted by us, auDA will collect your name, contact details and payment details; and
m) apply for a job with auDA, we will collect the information you include in your job application, including your cover letter, resume, contact details and referee reports.
2.2 “Sensitive information” is a subset of personal information that is generally afforded a higher level of privacy protection, such as health information and information about an individual’s criminal record. auDA only collects sensitive information where it is reasonably necessary for our functions or activities and either the individual has consented or we are required or authorised by or under law (including applicable privacy legislation) to do so. For example, we may collect:
a) health information about our employees; and
b) information about whether the directors, officers or relevant staff of an applicant for registry operator appointment or registrar accreditation have been convicted of a criminal offence.
3. HOW auDA COLLECTS PERSONAL INFORMATION
3.1 auDA collects personal information in a number of ways, including:
a) through our websites;
b) on hard copy forms;
c) over the telephone;
d) in person;
e) through written communications (including letter, fax and email); and
f) from third parties, including:
i. third parties contacted by auDA to verify the information contained in applications; and
ii. third parties contacted by auDA where relevant to our complaints handling processes.
4. PURPOSES OF COLLECTION
4.1 The personal information held by auDA is collected and held for the purpose of meeting its objectives as the manager of the .au domain, and providing the services necessary for meeting those objectives.
4.2 In the course of managing the .au domain, auDA may collect personal information in order to:
a) appoint and license registry operators;
b) accredit and license registrars;
c) maintain publicly available online databases, including a public Reseller Search Tool containing the names of resellers that have been appointed by a registrar, and auDA’s Membership List, containing the name and class of membership of auDA members;
d) conduct policy consultation processes;
e) process applications for CGDNs;
f) administer the .au Dispute Resolution Policy and auDA’s Complaints Policy;
g) process applications for membership of auDA and administer membership;
h) process applications for auDA Foundation grants and the ANZIAs;
i) field and deal with consumer enquiries and complaints;
j) refer individuals to appropriate bodies according to the nature of the individual’s enquiry;
k) canvass stakeholders for their views, opinions and suggestions in relation to the .au domain space; and
l) consider applications for employment with auDA.
4.3 auDA limits the collection of personal information to that which is reasonably necessary for one or more of our functions or activities.
4.4 auDA's websites do not utilise "cookies" or other technology to collect user information or track individual usage. auDA's websites may feature links to other websites not owned or controlled by us. auDA is not responsible for the content and privacy practices of other such websites.
5. USE AND DISCLOSURE OF PERSONAL INFORMATION
5.1 auDA uses and discloses personal information for the purposes outlined in section 4 above. As most information is collected directly from the relevant individual, that individual will normally be aware of the purpose of the collection.
5.2 auDA may also use or disclose personal information for other purposes explained at the time of collection or where:
a) that individual has consented; or
b) we are required or authorised by law (including without limitation privacy legislation) to do so.
5.3 People who subscribe to one of auDA's mailing lists (such as the auDA Announcements List) may decide at any time to unsubscribe from the list. Instructions for unsubscribing will appear in the footer of all list emails, or you can contact us (refer to details in section 10 below).
5.4 auDA may share personal information with third parties where appropriate for the purposes set out in section 4, including:
a) financial institutions for payment processing;
b) referees whose details are provided to auDA by job applicants; and
c) our contracted service providers, including:
i. information technology and data storage provides;
ii. function and event organisers
iii. marketing and communications agencies
iv. research and statistical analysis providers
v. external business advisors (such as recruitment advisors, auditors and lawyers).
In each case, auDA may disclose personal information to the service provider and the service provider may in turn provide auDA with personal information collected in the course of providing the relevant products or services.
6. CROSS BORDER DISCLOSURE OF PERSONAL INFORMATION
6.1 In administering the ANZIAs, auDA may disclose the personal information of applicants and details of their application, to third parties located in New Zealand. In this case, auDA will comply with the requirements of the Privacy Act that apply to cross border disclosures of personal information.
7. PROTECTION OF PERSONAL INFORMATION
7.1 auDA holds personal information in a number of ways, including in hard copy documents, electronic databases (including databases published online), email contact lists and in paper files held in drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities.
7.2 auDA endeavours to maintain the security and integrity of all facilities in which personal information is stored. This extends to protecting personal information from misuse, interference and loss, as well as from unauthorised access, modification and disclosure.
7.3 The steps auDA takes to secure the personal information it holds include website protection measures (such as firewalls and anti-virus software), security restrictions on access to computer systems (such as login and password protection), controlled access to our corporate premises, policies on document storage and security, personnel security (including restricting access to personal information on our systems to staff who specifically require that access to carry out their work responsibilities), staff training and workplace policies.
7.4 Commercially sensitive information (for example, information provided by a prospective registrar for the purpose of accreditation) will held by auDA staff and will not be disclosed to any director of the auDA Board.
7.5 All personal information will only be retained for a reasonable period of time.
8. ACCESS AND CORRECTION OF PERSONAL INFORMATION
8.1 auDA is committed to processing personal information promptly and accurately. As part of this commitment, individuals may request access to the personal information auDA holds about them and request correction of that information.
8.2 Requests for access or correction should be directed to auDA's Chief Operations and Policy Officer (refer to details section 10 below). auDA reserves the right to refuse a request if it is vexatious or frivolous, or if we are legally entitled to do so.
9. PRIVACY COMPLAINTS
9.1 If you have a complaint about how auDA has collected or handled your personal information, please contact us (refer to details in section 10 below). We will endeavour in the first instance to deal with your complaint and take action to resolve the matter.
9.2 If your complaint cannot be resolved at the first instance, we will ask you to lodge a formal complaint in writing, explaining the circumstances of the matter that you are complaining about, how you believe your privacy has been interfered with and how you believe your complaint should be resolved.
9.3 auDA will acknowledge receipt of your formal complaint and indicate the timeframe that you can expect a response. auDA will endeavour to resolve the complaint as quickly as possible, but if the matter is complex and our investigation may take longer, we will let you know when we expect to provide our response.
9.4 If you are unhappy with auDA's response, you may refer your complaint to the Office of the Australian Information Commissioner or, in some instances, other regulatory bodies, such as the Victorian Health Services Commissioner or the Australian Communications and Media Authority.
10. auDA’S CONTACT DETAILS
10.1 Please contact auDA if you have any queries about the personal information that we hold about you or the way we handle that personal information. Our contact details are set out below:
Telephone 1300 732 929 (Within Australia)
+61 3 8341 4111 (International)
Facsimile +61 3 8341 4112
Address Chief Operations and Policy Officer
114 Cardigan Street
Carlton VIC 3053
11. REVIEW OF POLICY
11.1 auDA reserves the right to revise this policy at any time. The current version will be posted on our website and a copy may be obtained by contacting us (details above). People who volunteer their personal details to auDA are deemed to acknowledge and be bound by this policy and any changes made to it. This is no way affects the protection afforded under the relevant laws, according to which this policy was developed.