1.1 From time to time Blue Lotus Water Garden and G&Y Cochrane ABN 27267100924 (“the Business Owner”) is required to collect, hold, use and/or disclose personal information relating to individuals (including, but not limited to, its customers, contractors, suppliers and employees) in the performance of its business activities.
1.2 This document sets out the Business Owner’s policy in relation to the protection of personal information, as under the Privacy Act 1998 (Cth) the (“Act”) and the Australian Privacy Principles (“APP”).
1.3 The APPs regulate the handling of personal information.
2. What is personal information?
2.1 Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
3. Employee records
3.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record.
3.2 An employee record is a record of personal information relating to the employment of an employee. Examples of personal information relating to the employment of the employee include, but are not limited to, health information and information about the engagement, training, disciplining, resignation, termination, terms and conditions of employment of the employee. Please see the Act for further examples of employee records.
4. Kinds of information the Business Owner collects and holds
4.1 The Business Owner collects personal information that is reasonably necessary for one or more of its functions or activities.
4.2 The type of information that the Owner collects and holds may depend on your relationship with the Owner. For example:
4.1.1 Candidate: if you are a candidate seeking employment with the Business Owner, the Business Owner may collect and hold information including your name, address, email address, contact telephone number, gender, age, employment history, references, resume, medical history, emergency contact, taxation details, qualifications and payment details.
4.1.2 Customer: if you are a customer of the Business Owner, the Business Owner may collect and hold information including your name, address, email address, contact telephone number, gender and age and image as collected on CCTV footage.
4.1.3 Supplier: if you are a supplier of the Business Owner, the Business Owner may collect and hold information including your name, address email address, contact telephone number, business records, billing information, information about goods and services supplied by you.
4.1.4 Referee: if you are a referee of a candidate being considered for employment by the Business Owner, the Business Owner may collect and hold information including your name, contact details, current employment information and professional opinion of candidate.
4.1.5 Sensitive information: the Business Owner will only collect sensitive information where you consent to the collection of the information and the information is reasonably necessary for one or more of the Business Owner’s functions or activities. Sensitive information includes, but is not limited to, information or an opinion about racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, membership of a trade union, sexual preferences, criminal record, health information or genetic information.
5. How the Business Owner collects and holds personal information
5.1 The Business Owner must collect personal information only by lawful and fair means. The Business Owner will collect personal information directly from you if it is reasonable or
5.2 The Business Owner may collect personal information in a number of ways, including without limitation:
5.2.1 through application forms;
5.2.2 by email or other written mechanisms;
5.2.3 in person;
5.2.4 through transactions;
5.2.5 through our website;
5.2.6 through surveillance camera (CCTV);
5.2.7 by technology that is used to support communication between us;
5.2.8 through publically available information sources (which may include telephone directories, the internet and social media sites); and
5.2.9 direct marketing database providers;
5.2.10 through bookings;
5.2.11 through competitions;
5.2.12 through customer feedback forms;
5.2.13 through application forms;
5.2.14 through social media; and
5.2.15 through events and functions;
5.3 When the Business Owner collects personal information about you through publicly available information sources, it will manage such information in accordance with the APPs.
5.4 At or before the time or, if it is not reasonably practicable, as soon as practicable after, the Business Owner collects personal information, the Business Owner must take such steps as are reasonable in the circumstances to either notify you or otherwise ensure that you are made aware of the following:
5.4.1 the identity and contact details of the Business Owner;
5.4.2 that the Business Owner has collected personal information from someone other than you or if you are unaware that such information has been collected;
5.4.3 that collection of personal information is required by Australian law, if it is;
5.4.4 the purpose for which the Business Owner collects the person information;
5.4.5 the consequences if the Business Owner does not collect some or all of the personal information;
5.4.6 any other third party to which the Business Owner may disclose the personal information;
5.4.8 whether the Business Owner is likely to disclose personal information to overseas recipients, and the countries in which those recipients are likely to be located.
5.5 Unsolicited person information is personal information that the Business Owner receives which it did not solicit. Unless the Business Owner determines that it could have collected the personal information in line with the APPs or the information is contained within a Commonwealth record, it must destroy the information to ensure it is de-identified.
6. Purpose for which the Business Owner collects, holds, uses and/or discloses personal information
6.1 The Business Owner will collect personal information if it is reasonably necessary for one or more of its functions or activities.
6.2 The main purposes for which the Business Owner may collect, hold, use and/or disclose personal information may include but are not limited to:
6.2.1 Complying with relevant legislation by the State of Victoria or Commonwealth of Australia.
6.2.2 ensuring safety and wellbeing of patrons.
6.2.3 customer service management;
6.2.4 training and events;
6.2.5 surveys and general research; and
6.2.6 business relationship management.
6.3 The Business Owner may also collect, hold, use and/or disclose personal information if you consent or if required or authorised under law.
6.4 Direct marketing:
6.4.1 The Business Owner may use or disclose personal information (other than sensitive information) about you for the purpose of direct marketing (for example, advising you of new goods and/or services being offered by the Business Owner).
6.4.2 The Business Owner may use or disclose sensitive information about you for the purpose of direct marketing if you have consented to the use or disclosure of the information for that purpose.
6.4.3 You can opt out of receiving direct marketing communications from the Business Owner by contacting the Privacy Officer in writing or if permissible accessing the Business Owner’s website and unsubscribing appropriately.
6.5 The purchase of tickets to Blue Lotus Water Garden is an implied opt in to receive emails and marketing material from Blue Lotus Water Garden and/or other subsidiaries of G&Y Cochrane, unless otherwise stated by the customer at the time of purchase.
7. Disclosure of Personal Information
7.1 The Business Owner may disclose your personal information for any of the purposes for which it was collected, as indicated under clause 6 of this policy, or where it is under a legal duty to do so.
7.2 Before the Business Owner discloses personal information about you to a third party, the Business Owner will take steps as are reasonable in the circumstances to ensure that the third party does not breach the APPs in relation to the information.
7.3 Cross-boarder disclosure of personal information:
7.3.1 The Business Owner is likely to disclose personal information to overseas recipients.
7.3.2 Before the Business Owner discloses personal information about you to an overseas recipient, the Business Owner will take steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the information.
8. Access to personal information
8.1 If the Business Owner holds personal information about you, you may request access to that information by putting the request in writing and sending it to the Privacy Officer. The Business Owner will respond to any request within a reasonable period, and a charge may apply for giving access to the personal information.
8.2 The Business Owner unconditionally reserves the right to refuse access to the personal information on a discretionary basis.
9. Correction of personal information
9.1 If the Business Owner holds personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, it must take steps as are reasonable to correct the information.
9.2 If the Business Owner holds personal information and you make a request in writing addressed to the Privacy Officer to correct the information, the Business Owner must take steps as are reasonable to correct the information and the Business Owner will respond to any request within a reasonable period.
9.3 There are certain circumstances in which the Business Owner may refuse to correct the personal information. In such situations the Business Owner will give you written notice that sets out the reasons for the refusal and the mechanisms available to you to make a complaint.
9.4 If the Business Owner correct personal information that it has previously supplied to a third party and you request us to notify the third party of the correction, the Business Owner will take such steps as are reasonable to give that notification unless impracticable or unlawful to do so.
10. Integrity and security of personal information
10.1 The Business Owner will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that it:
10.1.1 collects is accurate, up-to-date and complete; and
10.1.2 uses or discloses is, having regard to the purpose of the use or disclose, accurate, up-to-date and complete.
10.2 The Business Owner will take steps as are reasonable in the circumstances to protect the personal information from misuse, interference, loss and form unauthorised access, modification or disclosure.
10.3 If the Business Owner holds personal information, it no longer needs the information for any purpose for which the information may be used or disclosed, the information is not contained in any Commonwealth record and the Business Owner is not required by law to retain the information, it will take such steps as are reasonable in the circumstances to destroy the information or to ensure it is de-identified.
11. Anonymity and Pseudonymity
11.1 You have the option of not identifying yourself, or using a pseudonym, when dealing with the Business Owner in relation to a particular matter. This does not apply:
11.1.1 where the Business Owner is required or authorized by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
11.1.2 where it is impracticable for the Business Owner to deal with individuals who have not identified themselves or who have used a pseudonym.
11.2 However, in some cases if you do not provide the Business Owner with your personal information when requested, the Business Owner may not be able to respond to your request or provide you with the goods or services that you are requesting.
12. How to access or correct personal information or make a privacy complaint
12.1 If you wish to access any of your personal information that the Business Owner holds or would like to correct any errors in that information; or
12.2 If you would like to notify the Business Owner of any privacy complaint, including if you think the Business Owner has failed to comply with the APPs;
12.3 Please contact the Privacy Officer by email firstname.lastname@example.org or send a letter to:
Attention: Privacy Officer
Blue Lotus Water Garden
2628 Warburton Highway
Yarra Junction VIC 3797