Automic Pty Ltd ACN 152 260 814 and each of its related bodies corporate (together the Automic Group) is committed to taking reasonable steps to implement practices, procedures and systems that will ensure it complies with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and any binding registered APP code.
This policy should be read together with Automic Group’s other policies, including the Confidentiality and Data Security Policy and Insider Lists and Information Barriers Policy.
This policy applies to all personal information collected by Automic Group, including that of:
The types of personal and sensitive information we will collect from you will depend on the circumstances in which it is collected. It may include:
(a) Automic Group’s employees (whether permanent, full-time, part-time, fixed or maximum-term, casual/temporary or voluntary), officers, agents and contractors (including any employees of those contractors) ;
(b) Automic Group’s clients or prospective clients; and
(c) any other individual who attends the physical premises occupied by Automic Group, including:
(i) Level 5, 126 Phillip St, Sydney NSW 2000;
(ii) Level 2, 267 St Georges Terrace Perth WA 6000; and
(iii) 477 Collins Street Melbourne VIC 3000.
(a) Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(i) whether the information or opinion is true or not; and
(ii) whether the information or opinion is recorded in a material form or not.
(b) Sensitive information is a particular subcategory of personal information and includes:
(i) whether the information or opinion is recorded in a material form or not.
(A) racial or ethnic origin;
(B) political opinions;
(C) membership of a political association;
(D) religious beliefs or affiliations
(E) philioshpical beliefs
(F) membership of a professional or trade association
(G) membership of a trade union sexual orientation or practices;
(H) or criminal record,
that is also personal information
(ii) health information about an individual, including vaccination status;
(iii) genetic information about an individual that is not otherwise health information;
(iv) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(v) biometric templates.
(d) The personal information that Automic Group collects may include the following:
(i) identity information such as your name, age or date of birth, contact details (including address, email address, phone number or mobile phone number), occupation, licence information, driver’s licence or passport number, usernames or passwords;
(ii) vaccination status limited to COVID-19 and any COVID-19 variants; and
(iii) financial details such as your bank account details, credit card information or tax file number.
Automic Group will manage personal information in an open and transparent manner. In doing so, Automic Group will ensure that individuals are notified at the time of collecting their personal information:
(a) what type of personal information is being collected;
(b) the fact and circumstances of collection;
(c) whether the collection is required or authorised by law;
(d) how Automic Group collects and holds personal information;
(e) the purposes for which Automic Group collects, holds, uses and discloses personal information;
(f) Automic Group’s usual disclosures of that kind of person information; and
(g) who that personal information will be disclosed to, including whether the personal information is likely to be disclosed to overseas recipients.
Automic Group will ensure that all its employees, agents, and contractors are trained at regular intervals to ensure they understand its obligations under the Privacy Act 1988 (Cth), including the APPs.
Generally, it is impracticable for Automic Group to deal with clients who do not wish to identify themselves or who wish to use a pseudonym. However, where possible and appropriate Automic Group will provide information of a general nature to unidentified individuals.
Automic Group only collects personal information that is reasonably necessary for Automic Group’s functions and activities. Automic Group collects personal information for the following purposes:
(a) to conduct Automic Group’s business;
(c) to communicate with an individual;
(d) to comply with Automic Group’s legal obligations;
(e) to help us manage and enhance Automic Group’s services;
(f) to protect individuals and Automic Group from error or fraud; or
(g) to provide individuals with the products or services they have requested.
Where practical, Automic Group will collect personal information directly from the individual and not from third parties unless otherwise required by the law. Automic Group may obtain information from third parties if authorisation has been provided by the individual.
We collect personal information directly from you or from third parties once authorisation has been provided by you. You have a right to refuse us authorisation to collect information from a third party.
(a) Automic Group only collects sensitive information:
(i) that is reasonably necessary for Automic Group’s functions and activities; and
(ii) where the individual has consented to the collection; or
(iii) whether the information or opinion is recorded in a material form or not.
(b) Automic Group will only collect sensitive information in very limited circumstances, on an “as-needs” basis which will be communicated to the individual if and when that occurs.
(c) You have a right to refuse to provide sensitive information for collection by Automic Group. Automic Group will notify you of the consequences if you do not consent to the collection of particular sensitive information.
If Automic Group receives unsolicited personal information, Automic Group will determine whether Automic Group could have collected that personal information by lawful and fair means, and whether it is related to one of the purposes of collecting personal information above. Automic Group will do this by looking at its relationship with the individual and whether the personal information relates to its relationship with them.
If Automic Group determines that it could have collected the personal information by lawful and fair means, Automic Group will deal with that personal information in accordance with clauses 8 to 16 of this policy.
If Automic Group could not have collected the personal information by lawful and fair means, or the personal information does not relate to one of Automic Group’s purposes for collecting the personal information, Automic Group will destroy the personal information.
(a) When Automic Group first collects personal information from an individual, Automic Group will notify them that it has collected its personal information and notify them about:
(i) the contact details for Automic Group;
(ii) the purposes of the collection of their personal information;
(iii) those entities that Automic Group usually disclose personal information to;
(iv) what happens if the individual chooses not to provide Automic Group with personal information;
(v) direct marketing that may be undertaken by us or any related companies;
(vi) when Automic Group is required to collect personal information under an Australian law,
(viii) how they may complain about a breach of the APPs or any registered binding APP code;
(ix) how they may access their personal information and seek correction of such information; and
(x) any disclosure of personal information that Automic Group makes to an overseas entity.
(b) If Automic Group knows that as part of its relationship with the individual Automic Group will disclose their personal information to another identifiable entity, Automic Group will notify the individual of the following matters at the time Automic Group first collects their personal information:
(i) the identity and contact details of that organisation; and;
(ii) why their information may be disclosed to the organisation.
(c) If the information is collected from another entity, or the individual may not be aware that the entity has collected their personal information, Automic Group will explain to the individual at the commencement of dialogue either:
(i) the name of the entity that provided their information; or, if this is not practical
(ii) the kinds of entities from which it collects this information.
The purpose of collecting an individual’s personal information will be outlined to them.
If during Automic Group’s relationship with the individual Automic Group wishes to use an individual’s personal information for an additional purpose, Automic Group will obtain their consent unless the purpose is related to the primary purpose, or Automic Group is permitted under law to do so.
In line with modern business practices common to many financial institutions, an individual’s personal information may be disclosed to the following organisations:
(a) other product providers in order to manage or administer a product or service;
(b) compliance consultants;
(c) contractors or temporary staff to handle workloads during peak periods;
(d) mailing houses;
(e) professional advisers, including solicitors or accountants as authorised by the individual;
(f) information technology service providers;
(g) government and regulatory authorities, as required or authorised by law;
(h) another authorised representative of the licensee;
(i) a potential purchaser/organisation involved in the proposed sale of the Automic Group business for the purpose of due diligence, corporate re-organisation and transfer or all or part of the assets of Automic Group’s business. Disclosure will be made in confidence and it will be a condition of that disclosure that no personal information will be used or disclosed by them; and
(j) a new owner of Automic Group that will require the transfer of personal information.
Automic Group notifies individuals at the time of collecting their personal information that their personal information will be used by Automic Group and any associated businesses for the purposes of direct marketing.
In all Automic Group’s direct marketing communications Automic Group will provide a prominent statement about how an individual can elect not to receive direct marketing. If the direct marketing communication is an email, Automic Group will provide an ‘unsubscribe’ function within the email.
Automic Group will keep appropriate records to ensure those individuals that have made requests not to receive direct marketing communications do not receive them. Automic Group does not apply a fee to unsubscribe from direct marketing communications.
Automic Group does not sell personal information. Automic Group does not use sensitive information for the purposes of direct marketing.
If Automic Group purchases personal information for the purposes of direct marketing, Automic Group will conduct appropriate due diligence to ensure appropriate consents from the individuals have been obtained.
Generally, Automic Group does not disclose personal information overseas.
Automic Group may use cloud storage and IT servers that may be located overseas to store the personal information Automic Group holds.
Automic Group will notify the individual of any proposed disclosure of personal information that Automic Group makes to an overseas entity.
Automic Group may receive tax file numbers, Centrelink reference numbers, driver’s license numbers or passport numbers in the course of providing our services; however, Automic Group does not use or disclose government related identifiers for any purpose other than required by law.
Automic Group will take reasonable steps to protect personal information that Automic Group holds from misuse, interference and loss and from unauthorised access, modification or disclosure.
Automic Group hold personal information on secure IT systems. All IT systems are appropriately updated with passwords, virus scanning software and firewalls when needed.
Any paper records must only be accessible to Automic Group’s employees, agents, contractors and others as they are needed. Any paper records are held within an office that is locked and protected by security systems at night.
When reasonable, Automic Group will usually destroy personal information that is held electronically and in paper form seven years after Automic Group’s relationship with the individual ends. Automic Group will do this by shredding paper copies and deleting electronic records containing personal information about the individual or permanently de-identifying the individuals within those records.
Individuals may request access to any personal information that Automic Group holds about them. Automic Group will not charge an individual for requesting access to their personal information. An individual does not need to state that they are making a request under the Privacy Act and the request does not need to be made in writing.
Automic Group will verify the individual’s identity prior to disclosing any personal information or ensure the person seeking access has appropriate authority from the person to whom the personal information relates.
When an individual requests access to their personal information Automic Group will conduct a search of our database. This search will also indicate if there are any paper records that contain personal information.
Automic Group will not give access to the personal information that Automic Group holds about an individual where it is unreasonable or impracticable to provide access, or in circumstances where the request would likely:
(a) pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
(b) unreasonably access the privacy of other individuals;
(c) be frivolous or vexatious;
(d) relate to anticipated legal proceedings, and the correct method of access to personal information is by the process of discovery in those legal proceedings;
(e) reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations;
(f) be unlawful or in breach of an Australian law or court / tribunal order;
(g) prejudice the taking of appropriate action in relation to a matter where unlawful activity or misconduct that relates to our functions or activities;
(h) prejudice enforcement related activities of a regulatory body (such as ASIC); or
(i) reveal commercially sensitive information.
When Automic Group receives a request for access, Automic Group will usually respond to the individual with seven days. However, depending on the nature of the request Automic Group may provide the personal information when the request is made.
If the individual is requesting a large amount of personal information, or the request cannot be dealt with immediately, then after Automic Group has investigated the request for access, Automic Group will advise the individual what personal information Automic Group holds and provide details of that personal information.
Automic Group will comply with all reasonable requests by an individual to provide details of the personal information that Automic Group holds in the requested format.
If Automic Group does not provide access to the information, Automic Group will provide written reasons setting out why Automic Group does not believe it need to provide access.
Automic Group relies on individuals to help it to ensure that their personal information is accurate, up-to-date and complete.
If Automic Group holds personal information about an individual and Automic Group is reasonably satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading, or Automic Group receives a request to correct the information, Automic Group will take reasonable steps to correct the information. Automic Group will not charge an individual for requesting correction of their personal information.
If Automic Group corrects personal information that Automic Group has previously disclosed, it will take reasonable steps to notify the entity to which Automic Group disclosed the information of the correction. Automic Group may not always make corrections to an individual’s personal information. When Automic Group does not make requested corrections, it will provide written reasons for our refusal to make the correction.
When Automic Group receives a request for correction, Automic Group will usually respond to the individual with seven days. However, depending on the nature of the request Automic Group may correct the personal information when the request is made.
If, after notifying the individual of Automic Group’s refusal to correct personal information, the individual requests Automic Group to issue a statement that the personal information on the record is inaccurate, out of date, incomplete, irrelevant or misleading, Automic Group will take reasonable steps to do so.
Automic Group manages a website that provides links to third party websites. The use of personal information by third party websites is not within Automic Group’s control. Automic Group is not responsible for the conduct of third-party website owners.
Automic Group’s website utilises cookies to provide individuals with an improved user experience. Cookies allows Automic Group to identify users’ browser while they are using the website. Cookies does not identify the user’s personal information. If users do not wish to receive cookies, they can instruct their web browser to refuse them.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012, sets out a number of APPs. Automic Group operates in a manner that allows it to control the use of, and protect, personal information as guided by the APPs and required by other relevant legislation.
Not all telephone lines are recorded, a list of recorded telephone lines is maintained by IT and recordings are retained for one year. Telephone recordings are only carried out for the purposes of employee training and quality assurance audits. Access to these recordings is limited to authorised personnel approved by the CO.
Automic Group’s employees, officers, agents, contractors and any of its authorised representatives must:>
(b) consider the necessity and purpose of collecting any personal information from individuals;
(d) when collecting sensitive information from an individual, first obtain the voluntary and adequately informed consent of that individual;
(e) only use the personal information for the purpose for which it was provided;
(f) question the purpose for passing on any personal information (including both client or employee data) and check whether or not there is a secure procedure in place;
(g) add personal data to client record keeping systems as and when necessary to maintain updated records;
(h) store (and remove when appropriate) data securely, whether hard or soft copy;
(i) use encryption and secure email; and
(j) verify the identity of all persons making requests for information.
Any complaint that about a breach of this policy or the APPs must be in writing and delivered to Automic Group at firstname.lastname@example.org. Any complaint Automic Group receives will usually be acknowledged within seven days. A decision or any decisive action arising from or in connection with the complaint will usually be reached within 30 days. Individuals may contact the Office of the Australian Information Commissioner if they are unhappy with the handling of a complaint.
This policy is sponsored by the Managing Director and endorsed by Automic Group’s Directors.
The policy is explained to all Staff as part of induction and they are required to read it and raise any questions or concerns they have arising from it.
The policy is maintained electronically on the intranet and accessible at all times by everyone at the company. Comments on the policy are welcome and should be directed to senior management.
Automic Group will monitor the implementation of this policy on a regular basis to determine its effectiveness.