La Trobe University Rowing Club Inc. (LURC, We, Our, Us) is a rowing club affiliated with La Trobe University (the University), based in Melbourne, Australia.
LURC is an incorporated entity that handles personal and health information. As such, our obligations arise from the Privacy Principles contained in the Privacy Act 1988 (Cth) (Privacy Act) to the extent they apply to us.
As an affiliate of the University, information you share with us will be shared with the University and will be subject to protections under the Personal Data Protection Act 2014 (Vic) (PDP Act).
In certain circumstances, we must comply with the privacy obligations of other countries. How we do this is detailed in section 7 below.
2. Personal Information and Sensitive Personal Information
Sensitive information (Sensitive PI) is also defined in the Privacy Act and includes information or an opinion about an individual’s:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual orientation or practices;
- criminal record.
Sensitive PI also includes health information about an individual, genetic information about an individual that is not otherwise health information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or biometric templates.
In all cases where consent is required for us to process your PI, whether it be express consent (verbal, in writing, click-wrap tick box), or implied consent (browse-wrap without a tick-box and other behaviour which indicates consent through continued use), you must give it freely, to a specific kind of processing and you must be informed about the processing based upon adequate information and the choices available to you. Naturally, you must have the capacity (for example be 16 years or older) to understand the circumstances for which consent is required and be able to give and communicate consent.
Individuals who are not sure about consent or who think we fall short of the consent requirements are encouraged to contact us so that we can assist you (section 10 below).
Individuals who are entitled to additional rights, including in relation to consent under European Union Regulations and other international laws, are referred to section 7.
4. Privacy Principles Governing the Handling of Personal Information
4.1. Open and Transparent Management of Personal Information
LURC is committed to making every reasonable effort to manage PI in an open and transparent way.
This Policy sets out how we provide for open and transparent management of PI to give individuals the ability to make informed choices about LURC and their communications with us.
4.2. Anonymity and Pseudonymity
Under some circumstances, you have the right to choose to remain anonymous (you cannot be identified, and we do not collect PI), or you can choose to use a pseudonym (you can use a name, term or description that is different from your own) when dealing with us.
Circumstances where we give individuals the option to remain anonymous or to use a pseudonym include, for example, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified.
Examples of circumstances where we will need to know the identity of the person that we are dealing with relate to your membership, where identification is required or authorised by law, where access to information is requested for correction of a PI record, and where cost becomes excessive or impractical without knowing the identity of the individual we are dealing with.
4.3. Collection of Solicited Personal Information
We are committed to collecting PI by lawful and fair means and wherever possible only collecting it directly from the individual concerned.
We collect PI from individuals where the information is reasonably necessary for membership and the operations of LURC.
We collect personal information:
- directly from you when you visit us, or when you provide it to us or our agents;
- via our website or when you deal with us online including through our social media pages;
- from the University;
- from your next of kin if they put you down as an emergency contact; and
- from third parties (for example, from referees if you apply for a position as an employee or contractor with us).
In providing membership, we also collect some forms of Sensitive PI (detailed below). This Sensitive PI is provided by the individual themselves, by parents and guardians, and by third parties (where relevant).
Where we collect Sensitive PI, we always ask for prior consent in “writing”, where writing includes electronic forms of writing such as email. Your consent allows us to collect that information and use and disclose that information for the purpose for which you disclosed it to us and as permitted by the Privacy Act and other relevant laws.
We do not discriminate between different formats of PI (electronic, paper, voice etc.), nor upon whether the information or opinions are true or not.
The types of personal information we collect from you depend on the circumstances in which the information is collected and may include your:
- contact details (such as phone number, residential address and email address);
- date of birth;
- emergency contact information;
- information on student status;
- health information;
- banking information;
- recordings of your image and/or voice through the use of devices (such as a video camera or smart device) and other surveillance devices;
- any information posted on our social media sites or website and other information provided in relation to your dealings with us;
- any information collected through our website and other forms of communication such as through email and social media.
In addition to the types of personal information identified above, we may collect personal information as otherwise permitted or required by law.
In most instances, even for non-sensitive PI, we collect PI only after a direct request to, and with the consent of, the individual to whom the information relates.
In exceptional circumstances, or when authorised or required by law, we will collect PI from some source other than the individual themselves.
4.4. Dealing with Unsolicited Personal Information
PI is sometimes provided to us in circumstances where we have not requested it. In these circumstances, where the information is unsolicited, we will examine whether it could have been collected under the circumstances set out in section 4.3 above. We will then apply our minds and decide whether this unsolicited information should be retained, de-identified or destroyed. Having made that decision, we will implement the decision within a reasonable time.
We do not actively seek to collect unsolicited information.
4.5. Notification of the Collection of Personal Information
This Policy, other legal notices published on our website and our internal practices, procedures and systems (administrative controls) are our way to ensure that individuals know about the PI that LURC collects and processes.
We are committed to making all reasonable efforts to inform individuals about the PI we collect before we collect it, for example by making this Policy and our other legal notices publicly available.
We will inform individuals about the collection of PI at the time we collect PI, for example when individuals sign up for membership, through our website activity and other forms of communication such as email.
In exceptional circumstances where this does not happen, for example, when we receive unsolicited PI from a third party which we decide to retain, we will inform individuals as soon as reasonably possible after the collection of PI.
Through this Policy and other legal notices published on our website, we seek to ensure that individuals are informed about the reasons for the collection of PI, and that they know how to contact the accountable office bearers at LURC (section 10 below).
4.6. Use or Disclosure of Personal Information
Where we hold PI about an individual that was collected for a particular purpose (the primary purpose) we will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect us to use or disclose it for a related purpose. An example of a related purpose in these circumstances is disclosure to the University to meet our obligations as an affiliated association.
Some of the specific purposes for which we collect, use and disclose personal information are:
- to provide membership services to you;
- to verify your identity and eligibility to provide you access to restricted areas of LURC;
- for quality, safety and security purposes;
- to administer surveys, competitions or other promotional activities or events conducted, sponsored or managed by us or our affiliates such as the University or Rowing Victoria;
- to respond to you if you have requested information (including via our website or via an email or other correspondence you send to us);
- to combine your information with information we collect from our affiliates such as the University or Rowing Victoria, third parties, cookies or web beacons in order to provide you with a more personalised experience and to improve the quality of our services;
- to address any issues or complaints that we or you have regarding our relationship; and
- to contact you regarding the above, including via electronic messaging such as SMS and email, by mail, by phone or in any other lawful manner.
If you apply for employment with us, we may collect your information for the purpose of:
- contacting you about opportunities in the future;
- providing you with information about working with us; or
- considering your application including your qualifications and resume as well as reference information from your nominated referees.
We also use and retain PI records which are required to be retained for legal, business and evidential reasons. Sometimes these PI records come from external sources and third parties, such as the University and Rowing Victoria.
Broadly speaking we disclose PI (release it outside of our possession or control) for the same primary reasons listed above, and where there is a legal obligation to do so.
Where we disclose your personal information to third parties, we will use reasonable commercial efforts to ensure that such third parties only use your personal information as reasonably required for the purpose we disclosed it to them and in a manner consistent with the Privacy Principles under the Privacy Act.
If you post information to public parts of our website or to our social media pages, you acknowledge that such information (including your personal information) may be available to be viewed by the public. You should use discretion in deciding what information you upload to such platforms.
4.7. Direct Marketing
When you engage with us, you consent to us communicating directly with you in order to provide information and to promote our membership offering.
We allow individuals to opt-out of receiving direct communications and direct marketing notifications. When individuals request us to stop communicating with them, we will comply with that request.
If an individual requests information about how we came to have their PI, we will respond, and provide the source of an individual’s PI wherever possible. We will respond to these requests within a reasonable time (thirty (30) business days).
We do not disclose, sell or share PI to third parties for direct marketing purposes.
4.8. Cross-border Disclosure of Personal Information
LURC operates in Victoria, Australia. These operations include all aspects of internal operations that support providing membership and include situations where that involves PI travelling over telecommunications lines (“live” data on switched networks) and the storage of static (archived) PI in data warehouses and on information systems.
LURC members are primarily located in Australia, but may also be located in, or be residents or citizens of the European Union (EU), the United Kingdom (UK), the Asia Pacific (APAC) region or elsewhere, with the result that PI flows (is exported and imported) between these other countries.
LURC relies on various third party service providers such as application, ‘cloud’, email, data warehousing and other technology and communications service providers. These are based in Australia.
Because information systems enable our membership services, PI may be located or disclosed in transit (live) and in a static (archived) format in countries outside Australia, in the countries mentioned above, or elsewhere. Wherever reasonably possible, we meet international best practice standards and employ recognised mechanisms such as contractual clauses and other agreements to ensure the security and confidentiality of the PI that we process under privacy, telecommunications and data laws.
We do not have control over the agreements between the University and their service providers. When your information is shared with the University and their service providers, it may be subject to a different standard of security and may transit or be stored in countries not mentioned above.
Despite our best efforts, there is no guarantee of security or privacy, and individuals are cautioned to consider how their PI moves and is stored on global information systems and to make appropriate choices.
4.9. Adoption, Use or Disclosure of Government Identifiers
We do not adopt, use or disclose government identifiers of an individual as our own identifiers.
We do not use and disclose government identifiers such as Australian Tax File Numbers.
4.10. Quality of Personal Information
We are committed to taking such steps as are reasonable in the circumstances to ensure that the PI we collect, hold, use and disclose is accurate, up-to-date, complete and relevant having regard to the purpose for which it is used or disclosed.
To ensure that your PI is accurate, up-to-date, complete and relevant, we ask you to assist us by providing updates when your information has changed.
In the event of an eligible data breach (section 6 below) as defined in the Notifiable Data Breach Scheme (NDB Scheme), we will need to contact you, and we need to know that the information we have to do so is correct. For your own security, please ensure that we know your preferred means of communication.
4.11. Security of Personal Information
We are committed to taking reasonable steps to protect PI that we hold from misuse (wrong or improper use), interference (access even where the content is not necessarily modified) and loss (accidental, inadvertent, misplaced PI).
We are committed to securing PI from unauthorised access (by someone that is not permitted to access the information), modification (alteration by someone that is not permitted to do so, or who acts beyond the scope of their authority to modify PI) and unauthorised disclosure (where PI is released from our effective control without authority).
To comply with law and manage risk, our practices, procedures and systems aim to protect the confidentiality, integrity and availability of our information systems and the information on them, especially the PI that we collect, hold, use and disclose.
Where there is no legal obligation to retain records and evidence, and in circumstances where we no longer need PI to provide membership or for any purpose for which the information may be used or disclosed under Australian law, we take reasonable steps to destroy the information.
Our information security and privacy practices include circumstances where our data handling practices are outsourced to third parties. Because of this, we endeavour wherever possible to bind third party service providers through appropriate legal agreements. We also endeavour to monitor their privacy and security practices where possible.
4.12. Access to Personal Information
Where we hold or have the right and power to deal with PI (for example, where it is stored by one of our affiliates or third parties), we will, on request by an individual, normally give that individual access to their information.
We do this so that individuals know what information we hold on them and because it assists us to ensure that the PI that we hold is up-to-date, complete and relevant, and we are able to communicate directly with individuals in the event of an eligible data breach.
In considering a request for access to PI by an individual, we will require identification. We reserve the right not necessarily to give access to an individual to their PI in circumstances, for example, where provided for in law, in instances of commercial sensitivity and where a third party may be negatively affected.
We will respond to an individual’s request for access to their information within a reasonable time (thirty (30) business days), and we will consider reasonable requests for access to be given in a particular format, for example, through user registration login, by facsimile, email and postal services. As a matter of courtesy, we will provide reasons for the refusal if access is refused.
No charge will apply when an access to information request is received. We do however reserve our rights to charge a fee where we incur costs, for example, for photocopying, postage and costs associated with using an intermediary if one is required.
4.13. Correction of Personal Information
Where we hold PI, we will take reasonable steps to correct it to ensure that, having regard to the purpose for which we hold it, it is accurate, up-to-date, complete, relevant and not misleading.
You, as an individual, may request that we correct PI that we hold about you in circumstances where you believe that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
In considering a request for the correction of PI that we hold, we will require identification of the requesting individual. We reserve the right not necessarily to effect the changes sought but undertake to consider reasonable requests and to associate a statement to the record reflecting our refusal to correct the failed request for correction if we consider refusal the appropriate action.
We will respond to a request to change information within a reasonable time (sixty (60) business days) although changes sought may take longer, for example, because we may need to contact and notify other organisations and individuals about the request.
No charge applies for making a request, correcting PI or associating a statement for refusal to change a record.
As a matter of courtesy, we will provide reasons for the refusal if correction is refused, and also a reminder of the complaint process available to individuals that feel aggrieved by the refusal.
5. Links, Cookies and Use of Our Website and Applications
We may use “cookies” and similar technology on our website and in other technology applications. The use of such technologies is an industry standard and helps us to monitor the effectiveness of advertising and how visitors use our website/applications. We may use such technologies to generate statistics, measure your activity, improve the usefulness of our website/applications and to enhance your experience.
6. Eligible Data Breach
Under the NDB Scheme, LURC must notify the Australian Privacy Commissioner and affected individuals of an eligible data breach in relation to PI, credit reporting information, credit eligibility information or tax file number information if, and when:
a. There is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
b. The information is lost, and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to individuals.
6.1. Actual Eligible Data Breach
If, and when, LURC becomes aware of a breach of its network or information systems resulting in the circumstances outlined in 6a and 6b above, LURC will:
- take remedial action;
- where remedial action fails to adequately limit the risk, notify the individuals concerned, and notify the Office of the Australian Information Commissioner (Commissioner); and
- work with the individuals concerned and the Commissioner to protect everyone and everything concerned.
6.2. Suspected Eligible Data Breach
If, and when, LURC suspects a breach of its network or information systems resulting in the circumstances outlined in 6a and 6b above, LURC will:
- undertake an assessment of the situation with a view to establishing the facts; and do so within a reasonable time (thirty (30) business days); and
- when a suspected breach is found to be an actual breach, LURC will follow the steps in 6.1 above.
If any person suspects or becomes aware of a breach or an impending breach, please contact our privacy officer (contact details in section 10 below) as a matter of urgency.
7. International Laws
Where an individual has rights under international law such as the General Data Protection Regulation (GDPR), we will make special arrangements to accommodate you in the exercise of your specific rights.
Please ensure that you make us aware of your status if, and when, you become aware that your PI may be processed by us. LURC will use all reasonable efforts to monitor and classify foreign PI and handle it accordingly.
8. Queries, Comments and Complaints About Our Handling of Personal Information
Individuals can make general enquiries, request access to their information and complain to us in writing. Writing includes email communications but excludes text and social media platforms.
We will respond to complaints within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed, for example, because we may need to contact and notify other organisations and individuals affected by the complaint. In this case we will endeavour to respond within sixty (60) business days.
In most circumstances, the Australian Information Commissioner will not investigate a complaint if an individual has not first raised the matter with us. For this reason, we ask individuals to agree to submit all complaints relating to this Policy and to our handling of PI to us first, so that we have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to us via the contact information in section 10.
9. Governing Law
10. Contact Information
Name: La Trobe University Rowing Club Inc.
Postal Address: Building 6, Boathouse Drive, Melbourne VIC 3004
Email Address: firstname.lastname@example.org
Website Address: http://latroberowing.org
ABN: 17 899 4848 544