Version date: March 2019
2. What is personal information?
Sensitive Personal Information (“Sensitive PI”) involves genetic and biometric information, physical and mental health, racial, political, religious or philosophical beliefs, sexual orientation, criminal records and professional or trade association information.
3. Collection of Personal Information
We collect PI from individuals where the information is reasonably necessary for the Airport Services, legal obligations and activities relating to Avalon business activities.
Some of the specific purposes for which We collect, use and disclose personal information are:
- to provide goods or services to you or to receive goods or services from you;
- to verify your identity and eligibility to provide you access to restricted areas of Avalon Airport;
- for quality, safety and security purposes;
- to administer surveys, competitions or other promotional activities or events conducted, sponsored or managed by Us or Our business partners;
- to respond to you if you have requested information (including via Our websites or via an email or other correspondence you send to Us);
- to combine your information with information We collect from Our service providers, third parties, cookies or web beacons in order to provide you with a more personalised experience and to improve the quality of Our services;
- to improve Our services;
- to address any issues or complaints that We or you have regarding Our relationship; and
- to contact you regarding the above, including via electronic messaging such as SMS and email, by mail, by phone or in any other lawful manner.
For internal human resourcing, We collect PI and Sensitive PI, which We may solicit or request from a third party such as an employment agency or referees in the context of employment. From employees, We request third party information such as next-of-kin and medical practitioner details.
If you apply for employment with Us, We may collect your information for the purpose of:
- contacting you about opportunities in the future;'
- providing you with information about working with Us; or
- considering your application including your qualifications and resume as well as reference information from your nominated referees.
3.1 Types of personal information We collect
The types of personal information We collect from you depends on the circumstances in which the information is collected and may include:
- Your name, contact details (such as phone number, residential address and email address), employment history and driver licence number;
- if you visit Avalon Airport, recordings of your image and/or voice through the use of Closed-Circuit Television (CCTV) systems, handheld devices (such as a video camera or smart device) and other surveillance devices;
- if you use Our car park service, vehicle licence plate numbers and credit card details;
- if you log in to the Wi-Fi service We provide, We may collect, among other things, the information you input in order to access the Wi-Fi, any MAC address associated with your wireless device, the time and date of your access, your server address and your browser type; and
- any information posted on Our social media sites or website and other information provided in relation to Your dealings with Us.
If you wish to access and use restricted areas of Avalon Airport, We may collect additional information from you so We can issue you an Aviation Security Identification Card (ASIC) or other form of identification or access card. The information We may collect for those purposes could include:
- Additional identity information including your place of birth, country of citizenship, gender and your photo; and/or
- Your previous residential addresses, details of previous criminal offences, details of any pending prosecutions, and information provided to Us by relevant government agencies (such as the outcome of criminal records checks, security assessments and immigration checks).
3.2 Sensitive Personal Information
In providing Airport Services We also collect Sensitive PI. This Sensitive PI is provided by the individual themselves, by parents and guardians, and by third parties such as those involved in the security and health sectors. Where We collect Sensitive PI, We always ask for prior consent in “writing”, where writing includes electronic forms of writing such as email and click-wrap agreements where you tick a box (opt-in).
Except as described in this section, We do not generally require you to disclose any sensitive information to Us. If you do provide Us with sensitive information for any reason, you consent to Us collecting that information and using and disclosing that information for the purpose for which you disclosed it to Us and as permitted by the Privacy Act and other relevant laws.
In addition to the types of personal information identified above, We may collect personal information as otherwise permitted or required by law including any obligations We have under the Civil Aviation Act 1988 and the Civil Aviation Regulations 1988.
Notification of Collection of Personal Information
3.3 How We collect your personal information
We collect personal information in a number of ways. The most common ways We collect your personal information are:
- directly from you when you visit Avalon Airport, or when you provide it to Us or Our agents or contractors;
- ia Our website or when you deal with Us online (including through Our social media pages);
- from Our related companies; and from third parties (for example, from referees if you apply for a position as an employee or contractor with Us).
In most instances, even for non-sensitive PI, where We collect PI, We only do so after a direct request to, and with the consent of the individual to whom the information relates. This Policy is one way that We seek to obtain your consent to processing your PI.
In exceptional circumstance, or when authorised or required by law, We will collect PI from some source other than the individual themselves.
3.4 Use and disclosure of personal information
Where We hold PI about an individual that was collected for a particular purpose (the primary purpose) We will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect Us to use or disclose it for a related purpose. An example of a related purpose in these circumstances might be disclosure to a next-of-kin or health care provider in the case of an employee.
Broadly speaking, We use (process, handle and manage) PI internally for 2 reasons:
- To provide Airport services; and
- For internal human resourcing.
This may include disclosing your personal information to the following types of third parties:
- Our employees, business partners and related companies;
- Our contractors and other third parties that provide goods and services to Us (including website and data hosting providers, and other suppliers);
- Our accountants, insurers, lawyers, auditors and other professional advisers and agents;
payment system operators;
- f you are an individual contractor to Us or a prospective employee, to Our related companies and HR related service providers;
- any third parties to whom you have directed or permitted Us to disclose your personal information (e.g. referees);
- in the unlikely event that We or Our assets may be acquired or considered for acquisition by a third party, that third party and its advisors;
- third parties that require the information for law enforcement purposes or to prevent a serious threat to public safety; and
- otherwise as permitted or required by law.
Where We disclose your personal information to third parties We will use reasonable commercial efforts to ensure that such third parties only use your personal information as reasonably required for the purpose We disclosed it to them and in a manner consistent with the Privacy Principles under the Privacy Act.
If you post information to public parts of Our websites or to Our social media pages, you acknowledge that such information (including your personal information) may be available to be viewed by the public. you should use discretion in deciding what information you upload to such sites.
We also use and retain PI records which are required to be retained for legal, business and evidential reasons. Sometimes these PI records come from external sources and third parties, such as government and law enforcement agencies, insurance and financial service providers.
Broadly speaking We disclose PI (release it outside of Our possession or control) for the same primary reasons listed above; providing the service (including third party service providers) for human resourcing, and where there is a legal obligation to do so.
3.5 Dealing with Unsolicited Personal information
Personal Information is sometimes provided to Us in circumstances where We have not requested it. In these circumstances, where the information is unsolicited, We will examine whether it could have been collected under the circumstance under section 4 above. We will then apply Our minds and decide whether this unsolicited information should be retained, de-identified or destroyed. Having made that decision, We will implement the decision within a reasonable time.
We do not actively seek to collect unsolicited information.
3.6 What happens if you don't provide personal information?
Generally, you have no obligation to provide to Us any personal information requested by Us. However, if you choose to withhold requested personal information, We may not be able to do provide you with the services requested or allow you to participate in the marketing activities that depend on the collection of that information.
4. Direct Marketing
Direct marketing involves communicating directly with you for the purpose of promoting Our services or the goods or services of third-party organisations. We may also communicate with you for the purpose of providing you with special offers. Direct marketing can be delivered by a range of methods including mail, telephone, email or SMS.
We may use and disclose your personal information for the purpose of direct marketing to you where you have consented to Us doing so; or it is otherwise permitted by law.
5. Adoption, Use or Disclosure of Government Identifiers
We do not adopt, use or disclose government identifiers of an individual as Our own identifiers.
We do use and disclose government identifiers such as Australian Tax File Numbers, for example, for Our business activities, human resource purposes and where required or authorised by law
6. Anonymity and Pseudonymity
Under some circumstances, you have the right to choose to remain anonymous (you cannot be identified and We do not collect your PI), or you can choose to use a pseudonym (you can use a name, term or description that is different from your own) when dealing with Us.
Circumstances where We give individuals the option to remain anonymous or to use a pseudonym include, for example, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified.
Examples of circumstances where We will need to know the identity of the person that We are dealing with relate to the provision of Airport Services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction of a PI record, and where cost becomes excessive or impractical without knowing the identity of the individual We are dealing with.
7. Cross-border Disclosure of Personal Information
Avalon operates from offices in Victoria Australia. These operations include all aspects of internal operations that support the Airport services that We provide and include the provision of services that involve PI travelling over telecommunications lines (‘live’ data on switched networks) and the storage of static (archived) PI in data warehouses and on information systems.
Users of Avalon Airport services are located in Australia and elsewhere in the world, with the result that PI flows (is exported and imported) between numerous countries.
Avalon relies on various third-party service providers such as telecommunications providers, internet service providers, information security, application, ‘cloud’, email, data warehousing and other technology and communications service providers. These are based in Australia, and around the world.
Because information systems enable Our Airport services, PI may be located or disclosed in transit (live) and in a static (archived) format in countries outside Australia. Wherever reasonably possible, We meet international best practice standards and employ recognised technical and other mechanisms such as contractual clauses and other agreements to ensure the security and confidentiality of the PI that We Process under privacy, telecommunications, data laws and other laws.
Despite Our best efforts, there is no guarantee of security or privacy, and individuals are cautioned to consider how their PI moves and is stored on global information systems and to make appropriate choices.
8. How We store and secure personal information
We store personal information on computer databases and/or in hard copy and will take reasonable commercial physical and electronic security measures to protect any records that We hold which contain your personal information. We destroy personal information in a secure manner when We no longer need it.
9. Accuracy of the personal information We hold
We try to maintain your personal information as accurately as reasonably possible. We rely on the accuracy of personal information as provided to Us both directly (from you) and indirectly.
10. Links, cookies and use of Our websites and applications
We may use “cookies” and similar technology on Our websites and in other technology applications. The use of such technologies is an industry standard and helps to monitor the effectiveness of advertising and how visitors use Our websites/applications. We may use such technologies to generate statistics, measure your activity, improve the usefulness of Our websites/applications and to enhance the “customer” experience.
11. How you can access and correct personal information We hold about you
12. Data Breaches
12.1 Eligible Data Breach
Under the NDB Scheme, Avalon must notify the Australian Privacy Commissioner and affected individuals of an Eligible Data Breach in relation to PI, credit reporting information, credit eligibility information or tax file number information if, and when:
a) There is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
b) The information is lost, and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to individuals.
12.2 Actual Eligible Data Breach
If, and when, Avalon becomes aware of a breach of its network or information systems resulting in the circumstances outlined in 13a and 13b above, Avalon will:
- Take remedial action;
- Where remedial action fails to adequately limit the risk of serious harm, notify the individuals concerned, and notify the Office of the Australian Information Commissioner (Commissioner): and
- Work with the individuals concerned, the Commissioner and law enforcement or other parties to protect everyone and everything concerned.
12.3 Suspected Eligible Data Breach
If, and when, Avalon suspects a breach of its network or information systems resulting in the circumstances outlined above, Avalon will:
- Undertake an assessment of the situation with a view to establishing the facts; and do so within a reasonable time (thirty (30) business days).
- When a suspected breach is found to be an actual breach, Avalon will follow the steps above.
If any person suspects or becomes aware of a breach or an impending breach, please contact Us as on the details specified in section 16 of this policy.
13. Queries, comments and complaints about Our handling of personal information
When contacting Us please provide as much detail as possible in relation to your question, comment or complaint.
We will take any privacy complaint seriously and any complaint will be assessed with the aim of resolving any issue within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed. In this case, We will endeavour to respond within sixty (60) business days. We request that you cooperate with Us during this process and provide Us with any relevant information that We may need.
If you are not satisfied with the outcome of Our assessment of your complaint, you may wish to contact the Office of the Australian Information Commissioner.
14. General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU (citizens and residents, even when not physically located in the EU). It also addresses the export of such PI outside the EU.
Avalon acknowledges that it is possible that the PI of such individuals may be processed. If this happens, We will make special arrangements to accommodate you in the exercise of your specific rights. Please ensure that you make Us aware of your status if, and when, you become aware that your PI may be processed by Us.
15. Governing Law
16. Contact Information
If you wish to seek access to or correct or update any personal information We hold about you, or to unsubscribe from Our direct marketing you can also contact Us using the contact details listed above.