As at February 2017
About Ai Group
Ai Group is a not for profit organisation of employers incorporated under the provisions of the Fair Work (Registered Organisations) Act 2009. We provide primarily information services to our broad business membership across Australia. With membership of Ai Group comes the opportunity to access both membership entitlements and other services provided by us (sometimes through government funded programs) and our related parties, as well as any partners or affiliates contractually bound to provide services to our membership. Essentially, our primary purpose is to provide relevant, up-to-date and accurate advisory services by exchanging information on industry, workplace and employment related matters affecting you or your business.
Our Related Parties
- Australian Industry Group Training Services Pty Ltd is a wholly owned subsidiary, operating solely as a trustee of a discretionary trust (the Australian Industry Group Training Services Trust) that provides apprenticeship and traineeship services (the GTC services – see www.aigroupapprentices.com.au), accredited VET training (the RTO services – see www.grouptrainingdirectory.com.au) and related policy and commercial services.
- Ai Group Legal Pty Ltd is another wholly owned subsidiary operating as the trustee of a unit trust which provides expert workplace relations and employment law legal services – see www.aigroupworkplacelawyers.com.au.
- Confectionery BTW Pty Ltd is a wholly owned trustee for a special purpose unit trust for the confectionery industry (while the company is a subsidiary, the trust is privately held); go to www.betreatwise.info.
Summary of Policy Principles
This summary sets out the basic tenets of our protection principles which we employ across our businesses.
APP 1 – Open and transparent management of PI
APP 2 – Anonymity and pseudonymity
If you want to communicate with us on a particular matter you may ask to remain anonymous or use a pseudonym, except where we are collecting your personal information, like your real name, because we:
- need to verify membership with Ai Group and your authority to act on behalf of a member;
- need it to properly provide whatever service or advice you are seeking from us and it is impracticable for us to do that using a pseudonym or anonymity;
- need it to verify or assist you with passwords or other security matters or other technical services like internet access; or
- are required or authorised by law or a court or tribunal to identify you.
For our membership, we are contractually committed to protect your business confidentiality and we implement a number of governance measures to help protect the privacy of the individuals representing the member when dealing with us. For that reason we need to know that the information or advice we provide is going to the right person within the member entity. Accordingly, it will be only in isolated cases (e.g. when we are doing industry wide surveys) that your personal information can be obscured by anonymity or pseudonymity.
APP 3 – Collecting solicited PI
Ai Group provides and offers services that may include those arising from a government funded program. In that case we may be bound contractually to the government agency presenting that program that only permits us to collect personal information that is reasonably necessary or directly related to that agency’s functions or activities. In all other cases, we only collect the personal information that we need to do what you want us to do (subject to any lawful requirements that compel us to collect more).
For our membership and the individuals representing our members, we collect the personal information that is reasonably necessary for us to efficiently, professionally and relevantly provide you with our membership services and to give you the ease of access and opportunities to use the other suite of services we may have available from time to time.
We try and collect your personal information directly from you rather than through others but this is sometimes impracticable or unreasonable. If we have collected your personal data from another source then we will tell you where we got it from and why.
Many of our members and clients are incorporated entities. For them, we have solicited personal information about relevant employees who represent them in their dealings with us. The member itself has arranged for the individuals concerned to consent to us collecting that data for the purpose of providing the member with the relevant services. The member (through their authorised representative or officer) can change those individual details at any time. Alternatively, the individuals may extend the general membership consent to include some specific service areas outside the broad membership scope. In that case notifying us of the changes you require or opting in or out of certain special interest service areas can be effected by the unsubscribe button or contacting us at firstname.lastname@example.org.
APP 4 – Unsolicited PI
Sometimes we receive personal information that we have not asked for directly from the individual concerned (unsolicited). When that happens we will determine whether that information could have been collected directly by us. If we could not have collected it directly, and the information is not part of a Commonwealth record (e.g. a document or record held by a government agency), then we are required to destroy it or de-identify it as soon as practicable (provided that would be lawful and reasonable to do in the circumstances).
APP 5 – Collection notices
However, if we determine that it was reasonable to have collected it directly then we will give you a notice or take steps to make you aware that we have so received it (sometimes called ‘collection notice’) and in particular:
- Who we are and how you can contact us
- If it is likely that you are not aware we have your personal information, the circumstances by which we came to collect it, and what that personal information is comprised of
- If the collection was a requirement or authorised by law, then we will identify the law and the circumstances which gave rise to us collecting it
- The purposes for which we collected and use it
- The consequences (if any) for you if we do not collect it
- Who we usually would disclose that information to and why
- How you can access it for verification, alteration or removal and how and to whom you can complain if you are unhappy with the way we have handled your personal information.
For our membership, this is available in the T&Cs of our membership agreement, on-line in the Members only pages, and from your local Membership Account Executive. For other clients including individuals, you may obtain detailed information from the Ai Group contact with whom you are dealing or from any Branch office of Ai Group on request.
In addition, we have to tell you if it is likely that this information will be disclosed to an overseas recipient, and if so which countries may be involved if that is practicable or at least make you aware of the fact. More about overseas recipients later in this summary.
APP 6 – Hold, Use, Disclose, and Purpose
If we hold your personal information for a particular purpose this is the primary purpose and we cannot use it for any other reason (a secondary purpose) unless:
- you have consented to that use or disclosure; or
- you would have reasonably expected it to be used for that secondary purpose.
We will always try and get your consent wherever practicable. We also try not to deal in sensitive information like health or criminal records or matters of that kind unless it’s necessary for the service we provide or we are compelled to do so for legal reasons. If we do have to collect your sensitive information then your written informed consent will be obtained before it’s disclosed.
If we collect personal information from one of our related parties or they collect it from us, then the primary purpose of the collector is considered to be the primary purpose for the related party. In this respect, as outlined in this summary and more fully in the Policy, our related parties may provide specific expert services in connection with or directly related to our membership services or they may provide those services directly to one of our clients or customers because it’s a necessary part of the relationship we have with the client, members or others.
However, we cannot share your personal information with our related parties if the purpose involves direct marketing unless you have requested or consented to it.
APP 7 – Direct Marketing
It is important that you be aware that the Act and particularly the APPs prohibit the use or disclosure of personal information for the purpose of direct marketing unless:
- We have collected the data directly from you and you would reasonably expect us to use or disclose it for that purpose. In that case we will always provide you with an easy way of requesting us not to bother you again with any marketing material. This is in the form of a telephone call, an email, or sometimes an electronic opt out/unsubscribe facility, provided we can verify the caller. We will immediately take steps to remove you from our marketing communications.
- We collected it from you (but you would never reasonably expect to receive marketing material from us or for your data to be disclosed for that purpose) or we collected it from someone else, and in either case you have consented to the use or disclosure or it’s impracticable to get your consent. (In either of these instances we will offer you the same easy means of removing yourself from that marketing list and we will include a prominent statement in every such communication that you can request to be so removed.)
- In the case where we are a contracted service provider to a government agency under a Commonwealth contract and we have collected the personal information for the purpose of meeting our obligations under that contract and the use of your personal information is in fact necessary to so meet that obligation.
In all cases where we use or disclose personal information (whether for membership or otherwise) for the purposes of our own direct marketing or to facilitate another organisation’s direct marketing, you can always request that you be removed from the marketing list and/or ask us not to disclose your data to the other organisation(s) for that purpose and also require us to tell you where we got the information from. There is no charge for you to action this right.
(Note that the Spam Act and the Do Not Call Register Act both continue to apply regardless of the APPs.)
APP 8 – Cross border disclosures
We endeavour to bring cost effective and timely service to our membership and clients and this necessarily involves us in reviewing our providers and the providers’ service deliverables regularly. So, while most of our data is presently residing in datacentres in Australia, there may be times when your data, due to the nature of the transaction you seek with us, is available to overseas recipients for software solutions, help desk support or simply for storage purposes through contracted service providers or facilities we use that include cloud options.
We will take all reasonable steps to find out if any of our telecommunications providers or their contractors and other service providers use cloud or any service that may involve our data (which could include your personal information) being disclosed to overseas recipients, where they are located and why they may get access if the data is more than simply routed through an offshore provider. These are required by APP 8.1. But the reality and practicalities of modern technologies mean that in most cases this is going to be impracticable as the breadth of service and the subcontracting within specialist fields of service puts Ai Group far from the actual datacentre provider.
So it is imperative that you be aware that by using our telecommunication facilities and specifically internet access, you will be consenting to the possibility of the data we collect for the service transaction or relationship being disclosed overseas and to unknown destinations and in that case you will have consented to APP 8.1 not applying. This covers those cases where we are simply undertaking normal business activity.
Obviously if we learn of a risky destination and our providers advise us of either changes they will adopt or they want us to adopt to ensure that we maintain our high standards of security, or that our data may have been put at risk, then we will take all reasonable actions to prevent the continuing possible infringement of our confidentiality and your privacy. Nevertheless, we cannot guarantee or assure you that there is no risk or that we will be able to take any remedial action.
On the other hand, if the very service or transaction you are requiring from us involves you necessarily providing us with your personal data that needs to be sent overseas (e.g. in a trade or international service), then we will be acting as your agent in the transfer and you will need to be comfortable with the destination of, and the people who will have access to, that information. Where we can help we will certainly direct you to government sites that may provide some assistance in this respect so that you may make an informed decision about your disclosure overseas but in any case, APP 8.1 will expressly not apply to Ai Group. Your consent will be part of the request for us to take the action on your behalf. If you are concerned about the potential for that personal information to be misused overseas and withdraw your consent, then we will be unable to complete the service or activity on your behalf.
APP 9 – Government identifiers
Ai Group does not use government identifiers (e.g. Medicare numbers, Tax File Numbers, etc) for the purpose of identification of individuals in our membership or client base.
APP 10 – Quality of PI held
APP 11 – Security
APP 12 – Access
APP 13 – Correction
We use strict protocols to guard the integrity and quality of and access to the personal information we collect or hold. We review our service providers’ contracts to ensure as far as practicable that they have implemented the security measures appropriate to reasonably protect us and you from misuse, interference and loss and particularly from unauthorised access, amendment or disclosure. In particular, credit card and financial information is held under strict security until able to be deleted or destroyed: unless you tell us to do so, we do not retain such information for future transactions.
We have implemented procedures that facilitate the destruction or de-identification of personal information when it is no longer necessary for the purposes for which it was collected (unless it is needed for legal reasons).
There is no charge for this service and we promise to action your request as promptly as possible (subject only to the usual qualifications like legal compulsion or compliance obligations).
PART IIIC – Notifiable breaches
This new Part IIIC of the Act deals with notifiable breaches of the Act. Ai Group has already instigated some internal controls and processes to address the identification and notification rules that will apply to us as an entity subject to the Act. While specific guidelines have yet to issue in respect of compliance with this Part IIIC, the intention is for Ai Group to ensure that in both cases where it controls the PI and where the control is vested in a third party (e.g. servers or data storage are based overseas) eligible data breaches are promptly managed in accordance with the following general requirements of the Act:
- ‘eligible data breaches’ will be notified to the Information Commissioner and to relevant individuals in connection with the PI affected.
- notification is mandatory where serious harm to any of the individuals is likely. The threshold tests which trigger the notice obligations are based on an objective test of what a reasonable person would conclude.
- An ‘eligible data breach’ occurs when, in respect of personal information, credit reporting information, credit eligibility information or tax file number information, the following conditions are satisfied:
  - there is unauthorised access to, or unauthorised disclosure of, the information, or where the information is lost, unauthorised access to, or unauthorised disclosure of, the information, is likely to occur; and
  - a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to which the information relates (in the case of lost information assuming that unauthorised access or unauthorised disclosure were to occur).
- There are some important exceptions to notification:
  - where remediation is taken that has reduced the risk of serious harm.
  - where legal enforcement obligations or secrecy provisions apply.
- If a notifiable breach occurs which is not subject to an exception or exemption, then we must issue the notification of breach to the individuals affected. Where the actual identity of a single individual is not the issue (i.e. where a group of individuals or a class of persons in a data holding centre may have been subject to a breach) then the statement will be published on our website and in any other format required by the OAIC without identifying the individuals themselves.
Finally, if you have a complaint or a concern or an enquiry, then contact us first:
The Australian Industry Group
51 Walker Street North Sydney NSW Australia 2060
The Privacy Officer
PO Box 7622, Melbourne Victoria Australia 3004
Telephone: (+61) 1300 556677
go to the contacts list on our website: www.aigroup.com.au.
If we cannot help or resolve your issue, then we can offer a number of dispute resolution processes or you can apply directly to the OAIC for assistance or action. OAIC is the Office of the Australian Information Commissioner – refer to www.oaic.gov.au.