Privacy Policy

About this policy

This Privacy policy applies to all employees, consultants, contractors, and volunteers of RAC Limited.

Purpose

The purpose of this privacy policy is to:

  • clearly communicate the personal information handling practices of Rumbalara Aboriginal Co-operative (RAC) Limited.
  • enhance the transparency of our operations.
  • give individuals a better and more complete understanding of the sort of personal information that we hold, and the way we handle that information.

Outline of this policy

Part A – Personal Information Handling Practices explains our general information handling practices across the organisation including information about how we collect, use, disclose and store your personal information.  This is a summary-level description.

Part B – Types of Personal Information handled by RAC Limited offers further detail by explaining our personal information handling practices in relation to specific RAC Limited functions or activities such as complaint handling. Here you can find out what sort of records we keep and why. You may find this section helpful if, for example, you have made a request to know how your personal information will be used and managed.

Part C – Online explains our personal information handling practices when you visit our website.

Part A – Our Personal Information Handling Practices

Our obligations under the Privacy Act

This privacy policy sets out how we comply with our obligations under the Privacy Act 1988 (Cth) (Privacy Act). As an Australian Government agency, we are bound by the Australian Privacy Principles (APPs) in the Privacy Act which regulate how organisations and government agencies may collect, use, disclose and store personal information, and how individuals may access and correct personal information held about them.

In this privacy policy, ‘personal information’ has the same meaning as defined by section 6 of the Privacy Act:

Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

The Privacy Act also defines ‘sensitive information’, which includes (in summary):

information or an opinion about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; or criminal record; health information about an individual; or other genetic or biometric information.

Collection of personal information

We may collect personal information about you such as your name, contact details, gender, date of birth, etc. We may also collect sensitive information about you including whether you are identify as Aboriginal or Torres Strait Islander origin or health information. It is your choice whether to provide information to RAC.

It is our usual practice to collect personal information directly from the individual or their authorised representative.

Sometimes we collect personal information from a third party or a publicly available source, but only if the individual has consented to such collection or would reasonably expect us to collect their personal information in this way, or if it is necessary for a specific purpose such as the investigation of a privacy complaint.

In limited circumstances we may receive personal information about third parties from individuals who contact us and supply us with the personal information of others in the documents they provide to us.

We only collect personal information for purposes which are directly related to our functions or activities under the Privacy Act. We also collect personal information related to employment services, human resource management, and other corporate service functions. These purposes are listed below, with links to where you can find more detail in Part B.

Public enquiries, awareness and events

  • When an individual contacts us asking for information or advice about our functions and activities.
  • When people ask to be on an email or mailing list so that we can send them information about its activities or publications.
  • When we record who we have had contact with in relation to media or other public relations events.
  • When an individual consents to their image or quote being used in communications materials.
  • When we conduct conferences, seminars or other events.

RAC membership

  • When an individual submits an application for membership of RAC.
  • To maintain and update details needed to administer their membership over time.

Administrative activities

  • When we process freedom of information applications.
  • When we manage the personnel and corporate service functions of RAC.

For more detailed information about these purposes and the information handling practices that apply to them, see Part B.

We also collect personal information (including contact details) as part of our normal communication processes directly related to those purposes, including:

  • When an individual emails staff members.
  • When an individual telephones us.
  • When an individual hands us their business card.

Use and disclosure

We only use personal information for the purposes for which it was given to us, or for purposes which are directly related to one of our functions or activities, and we do not give it to other government agencies, organisations or anyone else unless one of the following applies:

  • The individual has consented.
  • The individual would reasonably expect, or has been told, that information of that kind is usually passed to those individuals, bodies or agencies.
  • It is otherwise required or authorised by law.
  • It will prevent or lessen a serious and imminent threat to somebody’s life or health.
  • It is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.

Data quality

We take steps to ensure that the personal information we collect is accurate, up to date and complete. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times as necessary.

Data security

We take steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification or disclosure. These steps include password protection for accessing our electronic IT system and other IT security measures such as firewalls, secure servers and encryption of credit card transactions, securing paper files containing sensitive personal information in locked cabinets and physical access restrictions (eg. building security)

When no longer required, personal information is destroyed or deleted in a secure manner.

Access and correction

If an individual requests access to the personal information we hold about them, or requests that we change that personal information, we will allow access or make the changes unless we consider that there is a sound reason under the Privacy Act,  or other relevant law to withhold the information, or not make the changes.

Individuals can obtain further information about how to request access or changes to the information we hold about them by contacting us (see details below).

How to contact us

Contact us

P: +61 03 5820 0000

Assisted Contact

If you are deaf, or have a hearing or speech impairment, contact us through the National Relay Service:

  • TTY users phone 133 677 then ask for 03 5820 0000
  • Speak and Listen users phone 1300 555 727 then ask for 03 5820 0000
  • Internet relay users connect to the NRS then ask for 03 5820 0000

If you do not speak English, or English is your second language, and you need assistance to communicate with us, call the Translating and Interpreting Service on 131 450 then ask for 03 5820 0000.

Note: Apart from the local call cost these are free services for you.

Postal address

PO BOX 614
Mooroopna VIC 3629
Australia

P: 03 5820 0000
E: privacy@raclimited.com.au

If you are not satisfied

If you are not satisfied with RAC Limited’s handling of a complaint or enquiry about your personal information or privacy, you can make a complaint to the Office of the Privacy Commissioner.

Part B – Types of personal information handled by RAC

 

Enquiries, public awareness, communication materials and events

 

Purpose

We may collect personal information to respond to specific enquiries (which may be received by phone, e-mail, writing or in person) about RAC’s functions and activities on a case-by-case basis.

We maintain contacts lists which include contact information about individuals who may have an interest in RAC’s activities. We use these contacts lists to distribute information about our activities and publications.

When we host events, including meetings, seminars, and conferences, we may collect personal information about potential attendees and participants to issue invitations and to manage and support individuals’ attendance or participation.

When individuals or groups consent to allowing RAC to use their image or quotes in communications material, we maintain copies of signed release / consent forms as evidence of consent for the purposes identified. We also maintain this record in case we need to contact the individuals or groups again in relation to new or varied uses of their image / quote.

Collection

It is our usual practice to collect personal information in contacts lists directly from individuals, for example, where they have asked to be added to a contact list.

When organising events and conferences, we may use a third party to assist with organisation and communication.  In those cases, we may provide personal information in contacts lists to that party for the exclusive purpose of organising that event on our behalf, and that party may collect personal information to compile contacts lists for that purpose.

We may also collect personal information when recording contact we have had with the media or public relations representatives in relation to RAC’s events and activities.

Personal information for image/quote use consent is collected directly from individuals through paper-based forms or emails.

Sometimes we collect personal information from a third party or from a publicly available source such as a website or telephone directory. We usually only collect personal information in this way if the individual would reasonably expect us to, or has given their consent. For instance, we might collect this information if we thought that the individual (or the organisation they work for) would like to receive information about events or research we are carrying out, or that they might be likely to consider this information useful in the work they do.

Use and disclosure

Where we collect personal information to respond to enquiries, we will only use the information for that purpose, unless the individual indicates they would like to be included on a contact list or receive further information in the future.

We only use personal information in contacts lists for the purpose of managing public and stakeholder relations or events.

We do not give personal information about an individual to other agencies, organisations or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

RAC uses a number of online channels, including social media platforms, to communicate with individuals and organisations with an interest in our services and other activities and events. The use of these services is governed by the online channel’s Terms and Conditions and Privacy Policies. Users may be required to supply some personal information such as name and email address to use these channels to communicate with the RAC. Using these services to communicate with us may make some personal information visible to the RAC and third parties.

Data quality

We maintain and update personal information in our contacts lists when we are advised by individuals that their personal information has changed. We also regularly audit contacts lists to check the currency of the contact information. We will remove contact information of individuals who advise us that they no longer wish to be contacted. In accordance with the Spam Act 2003, all electronic messages contain an unsubscribe option and we will remove contact information of individuals who advise us that they no longer wish to be contacted.

Data security

The personal information in the contacts lists is stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in contacts lists is destroyed or deleted in a secure manner.

Routine access to contacts lists is limited to the staff who have responsibility for maintaining the contacts lists. Other staff members have access to the personal information in contacts lists on a need to know basis.

Access and correction

For information about how to access or correct personal information please contact us.

RAC membership

The RAC Constitution provides for membership of the Organisation. Find out more about RAC membership

Purpose

We collect personal information to enable us to:

  • Correspond with applicants for membership of RAC
  • Assess applications for membership against the criteria set out in the RAC Constitution
  • Administer the membership including distributing information, organising events involving members and arranging renewal as required.

The personal information held may include contact information, application form, and other information provided in support of applications, and other information about proof of Aboriginality.

Collection

We collect personal information directly from applicants/members or their authorised representatives.

Use and disclosure

We only use the personal information we collect to carry out activities to assess applications for membership, administer the membership and provide information and support to members.

The personal information provided in membership applications will be disclosed to the members of the RAC Board, and the staff that support it.  This enables the Board to assess and make decisions about the membership applications.  We also use the personal information we hold to contact applicants.

We use the personal information we hold about members to provide them with information about RAC’s activities and events and other matters of interest.

Data quality

We maintain and update the personal information we hold as necessary or when we are advised by individuals that their personal information has changed.

Data security

The personal information collected is held in an electronic database. Some personal information is also held in paper files.

The following staff members have access to the electronic databases and paper files on a need to know basis:

  • Executive Unit staff, including the Chief Executive
  • IT staff
  • Records management staff.

When no longer required, personal information in paper files is destroyed, in a secure manner.

Personal information stored in our electronic databases, when no longer required, is deleted in a secure manner. The databases maintain audit trails whenever personal information is accessed, included, amended or deleted on the database.

Access and correction

For information about how to access or correct personal information held in membership files contact the xx at members@raclimited.com.au or phone 03 5820 0000.

Administration

Administration includes personnel and other corporate services such as security, and applications under the Freedom of Information Act.

Purpose

Personnel Records

The purpose of personnel records is to maintain current employee information for business and employment related purposes, or where authorised or required by law. The personal information in these files relates to the employee and may include:

  • Application(s) for employment including the employee’s résumé(s), statement(s) addressing the criteria and referee reports
  • Written tasks undertaken by the employee during the selection process
  • Notes from the selection committee during the selection process
  • The employee’s employment contract, and other records relating to their terms and conditions of employment
  • Details of financial and other personal interests supplied by some employees and their immediate family members for the purpose of managing perceived or potential conflicts of interest
  • Proof of Australian citizenship
  • Proof of Aboriginality
  • Certified copies of academic qualifications
  • Records relating to the employee’s salary, benefits and leave
  • Medical certificates or health related information supplied by an employee or their medical practitioner
  • Contact details
  • Taxation details
  • Superannuation contributions
  • Information relating to the employee’s training and development
  • Copy of drivers’ license of staff who drive RAC vehicles.

The purpose of keeping records on candidates for employment (“applicant files”) is to allow us to assess the suitability of candidates for employment at RAC. Information that RAC holds may include:

  • Application(s) for employment including the employee’s cover letter(s), résumé(s), statement(s) addressing the criteria and referee reports
  • Written tasks undertaken by the employee during the selection process
  • Notes from the selection panel during the selection process
  • Contact details.

RAC may also keep applicant files for future vacancies (eligibility lists) for up to 12 months.

Security

Personal information is collected to protect the security of RAC personnel and assets at its operating premises.  This includes photographs of present and past staff, information from the register of visitors to RAC’s’ operating premises and images of visitors to the premises.

Collection

Personnel records

RAC generally collects personal information directly from employees and applicants but may also collect personal information from intermediaries such as recruitment agents and personnel providers.

RAC may also collect personal information about employees and applicants from third parties when it is relevant to the selection process.

Security

RAC collects personal information about visitors from the individual. Images are collected from closed circuit cameras located around the exterior and publicly accessible areas of the interior of the building, such as the reception desk.

Use and disclosure

Personnel records

Personal information in personnel files is only used for the purpose of maintaining current employee data and information for business and employment related purposes.

We only use personal information in applicant files for the purpose of assessing and processing applications for employment.

We do not give personal information held in these files to other agencies, organisations or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

The circumstances in which personal information may be disclosed to another agency, with the knowledge of the individual concerned wherever possible, would include during the transfer of a staff member from or to another agency and to the provider of our payroll service.

Security

Employee photographs are retained in a database, during and after the individual’s employment with RAC.  They are used on staff security passes for the duration of the individuals’ employment.

Information from the visitors’ register and security cameras are used only in the event of a security incident or an emergency.  In those circumstances, they may be disclosed to police or emergency services.  The visitors register is kept as a paper record and then destroyed after one year. Closed circuit camera footage is retained for a period of some months and then, if not required due to a security incident, written over.

Freedom of Information

We only use the personal information in FOI files for the purpose of assessing and processing the FOI application.

We do not give personal information held in FOI files to other agencies, organisations or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

Data quality

RAC maintains and updates personal information in our personnel, applicant and Freedom of Information files as necessary, or when we are advised by individuals that their personal information has changed.

Data security

Personnel files

RAC will take all reasonable steps to ensure that all personnel or application files in its possession or control are protected against loss, unauthorised access, misuse, disclosure or modification and that only authorised employees have access to such material.

Personnel files are stored in locked cabinets in paper form. Previous employee files are scanned, archived in boxes and stored in secure location. Scanned files are held on a restricted drive only accessible by human resources staff.  Personal information relating to payroll is stored in a secure location.

Applicant files are filed and stored on password protected electronic media which are stored on a USB and locked in cabinets. These applicant files are stored for 7 years and then destroyed in a secure manner or deleted. Any duplicate copies of applications used as part of the selection process are disposed of securely at the end of the process.

The following staff members have access to personnel and applicant files on a need to know basis:

  • CEO and COO
  • Board Members
  • Staff sitting on the selection committee
  • Human Resources manager
  • Human Resources staff

Security

Footage from security cameras is accessible only by

  • CEO and COO
  • Executive Manager, People & Culture
  • Facilities and security staff

Freedom of Information

FOI files are stored in the Executive unit or the Corporate Services Registry. When no longer required, personal information in FOI files is destroyed in a secure manner or destroyed in accordance with the AIATSIS’ Information and Records Management Policy.

The following staff members have access to FOI files on a need to know basis:

  • CEO and COO
  • Executive Manager, People & Culture
  • Other staff involved in responding to an FOI application
  • Records management and IT staff

Access and correction

For information about how to access or correct personal information in administrative files, please contact us.

Part C – Information collected online by RAC

Collection

It is our usual practice to collect information about all visitors to our online resources. That information is very limited and only used to identify generic behavioural patterns.

Sometimes we use third party platforms to deliver information. These are sites hosted and managed by organisations other than ourselves. Before deciding if you want to contribute to any third party site you should read their privacy policy.

There are several methods and packages that we use to collect visitor behaviours on each of our online platforms. We use Google Analytics on our websites. Information and data collected through Google Analytics is stored by Google on servers in the United States of America, Belgium and Finland. You can opt out of the collection of information via Google Analytics by downloading the Google analytics opt-out browser add on.

When you visit any of our online resources, our metric tools may collect the following information about your visit for statistical purposes:

  • server address
  • top level domain name (for example .com, .gov, .au, .org etc.)
  • date and time of your visit to the site
  • pages you accessed and documents downloaded during your visit
  • previous site you visited
  • if you’ve visited our site before
  • type of browser used.

We record this data to maintain our server and improve our services. We do not use this information to personally identify anyone.

Cookies

Most of our online platforms use sessions and cookies. A cookie is a short piece of data which is sent from a web server to a web browser on the user’s machine when the browser visits the server’s website and is stored on the user’s machine. The core functionality on these platforms will be largely unaffected if you disable cookies in your browser but you may be unable to access some advanced functions.

Our cookies do not collect personal information. If you do not wish to receive cookies, you can set your browser so that your computer does not accept them.

We use Microsoft Forms (a third party software supplier) to administer online surveys. Microsoft Forms use third party cookies. The information collected by these cookies is not capable of identifying you and is only used to ensure our surveys run smoothly. We will only use the information collected from the surveys for statistical and maintenance purposes, unless you have given permission to use your responses in another manner.

Use and disclosure

We do not give personal information collected online to other agencies, organisations, or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

Data quality

We will delete or correct any personal information that we hold about you on request.

If you are on one of our automated email lists, you may opt out of further contact from us by clicking the ‘unsubscribe’ link at the bottom of the email or contacting us directly.

Data security

There are inherent risks in transmitting information across the internet and we do not have the ability to control the security of information collected and stored on third party platforms.

We will take all reasonable steps to protect the personal information in order to prevent misuse, loss, or unauthorised access, including by means of firewalls, password access, secure servers and encryption of credit card transactions.

Access and correction

For information about how to access or correct personal information collected on our website, please contact us.

Further reading