1. INTRODUCTION

1.1 In the course of our business in Australia and globally, there are circumstances where we collect personal data or information. This Privacy Policy (Policy) has been developed to ensure that such data or information is handled appropriately and outlines the personal data practices of Hill Rogers.

1.2 For the purposes of this Policy, a reference to “our”, “us” or “we” is a reference to Hill Rogers; and a reference to “you” is a reference to a prospective, past or current customer, client, employee or supplier of Hill Rogers or other person from whom we collect and handle personal data. ‘Data’ and ‘information’ have the same meaning under this Policy.

1.3 Our legal obligation when collecting and handling your personal data is governed by a range of legislation. In particular, we are committed to complying with the Privacy Act 1988 (Cth) (Privacy Act) and the General Data Protection Regulation (GDPR) in the European Union (EU) in relation to all personal data we collect which is demonstrated in this Policy. The Privacy Act incorporates the Australian Privacy Principles (APPs). The APPs and the GDPR set out the way in which personal data must be treated.

1.4 This Policy also incorporates our policy on managing credit data (see particularly section 8 onwards).

Who does the Policy apply to?

1.4 This Policy applies to any person for whom we currently hold, or may in the future collect, personal data.

What information does the Policy apply to?

1.5 This Policy applies to personal data. In broad terms, ‘personal data’ is information or opinions relating to a particular individual who can be directly or indirectly identified.

1.6 Information or data is not personal data where the data cannot be linked to an identifiable individual.

2. HOW DO WE MANAGE THE PERSONAL DATA WE COLLECT?

2.1 We manage the personal data we collect in numerous ways, such as by:

(a) implementing procedures for identifying and managing privacy risks;

(b) implementing security systems for protecting personal data from misuse, interference and loss from unauthorised access, modification or disclosure;

(c) regularly providing staff with training on privacy issues;

(d) appropriately supervising staff who regularly handle personal data;

(e) implementing procedures for receiving and responding to complaints;

(f) appointing a Privacy and Data Protection Officer (see section 10 below) within the business to monitor privacy compliance;

(g) having access to audit trails of information accessed; and

(h) allowing individuals the option of not identifying themselves, or using a pseudonym, when dealing with us in particular circumstances.

2.2 As with all personal data, we will take reasonable steps to destroy or permanently de-identify personal data if that data is no longer needed for the purposes for which we are authorised to use it.

2.3 In limited circumstances, it may be possible for you to use a pseudonym or remain anonymous when dealing with us. If you wish to use a pseudonym or remain anonymous you should notify us when making first enquiries or providing initial instructions. We will use our best endeavours to deal with your request, subject to our professional obligations and ability to perform the accounting service to you without using your name. In most cases, our professional obligations will require you to deal with us using your real name.

2.4 We are also subject to professional obligations which may affect how we deal with personal data.

3. WHAT KINDS OF DATA DO WE COLLECT AND HOLD?

Personal data

3.1 We may collect and hold personal data about you, which may include:

3.1.1 Customer Data

(a) sensitive data (see below);

(b) contact information, such as your postal address, email address, mobile and phone number;

(c) financial information, such as your billing address, credit or other bank card details including name, card number, expiry date and CVV/CVC (if making payments over the phone using St George PayWay or electronically through our website);

(d) date and place of birth;

(e) employment history and arrangements;

(f) tax returns and tax file numbers;

(g) insurance history, such as workers compensation, travel insurance, professional indemnity and public liability insurance details;

(h) family situations, such as your marital status and number of dependants;

(i) credit data;

(j) banking details, such as the branch, account name, BSB and account number;

(k) any other personal information required to perform the financial or accounting service for you.

3.1.2 Supplier Data

(a) If you are a supplier, we may collect data such as your name, contact information, banking details, signature and your title/role at the business whose services we are engaging.

3.1.3 Employment Data

(a) If you are a prospective, past or current employee, we may collect data such as your name, contact information, signature, employment and other vocational experience, academic history, tax file number and bank account details.

(b) If you are a prospective, past or current employee, we may also collect health information, including information collected during general health assessments, project-specific medical assessments, and drug and alcohol screenings.

(c) If you are a referee for a prospective employee, we may collect data such as your name, contact information and your title/role at the business or educational institution in which you work or worked.

3.1.4 Website data

(a) If you are a user of our website, we may collect customer data as above, but we may also collect data such as your browser session and geolocation data, device and network information, statistics on page views and sessions, acquisition sources, search queries, browsing behaviour, information about your access and use of the website (including through the use of cookies), your communications with our website, the type of browser you are using, the type of operating system you are using, and the domain name of your internet service provider.

(b) This data is anonymous and is not linked to the name or identity of a user.

(c) We may collect the above types of personal data directly from you or from third parties such as Google Analytics.

Sensitive data

3.2 ‘Sensitive data’ is a subset of personal data and includes personal information that may have serious ramifications for the individual concerned if used inappropriately.

3.3 The sensitive data we collect and hold about an individual may include any of the following if it is relevant in providing the accounting or financial service to the individual (such as completing tax returns):

(a) health information;

(b) religious affiliation;

(c) political opinions;

(d) membership of professional or trade associations; and

(e) membership of trade unions.

3.4 We will not collect sensitive data without the consent of the individual to whom the information relates, unless permitted under the Privacy Act or, if the data relates to citizens in the EU, the GDPR.

Cookies & Analytics

3.5 A cookie is a piece of data that is stored on a user’s hard drive containing information about the user. Cookies, by themselves, do not tell us any personally identifiable information.

3.6 We may use cookies from time to time, including website tracking services such as Google Analytics to collect and process website data by utilising analytical and tracking cookies. By using this website, you consent to the processing of data by Google in the manner described in Google’s privacy policy: https://policies.google.com/privacy

For more information on how Google uses the data when using third party websites or applications, please visit: https://policies.google.com/technologies/partner-sites

3.7 You may decide to disable cookies by selecting the appropriate settings on your browser, although this may limit the full functionality of our website. In addition to declining cookies, you can install the Google Analytics Opt-out Add-on to your browser, which prevents Google Analytics from collecting your information.

3.8 We are not responsible for third party websites which we link that use cookies.

4. HOW AND WHEN DO WE COLLECT PERSONAL DATA?

4.1 Our usual approach to collecting personal data is to collect it directly from you, when you contact us via telephone or email, or when you complete an online form that is on our website.

4.2 When you complete an online form, the data you submit will be collected by Gravity Forms. The data is then emailed to select staff at Hill Rogers, and a backup of that data is stored on our web server, which is hosted by Netvirtue. Your data will remain within their secure database unless you specifically request its removal in writing.

4.2 We may also collect personal data in other ways, which may include:

(a) through referrals from individuals or other entities;

(b) from third party providers and suppliers;

(c) from paid search providers;

(d) from government agencies (such as the ATO); and

(e) when conducting marketing and business development events.

5. HOW DO WE HOLD PERSONAL DATA?

5.1 Our usual approach to holding personal data includes:

(a) physically:

(i) at our premises (securely); and

(ii) off-site, by third party physical storage providers (securely);

(b) electronically:

(i) on secure online servers;

(ii) on a private cloud;

(iii) by a third-party data storage provider; and

(iv) on our website.

5.2 We secure the personal data we hold in numerous ways, including:

(a) using security cards to access areas that contain personal data;

(b) using secure servers to store personal data;

(c) using unique usernames, passwords and other protections on systems that can access personal data;

(d) keeping certain sensitive documents in secure storerooms; and

(e) archiving specific documents when they are no longer being used.

6. WHY DO WE COLLECT, HOLD, USE OR DISCLOSE PERSONAL DATA?

6.1 We take reasonable steps to use and disclose personal data only for the primary purpose for which we collect it. The primary purpose for which data is collected varies, depending on the particular service being provided, but is generally to provide accounting or financial services to you or your business.

6.2 In the case of potential employees or graduates, the primary purpose the data is collected is to assess the individual’s suitability for employment or to contact you regarding your graduate application form.

6.3 Personal data may also be used or disclosed by us for secondary purposes which are within your reasonable expectations and which are related to the primary purpose of collection.

6.4 For example, we may collect and use your personal data:

(a) to provide you with updates that are relevant to you or your business;

(b) to invite you to events;

(c) to communicate with you as a prospective, past or current client, supplier, employee or referee of a prospective employee;

(d) for internal business administrative purposes;

(e) for analytical, market research or business development purposes;

(f) for marketing and advertising purposes, including to send you promotional information but only when you have opted to receive such information.

6.5 We may disclose personal data:

(a) to other service providers or referral partners in order to provide the accounting or financial service to you, or to assist our functions or activities (such as debt collection agencies or law firms);

(b) to other third parties with your consent;

(c) to our external auditors;

(d) to government agencies (such as the ATO);

(e) to our third-party technology providers (such as our data storage providers); and

(f) to comply with our legal obligations and resolve any disputes we may have.

6.6 Otherwise, we will only disclose personal data to third parties if permitted by the Privacy Act or the GDPR if the data relates to EU citizens.

7. WILL WE DISCLOSE PERSONAL DATA OUTSIDE AUSTRALIA?

7.1 We do disclose some limited personal data to former employees located in Asia and the United Kingdom who we engage for limited functions from time to time. We also provide access to some limited data to an outsourcing company in India for data processing of corporate secretarial work who have limited access to our systems for that purpose.

Otherwise, we do not usually disclose personal data to overseas recipients.

7.2 We take reasonable steps to ensure that the overseas providers are accessing the information in a secure manner, and in a way that is compliant with the APPs and the GDPR.

8. HOW DO WE MANAGE YOUR CREDIT DATA?

What kinds of credit data may we collect?

8.1 In the course of providing accounting or financial services to you, we may collect and hold the following kinds of credit data:

(a) your identification data;

(b) data about any credit that has been provided to you;

(c) your repayment history;

(d) data about your overdue payments;

(e) if terms and conditions of your credit arrangements are varied;

(f) if any court proceedings are initiated against you in relation to your credit activities;

(g) data about any bankruptcy or debt agreements involving you;

(h) any publicly available data about your credit worthiness; and

(i) any data about you where you may have fraudulently or otherwise committed a serious credit infringement.

8.2 In some circumstances, we may collect credit data and personal data from credit reporting agencies (e.g. Veda). The kinds of data we collect may include any of those kinds of data mentioned above in sections 3.1 and 8.1.

8.3 We may also collect personal data from other credit providers (e.g. banks) that collect data, which may affect your credit worthiness, from credit reporting agencies. The kinds of personal data we collect may include any of those kinds of data mentioned above in section 3.1.

How and when do we collect credit data?

8.4 In most cases, we will only collect credit data about you if you disclose it to us and it is relevant in providing you with the accounting or financial service.

8.5 In limited circumstances, we may collect credit data from credit reporting bodies.

8.6 Other sources we may collect the credit data from include:

(a) banks and other credit providers;

(b) other individuals and entities via referrals; and

(c) your suppliers and creditors.

How do we store and hold the credit data?

8.7 We store and hold credit data in the same manner as outlined in section 3 of this Policy.

Why do we collect the credit data?

8.8 Our usual purpose for collecting, holding, using and disclosing credit data about you is to enable us to provide you with the accounting or financial service.

8.9 We may also collect the credit data:

(a) to process payments;

(b) to assess eligibility for credit; and

(c) for other purposes incidental to our services as professional accountants.

Overseas disclosure of the credit data

8.10 We may disclose some limited credit data to a former employee located in the UK, if it is necessary for them to have the data to provide the service to us.

8.11 Otherwise, we will not disclose your credit data to entities without an Australian link unless you expressly request us to.

9. YOUR RIGHTS

Choice and Consent

9.1 You have the right to refrain from providing personal data to us; however, if you do so, it may:

(a) affect our ability to provide products and services as professional accountants to you;

(b) affect your ability to use our website, products or services and to communicate with us.

9.2 In providing your personal data to us, you consent to us collecting, holding, using and disclosing your personal data in accordance with this Policy.

9.3 If you are under 18 years of age, you must have, and you warrant to us (to the extent permitted by law) that you have, your parent or legal guardian’s permission to access and use our website, and that your parent or guardian has consented to you providing us with your personal data.

9.4 If you are a third party providing personal data about somebody else, you represent and warrant that you have such person’s consent to provide the personal data to us.

Access

9.5 You have the right to obtain confirmation from us that we collect, hold and use your personal data and to request a copy of your personal data that we hold.

9.6 In keeping with our commitment to protect the privacy of personal data, we may not disclose personal data to you without proof of identity.

9.7 We may deny access to personal data if:

(a) the request is unreasonable;

(b) providing access would have an unreasonable impact on the privacy of another person;

(c) providing access would pose a serious and imminent threat to the life or health of any person;

(d) providing access would compromise our professional obligations; or

(e) there are other legal grounds to deny the request.

Rectification

9.8 You have the right to have inaccurate personal data rectified and incomplete personal data completed, where relevant. If the personal data that we hold is not accurate, complete and up-to-date, we will take reasonable steps to correct it so that it is accurate, complete and up-to-date, where it is appropriate to do so.

Erasure

9.9 You have the right to have the personal data we hold about you erased in the following circumstances:

(a) The personal data is no longer necessary for the purpose for which it was originally collected;

(b) You have withdrawn your consent (where consent was the sole basis for us holding the data);

(c) You object to the use of your personal data for the purpose of direct marketing;

(d) We have collected, held or used your personal data unlawfully; or

(e) We are legally compelled to erase the data.

Restriction of Processing

9.10 You have the right to limit and restrict the way we use your personal data, in circumstances where:

(a) you would like to verify the accuracy of the personal data;

(b) we have collected, held or used your data unlawfully, and you request restriction of the data as opposed to erasure;

(c) we no longer need your personal data but you have requested that we continue to hold it so you may establish, exercise or defend a legal claim or dispute; or

(d) you dispute our right to use your personal data.

Data Portability

9.11 You have the right to receive personal data that we hold about you in a structured, commonly used and machine-readable format, and to request that we transmit the data directly to another party, in circumstances where we carry out the processing of your personal data by automated means (that is, excluding paper files).

Objection

9.12 You have the right to object to our use of your personal data.

Complaints

9.13 If you believe we are in breach of Australian or EU privacy laws and wish to make a complaint, please contact the Privacy & Data Protection Officer by using the contact details below and provide us with full particulars of the alleged breach in writing.

9.14 We will promptly investigate your complaint and respond to you in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint.

9.15 In the event that your complaint is not resolved to your satisfaction, you have the right to contact the Office of the Australian Information Commissioner or if you are a citizen of the EU, the UK’s Information Commissioner’s Office if you wish to make a complaint.

10. HOW TO CONTACT US

10.1 You may exercise any of the rights set out in section 9 of this Policy or comment on this Policy by contacting the Privacy and Data Protection Officer in writing using the following details:

Contact: Anita Cohen (Privacy & Data Protection Officer)

Postal Address: GPO Box 7066, Sydney NSW 2001

Telephone number: (02) 9232 5111

Email address: info@hillrogers.com.au

11. CHANGES TO THE POLICY

11.1 We may update, modify or remove this Policy at any time without prior notice. Any changes to this Policy will be published on our website.

11.2 This Policy was last updated in August 2018. If you have any comments on the Policy, please contact the Privacy and Data Protection Officer using the contact details in section 10 of this Policy.