CARAVAN TRADE & INDUSTRIES ASSOCIATION OF VICTORIA

PRIVACY POLICY

Purpose of policy

The Caravan Trade & Industries Association of Victoria (ABN 67 413 472 774) (Association) is committed to responsible privacy practices and compliance with the Privacy Act 1988 (Cth) (Privacy Act).

This policy states how the Association will manage personal information so as to comply with the Australian Privacy Principles (APPs) set out by the Privacy Act. The APPs regulate the way the Association can collect, use, store and disclose personal information.

Where applicable, the Association will handle personal information relying on the employee records exemption in the Privacy Act and any other applicable exemptions in the Privacy Act or other legislation.

Responsibility and authority

Managers and Staff

All managers and staff of the Association, including contractors, must ensure compliance with this policy.

Privacy Officer

The Association's Privacy Officer oversees the Association's privacy compliance program and manages privacy matters as they arise, for example:

• privacy complaints;
• requests by individuals to access or correct information the Association holds about them; and
• data breach incidents.

What is personal information?

"Personal information" has the meaning set out in the Privacy Act. Essentially, personal information is information or an opinion about an individual who is identified or reasonably identifiable.

Some types of personal information are designated as "sensitive information", which are subject to additional protection under the Privacy Act. For example, these can include information about your health, trade union membership, or trade association membership.

What types of personal information do we collect?

The types of personal information the Association collects depend on the circumstances in which the information is collected.

Typically, the Association may collect contact details including an individual's name, address, email address and telephone number.

In some cases the Association may collect other information such as an individual's:

• age or date of birth (for example in relation to our Caravanning Explorers' Club, which is for children);
• gender (for example for marketing purposes);
• bank account details (for example in order to pay them or receive a payment); or
• qualifications and employment history (for example to consider a job application).

We may also collect the following personal information from you if you attend a venue for an event the Association is running:

• your name;
• phone number and/or email address;
• information about the venue you are checking into;
• the time and date you were at the venue;
• the details you entered about anyone who attended the venue with you; and
• information about the technology you used to log your attendance to the venue.

Generally, we will not collect sensitive information about you. However, in certain circumstances, we may need to collect limited sensitive information. For example, health information in order to accommodate a person with a disability.

The Association will not collect sensitive information about an individual unless:

• the individual has consented and the information is reasonably necessary for the Association's functions or activities; or
• the collection is required or permitted by law.

The Association may also collect other types of personal information, where permitted or required by law.

How do we collect personal information?

Generally, the Association will collect personal information about an individual directly from that individual, and not from third parties. The Association collects personal information in a number of ways. The most common ways include:

• via information provided in membership applications;
• via our website or when an individual deals with us online (including through social media);
• via a third party venue attendance logging QR codes and applications;
• when an individual enters a competition or promotion the Association is running;
• when an individual registers to attend an event (whether virtual or in-person) the Association is running;
• from publicly available sources;
• from third parties (for example from referees if an individual applies for a position as an employee or contractor with us); or
• directly from an individual or third party organisation when they supply goods or services to the Association, we supply goods or services to them, they make enquiries of us or we have other dealings with them in the course of our business.

Can an individual choose not to disclose their personal information?

If an individual contacts the Association to make a general enquiry about the Association or any of its members, the individual does not have to identify themselves or provide any personal information. Alternatively, the individual can also notify the Association that they wish to deal with the Association using a pseudonym.

However, if the Association is not able to collect personal information about the individual, the Association may not be able to provide the individual with the information or assistance the individual may require. For example, the Association will not be able to send the individual information the individual has requested if the individual has not provided the Association with a valid email address or telephone number.

How do we use personal information?

Personal information will only be collected to the extent reasonably necessary for one or more of the Association's functions or activities, and will only be collected by lawful and fair means.

In general, the Association collects, uses and discloses personal information about individuals so that we can do business with those individuals and for purposes connected with our business.

Some specific purposes for which the Association collects, uses and discloses personal information include:

• to provide services to our members;
• to otherwise provide goods or services to an individual or their organisation;
• to receive goods or services from an individual or their organisation;
• to improve our products and services;
• to facilitate an individual's entry into and participation in a competition or trade promotion;
• to consider an individual for a job with the Association (whether as an employee or contractor);
• to address any issues or complaints that the Association or an individual has regarding the relationship between the Association and the individual;
• to contact an individual regarding any of the above, including via electronic messaging such as SMS and email, by mail, by telephone or in any other lawful manner; and
• for COVID-19 contact tracing purposes.

The Association may also use and disclose personal information about an individual for the purpose of direct marketing to them where:

• they consented to the Association doing so; or
• it is otherwise permitted by law.

Direct marketing involves communicating directly with an individual for the purpose of promoting goods or services to them. Direct marketing can be delivered by a range of methods including mail, telephone, email or SMS. An individual can unsubscribe from our direct marketing, or change their contact preferences, by contacting the Association.

The Association will only use personal information for the primary purpose for which it was collected. However, the Association may use or disclose personal information for another purpose (a secondary purpose) if:

• the individual has consented; or
• the Association is otherwise authorised or required by law to do so.

To whom do we disclose personal information?

The types of third party to whom the Association may disclose an individual's personal information include:

• our members;
• contractors to the Association (including mailing houses, marketing agencies, market researchers, insurance providers, website and data hosting providers and other IT suppliers);
• other persons or organisations who perform services for the Association;
• companies who may use an individual's personal information in order to tailor electronic advertising to the individual (for example on a webpage) in relation to the Association's products and services;
• the Association's accountants, insurers, lawyers, auditors and other professional advisers;
• any third parties to whom the individual has directed or permitted the Association to disclose their personal information (for example referees);
• in the unlikely event that the Association or its assets may be acquired or considered for acquisition by a third party, that third party and its advisors;
• third parties that require the information for law enforcement or to prevent a serious threat to public safety;
• Federal and State or Territory government health departments; and
• other third parties as permitted or required by law.

If the Association discloses personal information to a third party the Association will use reasonable commercial efforts to ensure that the third party only uses the personal information as reasonably required for the purpose for which the Association disclosed it to them and in a manner consistent with the Australian Privacy Principles. For example, where commercially practical the Association will include suitable privacy, security and confidentiality clauses in its agreement with a third party service provider to which the Association discloses personal information.

Disclosure of personal information outside Australia

The Association does not generally transfer personal information outside Australia.

Data quality

The Association will take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

Data security

The Association will take reasonable steps to protect personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure.

However, except to the extent liability cannot be excluded due to the operation of statute, the Association excludes all liability (including in negligence) for the consequences of any unauthorised access to, disclosure of, interference with, misuse of or loss or corruption of any personal information. Nothing in this policy restricts, excludes or modifies or purports to restrict, exclude or modify any statutory consumer rights under any applicable law including the Competition and Consumer Act 2010 (Cth).

Please notify us immediately if you become aware of any breach of security in relation to personal information.

Management of data breaches

A data breach occurs when personal information, in any format, held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference.

The Association is committed to complying with its obligations under the Notifiable Data Breaches (NDB) scheme under the Privacy Act.

The NDB scheme requires the Association to notify individuals affected by a data breach and the Office of the Australian Information Commissioner (OAIC) if an 'eligible data breach' occurs. A data breach is eligible if it is likely to result in serious harm to any of the affected individuals.

A breach may be exempt from being defined as eligible if the Association takes remedial actions prior to any serious harm occurring.

Destruction or de-identification of personal information no longer needed

Generally, we will retain your personal information for the period necessary for the purposes for which your personal information was collected (as outlined in this Privacy Policy) unless a longer retention period is required by law or if it is reasonably necessary for us to comply with our legal obligations, resolve a dispute or maintain security. The Association will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed by the Association.

Government identifiers

The Association will not adopt as its own identifier an identifier that has been assigned by a government agency (or by the government’s agent or contractor). Examples are an individual’s Medicare or tax file number. The Association will not use or disclose an identifier assigned to an individual by a government agency except where permitted by law.

Access and correction

If the Association holds personal information about an individual, it will provide the individual with access to the information on request in accordance with the Privacy Act, subject to certain exemptions that may apply.

The Association may require that the person requesting access provide suitable identification and where permitted by law we may charge an administration fee for granting access to personal information.

If the Association holds personal information about an individual and the individual is able to establish that the information is or may be inaccurate, incomplete, out of date, irrelevant or misleading the Association will take reasonable steps to correct the information.

Complaints

A person may make a complaint if they feel their personal information has been handled inappropriately by the Association.

In the first instance, complaints should be directed to the Association’s Privacy Officer by email sent to rlucas@ciavic.com.au. The Association will investigate the complaint and prepare a response to the complainant in writing within a reasonable period of time.

If the complainant is not satisfied with the Association’s response or the manner in which the Association has dealt with the complaint, the individual may make a formal complaint to the OAIC. The OAIC's contact details are:

Amendments to this policy

The Association may amend this policy from time to time. It will post any amended version on its website.

This version of this policy is dated 14 April 2021.