We are also required to comply with any applicable registered APP code and with other legislation relating to privacy, such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
What information is covered by the Act?
The Act covers ‘personal information’ and ‘sensitive information’.
Personal information is information or an opinion (whether true or not) about an identified individual (or an individual who is reasonably identifiable) whether the information or opinion is recorded in a material form or not.
Sensitive information includes personal information about an individual’s racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices and criminal record and also health and genetic information about an individual.
What kinds of information do we collect and hold?
Depending on the nature of your dealings with us, we collect and hold personal information such as your name, address, contact details, date and place of birth, Medicare number, job title, employer details, financial details and all other information that you provide us or we collect during the course of your matter or in any other dealings with us and/or our clients. This may include information contained in allegations that you have made against another person, or in allegations that a person has made against you.
We only collect sensitive information about you where that information is reasonably necessary for us to carry on our functions or activities and you have consented or where we are required or permitted by law to do so.
How do we collect personal information?
We collect personal information about you in a number of ways, such as directly from you or from another source such as a third party.
We collect personal information from you directly when you personally provide that information to us, for example, in person, over the telephone, electronically or through written correspondence. You may provide that personal information in a number of ways such as when you:
- are a client of the firm;
- are involved in a matter on which we are working;
- apply for a position of employment with us;
- request to be placed on our mailing list;
- supply goods or services to us;
- send us an enquiry;
- provide us with feedback;
- are involved in a dispute with our client; or
- provide information by using our website (such as via cookies).
The nature of our business is such that it is sometimes impractical or unreasonable to collect personal information from you directly. In such situations, we collect personal information about you when another person provides us with personal information or when we obtain personal information from other sources, for example, from another person who is our client (or related to our client) and who discloses information about you in the course of that retainer, public registers and third party service providers, recruitment agencies or past employers, regulatory bodies or government departments, credit reporting bodies and credit providers and surveillance cameras.
How do we hold the personal information?
We hold information in a number of ways, including electronically (such as electronic databases and email contact lists) and in hard copy (such as paper files held in drawers and cabinets). Paper files may also be archived in boxes and stored in secure facilities.
For what purposes do we collect your personal information?
We collect, hold, use and disclose personal information that is reasonably necessary for us to carry out our functions or activities. The main purposes for which we collect, hold, use and disclose personal information are to:
- provide legal advice;
- send you information;
- obtain goods and services;
- perform research and statistical analysis;
- answer queries and resolve complaints; and
- recruit staff and contractors.
We may also collect, hold, use and disclose personal information for other purposes where you have consented to this or where we are permitted or required by law to do so.
When do we use and disclose the personal information?
We use the personal information to enable us to properly look after your matter and to advance your interests, and to enable us to contact you in relation to your matter or when we are permitted or required by law to use it. We may also use the information to determine whether we will accept your instructions to act on your behalf or whether to offer you employment.
We only disclose information where we need to in order to advance your interests, or when we are permitted or required by law to disclose it. In these circumstances we may, for example, disclose the information to:
- an insurance company;
- a doctor;
- a Court or Tribunal;
- a financial institution;
- a barrister or expert;
- a government regulator;
- a referee whose details are provided to us by job applicants;
- our contracted service providers; or
- a legal firm that is our agent in another jurisdiction.
Generally we will try to ensure that you are aware whenever information is being disclosed to a third party.
If we are permitted by law, we may use your personal information to send you newsletters, updates, invitations, articles, other legal information and other material about our products and services. Where you have consented to receiving these communications, that consent will remain current until you advise us otherwise. You can opt out at any time by email at email@example.com or phone (02) 6285 8000.
Unless we engage the services of an overseas recipient (such as a law firm that is a Meritas member or another law firm outside Australia), we are not likely to disclose the information to an overseas recipient. However, we may disclose the information to an overseas recipient when we are required or permitted by law to disclose it if we have engaged that overseas recipient in order to enable us to properly look after your matter and to advance your interests.
It is not practicable to specify in which countries the overseas recipients are likely to be located as this depends on the nature of your question or matter.
Security of your personal information
We take reasonable steps to protect your personal information. However, we are not liable for any unauthorised access to this information.
Data breach notification
The Privacy Amendment (Notifiable Data Breaches) Act 2017 requires us to conduct an assessment within 30 days of a potential ‘eligible data breach’ occurring. An eligible data breach occurs when there is unauthorised access to or unauthorised disclosure of your personal information, credit reporting information, credit eligibility information or tax file number information that is likely to result in serious physical, psychological, economic or emotional harm to you, or serious harm to your reputation.
In the instance that an eligible data breach is deemed to have occurred following mandatory assessment, we are required to provide a statement to you, including details as to the breach and the recommended course of action. Further, we are required to provide a copy of the statement to the Office of the Australian Information Commissioner (OAIC).
Can you access the information?
You are entitled to ask what information we hold about you. Within a reasonable time, we will inform you of the personal information and/or sensitive information that we hold about you. You may then ask us to show you the information so that you can check to ensure that it is accurate, complete and up to date.
We will give you access to the information unless we are entitled to refuse access pursuant to APP 12.3, in which case we must provide you with a written notice setting out, among other things, the reasons for the refusal.
You may ask us to amend the information if it is not accurate, complete or up to date and we will respond to that request within a reasonable time. If we refuse to amend the information, we will provide you with a written notice setting out, among other things, the reasons for that refusal. If we refuse to amend the information, you may ask us to attach a note to the information indicating that you think it is inaccurate, incomplete or out of date and we will respond to that request within a reasonable time.
Consequences if all or part of the information we request is not provided
You may choose not to provide us with some or all of the information that we request. If you choose to do this it may cause extensive delays in progressing your matter, and in some circumstances we may not be able to properly act for you, advance your interests or contact you to provide you with advice.
Complaints or queries
We will deal with any complaint diligently and fairly and respond to you within a reasonable time.