Ë¿¹ÏÊÓƵ

Introduction

The Queensland Hotels Association (Ë¿¹ÏÊÓƵ) aims to build and maintain positive relationships with its members, stakeholders, clients, and the general public by maintaining the highest standards of honesty, fairness, proper and ethical dealings, and confidentiality. A significant part of our business involves the collection, storage and transmission of information about people, businesses, and corporate entities, and the Association understands and accepts the requirement to protect the privacy and nature of the information held by it.

Purpose

This document specifies and explains the Association’s privacy policy, and how it collects and manages the information given to and held by it.

Legislation

The over-arching legislation relevant to this policy is the Commonwealth Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). This policy embraces the 13 Australian Privacy Principles (APPs) enunciated in the Act.

Australian Privacy Principles

The Ë¿¹ÏÊÓƵ will take all reasonable steps to implement practices, procedures and systems to ensure that it complies with the Australian Privacy Principles and to deal with inquiries or complaints from individuals about the Ë¿¹ÏÊÓƵ’s compliance with those APPs, which are listed below:

  • APP1 – Open and transparent management of personal information
  • APP 2 – Anonymity and Pseudonymity
  • APP 3 – Collection of Personal Information
  • APP 4 – Dealing with Unsolicited Personal Information
  • APP 5 – Notification of the Collection of Personal Information
  • APP 6 – Use or Disclosure of Personal Information
  • APP 7 – Direct Marketing
  • APP 8 – Cross-border Disclosure of Personal Information
  • APP 9 – Adoption, Use or Disclosure of Government Related Identifiers
  • APP 10 – Quality of Personal Information
  • APP 11 – Security of Personal Information
  • APP 12 – Access to Personal Information
  • APP 13 – Correction of Personal Information

Use and Disclosure

The Queensland Hotels Association will only use and/or disclose information for the purpose for which it was collected. The information collected by the Association is generally of two types:

  • Personal information – information about individuals which is collected and stored on file generally in relation to applications for employment, applications for training, evaluative information, and information comprising resumes or CVs. It could include: names, mailing address, telephone numbers, email addresses, academic qualifications and so on. More sensitive information such as ethnic origin, religion, political orientation, criminal records or sexual orientation is not generally collected or held by the Association. Irrespective, the Association will not disclose any personal information to third parties without the specific, written consent of the owner of the information. This information is generally held on a paper or electronic file, and is securely destroyed at the end of the mandated holding period. The Association may disclose personal information where it is under a legal obligation to do so, including circumstances where it is under a lawful duty of care to disclose information. The Association will tell the individual about this disclosure, unless doing so is itself unlawful.
  • Information about businesses and organisations – as a peak industry body, the Association collects, stores, uses, manipulates and shares information about businesses and organizations in the hotel and hospitality industries. It also collects information to support its database of hotel and corporate members, and its corporate sponsors and industry stakeholders. Although much of this information is on the public record, the information can also include: postal address, telephone contact details, key appointments, and email and website information. This information is generally used for the purposes of conducting the business of the Association, including research, data interpretation, marketing, and statistical and issues analysis. The Association does disclose basic details of its membership information to Ë¿¹ÏÊÓƵ sponsor organizations, and to Ë¿¹ÏÊÓƵ Corporate Members, for marketing purposes.

Collection

The Association collects information provided by individuals and organizations from correspondence, application forms, and data collection forms such as questionnaires which are raised from time to time. Information from a wide range of areas such as training, business practice, workplace health and safety, employment and industrial relations, and marketing is collected in the normal course of the interaction between the Association and its members. When collecting information the Association, either through its website or through individual privacy notices on forms and letters, will tell a client:

  • Who is collecting the information
  • How the Association can be contacted
  • The main purpose of collecting the information
  • Whether the information will be disclosed to third parties
  • Any privacy implication relevant to specific information collection activities (surveys etc)

Privacy Statements

Where feasible, and in good faith, the Association will place simple privacy statements on its published material, especially where that material is produced for the purposes of gathering or soliciting information. This includes application and census forms, questionnaires, contract documents, and forms used for the collection of personal information, such as recruitment material. Such statements will be along the lines :

Privacy Statement: The Queensland Hotels Association collects personal or corporate information in the conduct of its normal business activities. Personal information will be protected, and other information will be handled, in accordance with the requirements of the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), and the Australian Privacy Principles.

Information and Data Security

The Association will take all reasonable precautions and steps to protect the personal and organizational information it holds from misuse, and from unauthorized access, disclosure, modification, or theft. This will include password protection of electronic records, security of stored information in locked cabinets, filing systems or rooms, and/or the physical protection of its records within locked and secured office spaces. Information of a particularly sensitive nature, including Registered Training Organisation training records, will be secured in a locked and fire-protected safe.

Access to Information Held by the Association

Individuals or organizations whose information is held by the Association will be given access to the information held by the Association upon request. Information or advice in relation to information may be obtained by visiting the offices of the Association or by contacting the Association Office Manager by telephone, email or in person. All reasonable requests will be met in a timely manner, unless prevented by a reason as detailed in the Act.

Points of Contact

The officers responsible for the administration of the Ë¿¹ÏÊÓƵ’s Privacy Policy are:

  • The Chief Executive; and
  • The Office Manager.

Both of these members are authorized to respond to requests for information or advice relating to this policy.

APP 1 – Open and transparent management of personal Information

The Ë¿¹ÏÊÓƵ will manage personal information in an open and transparent way. The Ë¿¹ÏÊÓƵ will at all times maintain this Privacy Policy in relation to the management of personal information by the Ë¿¹ÏÊÓƵ.

The kinds of personal information that the Ë¿¹ÏÊÓƵ collects and holds

The Ë¿¹ÏÊÓƵ may collect and hold information, including sensitive information, required to conduct its usual activities and functions. Such information may include, but is not limited to:

  • Identity information, including full name and date of birth
  • Contact information, including residential and postal address, telephone numbers and email address
  • Employment information, including occupation, employer name and income
  • Tax File Numbers (TFNs)
  • Australian Business Numbers (ABNs)
  • Queensland Liquor Licence Numbers
  • Certain financial information such as credit card and bank account details (used for financial transactions only)

How the Ë¿¹ÏÊÓƵ collects and holds personal information

Information is generally collected from members when they complete and sign an application to join the Ë¿¹ÏÊÓƵ. This application forms part of the relevant Ë¿¹ÏÊÓƵ membership data. Additional information may also be collected from other Ë¿¹ÏÊÓƵ documentation, for example personal contact details may be required if a member applies for industry training with the Ë¿¹ÏÊÓƵ. Employers may also provide salary and other employment related information in seeking specialist industrial relations advice.

All information is stored in secure physical storage facilities and/or in electronic form. Electronic data is only accessible by authorised persons for appropriate purposes and is password protected.

The purposes for which the Ë¿¹ÏÊÓƵ collects, holds, uses and discloses Personal Information

The Ë¿¹ÏÊÓƵ will only collect, hold, use and disclose the information it reasonably requires for its usual business functions and activities. Further details of these are set out later in this Policy.

How an individual may access personal information about the individual that is held by the Ë¿¹ÏÊÓƵ and seek the correction of such information

As noted below, except in certain limited circumstances, individuals may access their personal information and advise the Ë¿¹ÏÊÓƵ of any corrections to that information.

How an individual may complain about a breach of the Australian Privacy Principles that binds the Ë¿¹ÏÊÓƵ and how the Ë¿¹ÏÊÓƵ will deal with such a complaint

An individual may complain about a breach of the Australian Privacy Principles by writing to the Ë¿¹ÏÊÓƵ seeking such information. Written and email requests are acceptable forms of communication.

Disclosure of personal information to overseas recipients

The Ë¿¹ÏÊÓƵ may disclose personal information to an overseas recipient where such disclosure is part of the Ë¿¹ÏÊÓƵ’s normal business activities. Such disclosure will only be made in accordance with the provisions outlined elsewhere in this Policy.

Countries in which recipients of personal information are likely to be located

The Ë¿¹ÏÊÓƵ does not usually conduct business with any entity or persona located outside of Australia.

Availability of the Policy

The Policy will be available on the Ë¿¹ÏÊÓƵ’s website and may also be obtained free of charge from the Ë¿¹ÏÊÓƵ in any reasonable form.

APP 2 – Anonymity and Pseudonymity

When dealing with the Ë¿¹ÏÊÓƵ in relation to a particular matter, individuals have the option of not identifying themselves, or of using a pseudonym, where it is practical and lawful to do so.

Given the nature of the Ë¿¹ÏÊÓƵ’s activities and its interactions with members and the wider public, it is generally impractical for the Ë¿¹ÏÊÓƵ to deal with individuals who have not identified themselves or who have used a pseudonym.

APP 3 – Collection of Personal Information

Personal information other than sensitive information

The Ë¿¹ÏÊÓƵ will not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the Ë¿¹ÏÊÓƵ’s functions or activities.

Sensitive Information

The Ë¿¹ÏÊÓƵ will not collect sensitive information about an individual unless the individual consents to the collection of the information and the information is reasonably necessary for one or more of the Ë¿¹ÏÊÓƵ’s functions or activities. Exceptions may apply where the collection of the information is required or authorised by or under an Australian law or a court/tribunal order.

Functions and activities of the Ë¿¹ÏÊÓƵ

Functions and activities that the Ë¿¹ÏÊÓƵ engages in in relation to a particular individual
may include:

  • Setting up one or more membership accounts
  • Collecting Tax File Numbers as required by superannuation legislation
  • Receiving and posting information on behalf of Ë¿¹ÏÊÓƵ members, either by the member themselves, their employer or their spouse
  • Collecting and assessing health/medical information for the purpose of providing employment or industrial relations advice to members
  • Obtaining salary and income information in relation to industrial relations advice or in support of job applications
  • Collecting personal contact information related to applications for industry training

Means of collection

The Ë¿¹ÏÊÓƵ will only collect personal information by lawful and fair means. Wherever it
is reasonable and practical to do so, the Ë¿¹ÏÊÓƵ will only collect personal information
about an individual from that individual. In practice, some information is usually
provided to the Ë¿¹ÏÊÓƵ by an individual’s employer in the normal course of business.

APP 4 – Dealing with Unsolicited Personal Information

If the Ë¿¹ÏÊÓƵ receives personal information and the Ë¿¹ÏÊÓƵ did not request that information (unsolicited information) the Ë¿¹ÏÊÓƵ will, within a reasonable period after receiving the information, determine whether or not Ë¿¹ÏÊÓƵ could have collected the information under Australian Privacy Principle 3, if the Ë¿¹ÏÊÓƵ had solicited the information.

If the unsolicited information could not have been collected under APP3, the Ë¿¹ÏÊÓƵ will, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.

APP 5 – Notification of the Collection of Personal Information

At or before the time or, if that is not practicable, as soon as practicable after, the Ë¿¹ÏÊÓƵ collects personal information about an individual, the Ë¿¹ÏÊÓƵ will take such steps as are reasonable in the circumstances to advise the individual:

  • The identity and contact details of the Ë¿¹ÏÊÓƵ
  • The fact that the Ë¿¹ÏÊÓƵ has collected the personal information and the circumstances of that collection
  • The purposes for which the Ë¿¹ÏÊÓƵ collects the personal information
  • The main consequences (if any) for the individual if all or some of the personal information is not collected by the Ë¿¹ÏÊÓƵ
  • The name of any other entity subject to the Privacy Act, body or person, or the types of any other such entities, bodies or persons, to which the Ë¿¹ÏÊÓƵ usually discloses personal information of the kind collected by the Ë¿¹ÏÊÓƵ
  • That the Ë¿¹ÏÊÓƵ’s Privacy Policy contains information about how the individual may access the personal information about the individual that is held by the Ë¿¹ÏÊÓƵ and seek the correction of such information
  • That the Ë¿¹ÏÊÓƵ’s Privacy Policy contains information about how the individual may complain about a breach of the Australian Privacy Principles and how the Ë¿¹ÏÊÓƵ will deal with such a complaint
  • Whether the Ë¿¹ÏÊÓƵ is likely to disclose the personal information to overseas recipients and if this is so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them
  • If the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order, the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/ tribunal order, that requires or authorises the collection).

APP 6 – Use or Disclosure of Personal Information

Information about an individual that the Ë¿¹ÏÊÓƵ collects for a particular purpose (the primary purpose), will not be used or disclosed for another purpose (the secondary purpose) unless the individual has consented to the use or disclosure of the information. The primary purpose in relation to the Ë¿¹ÏÊÓƵ is to obtain membership and industry training information.

The consent of the individual to the use or disclosure of information other than for the primary purpose may not be required where:

  • The individual would reasonably expect the Ë¿¹ÏÊÓƵ to use or disclose the information for the secondary purpose and the secondary purpose is:
    o if the information is sensitive information—directly related to the primary purpose; or
    o if the information is not sensitive information—related to the primary purpose.
  • The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order
  • A permitted general situation (as defined in section 16A of the Act) exists in relation to the use or disclosure of the information by the Ë¿¹ÏÊÓƵ
  • A permitted health situation (as defined in section 16B of the Act) exists in relation to the use or disclosure of the information by the Ë¿¹ÏÊÓƵ
  • The Ë¿¹ÏÊÓƵ reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. In such cases, the Ë¿¹ÏÊÓƵ will make a written note of the use or disclosure.

APP 7 – Direct Marketing

The Ë¿¹ÏÊÓƵ will not use or disclose personal information for the purpose of direct
marketing except where:

  • The Ë¿¹ÏÊÓƵ collected the information from the individual, and
  • The individual would reasonably expect the Ë¿¹ÏÊÓƵ to use or disclose the information for the purpose of direct marketing, and
  • The information is not sensitive information.

Unless the individual requests otherwise, the Ë¿¹ÏÊÓƵ may from time to time use
personal information to:

  • Conduct member research to find out views on existing and proposed products
    and services; or
  • Provide information about Ë¿¹ÏÊÓƵ products and services, industry seminars or any
    other Ë¿¹ÏÊÓƵ related products.

The Ë¿¹ÏÊÓƵ will at all times provide a simple means by which an individual may easily request not to receive direct marketing communications from the Ë¿¹ÏÊÓƵ. Where such a request has been received, the Ë¿¹ÏÊÓƵ will cease to use or disclose personal information for the purpose of direct marketing.

Individuals that do not wish to receive direct marketing communications should advise the Ë¿¹ÏÊÓƵ via one of the following means:
Telephone: 07 3221 6999
Fax: 07 3221 6649
In writing: Ë¿¹ÏÊÓƵ GPO Box 343 Brisbane Qld 4001
Email: info@qha.org.au
The Ë¿¹ÏÊÓƵ will never disclose an individual’s personal information to a third party for the purposes of direct marketing unless that individual has given their express consent for such disclosure and use.

APP 8 – Cross-border Disclosure of Personal Information

The Ë¿¹ÏÊÓƵ will not disclose personal information about an individual to a person or organisation that is not in Australia (or one of its territories) without taking reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

The Ë¿¹ÏÊÓƵ may disclose personal information to an overseas recipient in one or more of the following circumstances:

  • The overseas recipient of the information is subject to conditions that have the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information and there are mechanisms that the individual can access to take action to enforce that protection
  • The individual is informed that, in the normal course of business, information may be disclosed to an overseas recipient and consents to the disclosure The disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order
  • A permitted general situation (as defined in section 16A of the Act) exists in relation to the disclosure of the information.

APP 9 – Adoption, Use or Disclosure of Government-related Identifiers

Adoption of government related identifiers

The Ë¿¹ÏÊÓƵ will not use a government-related identifier of an individual as its own identifier of the individual.

Use or disclosure of government-related identifiers

The Ë¿¹ÏÊÓƵ will not use or disclose a Government-related identifier of an individual unless:

  • The use or disclosure of the identifier is reasonably necessary for the Ë¿¹ÏÊÓƵ to verify the identity of the individual for the purposes of the Ë¿¹ÏÊÓƵ’s activities or functions, or
  • The use or disclosure of the identifier is reasonably necessary for the Ë¿¹ÏÊÓƵ to fulfil its obligations to a Government agency or a State or Territory authority, or The use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order, or
  • A permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of the Act) exists in relation to the use or disclosure of the identifier, or
  • The Ë¿¹ÏÊÓƵ reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

APP 10 – Quality of Personal Information

The Ë¿¹ÏÊÓƵ will take such steps as are reasonable in the circumstances to ensure that the personal information that the Ë¿¹ÏÊÓƵ collects is accurate, up to date and complete.

The Ë¿¹ÏÊÓƵ will also take such steps as are reasonable in the circumstances to ensure that the personal information that the Ë¿¹ÏÊÓƵ uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.

APP 11 – Security of Personal Information

The Ë¿¹ÏÊÓƵ will take such steps as are reasonable in the circumstances to protect the personal information it collects from misuse, interference and loss, and from unauthorised access, modification or disclosure. Ë¿¹ÏÊÓƵ records are kept either in the secured office of the Ë¿¹ÏÊÓƵ or in an electronic form which is password protected.

Where the Ë¿¹ÏÊÓƵ holds personal information about an individual and:

  • The Ë¿¹ÏÊÓƵ no longer needs the information for any purpose for which the information may be used or disclosed by the Ë¿¹ÏÊÓƵ, and
  • The information is not contained in a Commonwealth Government record, and
  • The Ë¿¹ÏÊÓƵ is not required by or under an Australian law, or a court/tribunal order, to retain the information,

the Ë¿¹ÏÊÓƵ will take such steps as are reasonable in the circumstances to destroy the
information or to ensure that the information is de-identified.

APP 12 – Access to Personal Information

Where the Ë¿¹ÏÊÓƵ holds personal information about an individual, the Ë¿¹ÏÊÓƵ will, on request by the individual, give the individual access to that information. Such a request can be made by the means set out above. The Ë¿¹ÏÊÓƵ will take reasonable steps to confirm the identity of the individual before providing access to personal information.

Denying access to information.

The Ë¿¹ÏÊÓƵ may deny access to personal information where:

  • The Ë¿¹ÏÊÓƵ reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
  • Giving access would have an unreasonable impact on the privacy of other individuals; or
  • The request for access is frivolous or vexatious; or
  • The information relates to existing or anticipated legal proceedings between the Ë¿¹ÏÊÓƵ and the individual, and would not be accessible by the process of discovery in those proceedings; or
  • Giving access would reveal the intentions of the Ë¿¹ÏÊÓƵ in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  • Giving access would be unlawful; or
  • Denying access is required or authorised by or under an Australian law or a court/ tribunal order; or
  • Both of the following apply:
    o the Ë¿¹ÏÊÓƵ has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the Ë¿¹ÏÊÓƵ’s functions or activities has been, is being or may be engaged in; and
    o Giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
  • Giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • Giving access would reveal evaluative information generated within the Ë¿¹ÏÊÓƵ in connection with a commercially sensitive decision-making process.

Providing access to information

The Ë¿¹ÏÊÓƵ will respond to a request for access within a reasonable period after the request is made and will give access to the information in the manner requested by the individual if it is reasonable and practicable to do so.

If the Ë¿¹ÏÊÓƵ declines to give access to personal information because of one of the conditions outlined in this policy, or declines to give access in the manner requested by the individual, it will take such steps as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual. This may include providing access through the use of a mutually agreed intermediary. The
Ë¿¹ÏÊÓƵ will also provide:

  • The reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
  • The mechanisms available to complain about the refusal; and
  • Any other information required to be given by law.

Where the Ë¿¹ÏÊÓƵ imposes a charge for an individual to access personal information,
such charge will be reasonable and will not apply to the making of the request.

APP 13 – Correction of Personal Information

Where the Ë¿¹ÏÊÓƵ holds personal information about an individual and it is found that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading, or the individual requests that the Ë¿¹ÏÊÓƵ correct the information, the Ë¿¹ÏÊÓƵ will take such steps as are reasonable in the circumstances to correct that information to ensure that it is accurate, up to date, complete, relevant and not misleading.

If the Ë¿¹ÏÊÓƵ corrects personal information about an individual that the Ë¿¹ÏÊÓƵ has previously disclosed to another party and the individual requests that the Ë¿¹ÏÊÓƵ notify the other party of the correction, the Ë¿¹ÏÊÓƵ will take such steps as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

Where appropriate, the Ë¿¹ÏÊÓƵ may request that the individual provides suitable evidence that the information subject to correction is inaccurate, out of date, incomplete, irrelevant or misleading.

If the Ë¿¹ÏÊÓƵ refuses to correct the personal information as requested by the individual, the Ë¿¹ÏÊÓƵ will give the individual a written notice that sets out:

  • The reasons for the refusal except to the extent that it would be unreasonable to
    do so; and
  • The mechanisms available to complain about the refusal; and
  • Any other matter prescribed by law.

If the Ë¿¹ÏÊÓƵ refuses to correct the personal information as requested by the individual and the individual requests the Ë¿¹ÏÊÓƵ associates with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading, the Ë¿¹ÏÊÓƵ will take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

The Ë¿¹ÏÊÓƵ will deal with a request to correct personal information within a reasonable period after the request is made and will not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).

Review of the Policy

This Policy will be reviewed annually or earlier if required by changes to relevant legislation or by the lawful direction of an appropriate regulatory authority.

Conclusion

The personal, commercial and general information of its members and clients is important to the Queensland Hotels Association, and the Association will take all reasonable measures to ensure that such information is protected and guarded, and not disclosed to those who are not authorized to access it. The Association will abide by the requirements of the Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), and the Australian Privacy Principles, and will review this policy from time to time to ensure its continued relevance and accuracy.