PCST is required by the Privacy Act 1988 (Commonwealth) (Privacy Act) to comply with the Australian Privacy Principles (APP). The APPs regulate the manner in which personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal.
PCST is also required to comply with the Spam Act 2003 (Commonwealth) (Spam Act); the Do Not Call Register Act 2006 (Commonwealth) (Do Not Call Register Act); the European Union General Data Protection Regulation (GDPR); and the Notifiable Data Breaches (NDB) Scheme.
What is personal information?
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. Special provisions apply to the collection of personal information which is sensitive information. PCST does not collect sensitive information (as defined by the Privacy Act) without consent.
The kinds of personal information PCST collects and holds include:
- an individual’s name, address and email address
- post-nominal letters
- employment details
Collection of personal information by PCST
To the extent required by the Privacy Act, PCST will not collect personal information about you unless that information is necessary for one or more of our functions or activities, for example:
- conferences, meetings, events and presentations
- newsletters or publications
- membership procedures
When PCST collects personal information directly from you, we will take reasonable steps at or before the time of collection to ensure that you are aware of certain key matters, such as the purpose for which we are collecting the information, the organisations (or types of organisations) to which we would normally disclose information of that kind, the fact that you are able to access the information and how to contact us.
When we collect payment details, we will not store them, or they will be masked or encrypted after your payment has been processed. Where PCST collects information about you from a third party, we will take reasonable steps to ensure that you have consented or have been made aware of the details as set out above.
Similarly, PCST may be required to provide your contact details to third party suppliers of services which you would reasonably expect PCST to do in order to provide its services. PCST provides the opportunity to opt-out of such third party arrangements.
PCST acknowledges that there is no obligation for an individual to provide it with personal information. However, if an individual chooses not to provide PCST with personal details, PCST may not be able to provide the individual with the services.
Use and disclosure of personal information by PCST
If PCST uses or discloses your personal information for a purpose (secondary purpose) other than the main reason for which it was originally collected (primary purpose) to the extent required by the Privacy Act, we will ensure that:
- the secondary purpose is related to the primary purpose and you would reasonably expect that PCST would use or disclose your information in that way
- you have consented to the use and disclosure of your personal information for the secondary purpose
- the use or disclosure is required or authorised by or under law
- the use or disclosure is otherwise permitted by the Privacy Act
For each visitor to our website or social media site or e-news, we may collect the following type of information for statistical purposes:
- number of users who visit
- date and time of the visits
- pages accessed
- user’s top-level domain name (for example .com or .gov)
- previous site visited
- type of browser used
- type of device used, users’ operating system (such as Windows or Macintosh)
- website or mobile device activity
The PCST system requires that the web browser accept cookies, which are used to make logging-in possible. Cookies are pieces of information that a website can transfer to an individual’s computer hard drive for record-keeping. Your cookie may be sent at various times during your visit to our website and may be updated as you access different areas. These cookies are not used to collect, store, track or monitor any personal information.
As would reasonably be expected, PCST may collect website and mobile device (e.g. apps) statistics (which includes pages accessed and search terms used) but this information is not identifiable (i.e. PCST cannot tell who you are): Google Analytics (or other third-party vendor) demographics and interest reporting (such as what country you are from, what language your computer is set to, age group, gender and interest area).
This is anonymous statistical data and no attempt will be made to identify users. We use this data to evaluate our website and to improve the content we display to you.
This cookie does not in any way identify you or give access to your computer. The cookie or similar technology is used to say: “This person visited this page, so show them ads relating to that page.”
Why does PCST collect personal information?
PCST collects personal information for a range of purposes, including:
- to process nominations for membership
- manage the membership of PCST
- record and maintain membership details and profile information
- provide information on services and benefits available to members
- notify members and non-members about PCST events
- ensure compliance with PCST’s Constitution
- website traffic data for statistical, reporting and maintenance purposes
- manage conferences, workshops and events, including international conferences
- distribution of PCST products, e.g. newsletter
From time to time, PCST may survey its members on a range of issues. These surveys help us to identify and analyse the ongoing needs of our Members and the quality of our products and services. If you do not wish to participate in these surveys, you can opt out of the survey or let us know.
Our responsibilities under the GDPR
For EU residents that engage with PCST, because we collect, use and store your personal information to enable us to provide you with our goods and/or services, we are a “collector” under the GDPR. As such, we have certain obligations under the GDPR when collecting, storing and using the personal information of EU residents. If you are an EU resident, your personal data will:
- be processed lawfully, fairly and in a transparent manner by us;
- only be collected for the specific purposes we have identified in the section Why does PCST collect personal information? above and personal information will not be further processed in a manner that is incompatible with the purposes we have identified;
- be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
- be kept up to date, where it is possible and within our control to do so (Members may update their data by logging into their Member profile on the PCST website and editing details). Please let us know if you would like us to correct any of your personal information, by sending an email to: email@example.com;
- be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal data was collected; and
- be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We also apply these principles to the way we collect, store and use the personal information of all non-EU contacts.
Specifically, we have the following measures in place, in accordance with the GDPR:
- Data protection policies: We have internal policies in place which set out where and how we collect personal information, how it is stored and where it goes after we get it, in order to protect your personal information.
- Right to ask us to erase your personal information: You may ask us to erase personal information we hold about you.
- Right to ask us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal information we hold about you is wrong (to give us enough time to verify if the information needs to be changed), and you request us to restrict the processing of personal information rather than it being erased.
- Notification of data breaches: We will comply with the GDPR in respect of any data breach.
How might we contact you?
We may contact you in a variety of ways, including email, social media, mobile devices or apps.
We will not send you any commercial electronic messages such as emails. Any commercial electronic message that we send will identify PCST as the sender and will include our contact details. This message will also provide an unsubscribe facility. If you do not wish to receive commercial electronic messages from us, please let us know.
When does PCST disclose personal information to third parties?
In performing our functions and activities (such as for conferences, presentations, and events as outlined above), we may need to disclose personal information to third parties where you may reasonably expect PCST to use or disclose the personal information for a specific purpose. Third parties with whom PCST may share your personal information include, where appropriate:
- secure online election provider
- printers and distributors of PCST publications and other material
- financial institutions for payment processing
- external business advisers (such as auditors and lawyers)
- travel and conference organisers
Data quality and security
PCST aims to safeguard your information to the best of its abilities, through a combination of technical, administrative and physical measures. This includes the use of Secure Socket Layer (SSL) encryption to protect information transmitted across the internet. Production data is housed in a Tier 3 Data Centre facility and backups are encrypted at rest.
All personal information collected by PCST will be retained as part of a database, which will be securely monitored and maintained by PCST or an approved host. Subject to paragraph When does PCST disclose personal information to third parties?, the data will not be made available to a third party, unless it is legally required and verified, without the authority of the individual who provided the personal information.
PCST will take all reasonable steps to protect the security of the personal information that it holds. This includes appropriate measures to protect electronic materials and materials stored and generated in hard copy. Where information held by PCST is no longer required to be held, and the retention is not required by law, then PCST will de-identify or destroy such personal information by a secure means.
However, if you have reason to believe that your interaction with us is no longer secure (for example, if you feel that your online account has been compromised) please contact our office: firstname.lastname@example.org.
Please note some third-party platforms that you might use to engage with us (for example, LinkedIn, Twitter, Mailchimp or SecurePay) are not under our control. If you have concerns about using these platforms, we encourage you to carefully consider their terms and conditions and other relevant policies.
PCST permits your details to be accessed only by authorised personnel, and our officers and employees maintain the confidentiality of personal information.
Payment security of all financial transactions is maintained by PCST using online technologies. It is our policy to ensure that all financial transactions processed meet industry security standards that ensure payment details are protected.
If you are concerned about sending your information over the internet, you can contact us by email: email@example.com.
Data breach response plan
The Data Breach Response Plan is to enable PCST to contain, assess and respond to a data breach in a timely fashion and to mitigate potential harm to affected individuals.
A data breach occurs when information held by PCST is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Data breaches involving personal information that are likely to cause individuals to be at serious risk of harm must be reported to the affected individual(s) and the Australian Information Commissioner in accordance with the requirements of the Notifiable Data Breaches (NDB) scheme.
Data breaches may arise from: loss or unauthorised access, modification, use or disclosure or other misuse; malicious actions, such as theft or “hacking”; internal errors or failure to follow information handling policies that cause accidental loss or disclosure; and not adhering to the laws of the states and territories or the Commonwealth of Australia.
When a data breach has occurred or is suspected to have occurred, PCST will initiate the process set out below. However, it should be noted that there is no single method of responding to a data breach and in some cases the following steps may need to be modified. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
Suspected or known data breach
When PCST becomes aware or suspects that there has been a data breach, it will assess the risk, document the event and move to rectify the issue. If the breach is the result of an ICT security incident (i.e. an event that affects the confidentiality, integrity or availability of PCST’s information, systems and infrastructure), PCST will work with its IT service manager provider to implement a response:
- stopping the unauthorised practice;
- recovering records;
- shutting down the system that has been breached;
- revoking or changing computer access privileges;
- addressing weaknesses in physical or electronic security.
Access and correction of your personal information
PCST will make available for inspection, free of charge, all personal information, based on the information supplied by the individual that it holds in relation to an individual, provided reasonable notice is given. In the event that such a request is made, PCST will review our records to determine what personal information is held and endeavour to respond to your request as soon as possible.
Please note that PCST will request that identification is provided before personal information is released. In the event that any part of the personal information that the individual inspects is determined to be incorrect and requires alteration then PCST will make such alteration in compliance with the corrected advice provided by the individual.
Members are able to update their contact details and profile information online at any time by signing into the Members’ section of the website to Manage Account; or they can send details by email: firstname.lastname@example.org.
Subject to the above, where you have consented to receiving communications from PCST, your consent will remain current until you advise us otherwise. However, you can, at no cost, opt out at any time, in the following ways:
Members can opt out of participating in surveys by contacting PCST by email: email@example.com.
Please contact PCST if you have any queries about the personal information that PCST holds about you or the way we handle that personal information.