This Policy applies to Central Animal Records Australia Pty Ltd (ACN 052 993 101) (referred to as ‘CAR’, ‘we’, ‘our’, ‘us’) and extends to and covers all of its operations and functions. The word ‘individual’ refers to all persons whose personal information we collect, use or disclose.
This Policy outlines CAR’s obligations to manage and protect personal information. CAR is bound by the Australian Privacy Principles (‘APPs’), the Credit Reporting Privacy Code (‘the Code’) and the Privacy Act 1988 (Cth) (‘Privacy Act’). This Policy also outlines CAR’s practices, procedures and systems that ensure compliance with the Privacy Act, APPs and the Code, including procedures in relation to the following:
• use and disclosure of personal information (Section 9)
• sending information overseas (Section 11)
• management of personal information (Section 10)
• direct marketing (Section 11)
• correction of personal information (Section 14)
• access to personal information (Section 13)
• complaints handling (Section 17)
‘Credit information’ includes information that we have obtained from Third Parties, including individuals, other credit providers and credit reporting bodies (‘CRBs’).
‘On-Line System’ means any electronic system or interface provided by CAR to its clients for the purpose of placing trading orders and payment management.
‘Personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
‘Sensitive information’ is a subset of personal information that includes information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences, criminal record, and health information.
‘Third Parties’ means clients, suppliers, sub-contractors, agents or people having a commercial relationship with CAR.
2. What kinds of personal information do we collect and hold?
We may collect and hold the following kinds of personal information about individuals:
• phone numbers
• email addresses
• bank account details
• identification information including drivers’ licence, Medicare and passport details
• any other information that is relevant to the services that we provide
3. How we collect personal information
We generally collect personal information directly from the individual. For example, your personal information will be collected when you register an animal with us, change your details with us via phone, email or website log-in or send us correspondence.
CAR will not collect sensitive information unless the individual has consented or an exemption under the APPs applies. These exceptions include if the collection is required or authorised by law or necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.
If the personal information we request is not provided, we may not be able to process an individual’s animal subscription, or meet our legal obligation as a licenced animal microchip registry, or provide individuals with the benefit of our services, or meet an individual’s needs appropriately.
4. How we manage your personal information
We manage personal information using customer relationship management software. The data from this software program is stored securely in a client database in our own internal company servers and in our Cloud-based servers located in Australia. For more information about how we safeguard your personal information see section 12 below.
If we hold personal information about an individual, and CAR no longer needs the information, we will take reasonable steps to de-identify the personal information. We will only keep your personal information for as long as we need your information for the purposes listed in sections 7 and 10 below, unless we are required by an Australian law or a court/tribunal order to retain the information.
CAR does not give individuals the option of dealing with CAR anonymously, or under a pseudonym, because to do so would breach CAR’s obligations.
5. Unsolicited personal information
We may receive personal information about individuals we have not requested. If we receive unsolicited personal information, we will decide whether the information is reasonably necessary for our activities and could have been collected under the APPs. If we would not have been able to collect the information, we will destroy or de-identify the information.
6. About whom do we collect personal information?
We may collect and hold personal information about the following individuals:
• current and potential clients;
• service providers or suppliers;
• prospective employees, employees and contractors; and
• other Third Parties with whom we come into contact.
7. Why does CAR collect and hold personal information?
• CAR collects and holds personal information for the following purposes:
• to assist in providing services to our clients;
• to enable the reunion of owners/clients with their pets when the pets are found by authorised people and the general public
• to provide clients with information about a product or service;
• to protect our business and other clients from fraudulent or unlawful activity;
• to conduct our business and perform other management and administration tasks;
• to consider any concerns or complaints clients may have;
• manage any legal actions involving CAR;
• to comply with relevant laws, regulations and other legal obligations; and
• to help us improve the products and services offered to clients, and to enhance our overall business.
8. How might we use and disclose personal information?
We ‘use’ personal information when we handle and manage that information within CAR. We ‘disclose’ personal information when we release that information from our effective control.
CAR may use and disclose personal information (excluding credit information) for the primary purpose for which it is collected (reunion of lost or stray pets with their owners), for reasonably expected secondary purposes which are related to the primary purpose, and in other circumstances authorised by the Privacy Act or otherwise by law. For information on how we might use and disclose credit information, see section 10 below.
Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose (unless the individual provides consent to use or disclose the information for another purpose), or where certain other limited circumstances apply (e.g. where required by law).
We will only use government identifiers (e.g. passport and drivers licence details) if is reasonably necessary for us to identify the individual for the purposes of providing our services, or engaging in any of our other functions or activities. We will generally only use identifiers to comply with our legal obligations under animal management legislation to identify our clients.
We use and disclose personal information, excluding credit information, for the purposes outlined in section 7 above.
9. To whom might we disclose personal information?
We may disclose personal information (excluding credit information) to:
• a related entity of CAR (another licenced animal microchip registry);
• an agent, contractor or service provider we engage to carry out our functions and activities, such as our lawyers, accountants, debt collectors or other advisors;
• regulatory bodies, government agencies, law enforcement bodies and courts; and
• anyone to whom we are required and allowed by law to disclose it; and
• anyone else to whom the individual authorises us to disclose it.
We also collect personal information from these organisations and individuals, and deal with that information in accordance with this Policy.
We engage other people to perform services for us which may involve that person handling personal information we hold. In these situations, we prohibit that person from using personal information about the individual except for the specific purpose for which we supply it. We prohibit that person from using your information for the purposes of direct marketing their products or services.
We will not disclose personal information to an overseas recipient unless:
• we have taken reasonable steps to ensure the recipient does not breach the Privacy Act, the APPs and the Code;
• the recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that is substantially similar to the way the APPs protect the information; or
• we have obtained your informed consent to disclose the information prior to any disclosure
10. Management and security of personal information
The APPs require us to take all reasonable steps to protect the security of personal information, including credit information. CAR personnel are required to respect the confidentiality of personal information and the privacy of individuals.
CAR takes reasonable steps to protect personal information held from misuse and loss and from unauthorised access, modification or disclosure, for example by use of physical security and restricted access to electronic records.
All personal information contained in hard copy documents held by CAR is stored in a locked environment.
All personal information stored on CAR’s computer system is backed up regularly and back-up copies are held in a secure location. All data is stored securely in our own internal company servers and our Cloud-based servers located in Australia.
In relation to our client database and Web based application systems, we apply the following guidelines:
• data ownership is clearly defined within CAR, that is, each person who has access to personal information has the required level of access;
• the length and content of passwords are governed by our IT policy, and automatically enforced through our IT systems to ensure that they are of an appropriate length, and not likely to be easily guessed;
• we utilise procedures which change an employee’s access capabilities when he or she is assigned to a new position;
• employees have restricted access to sections of the system which include the marketing database and personnel files;
• unauthorised employees are barred from updating and editing personal information;
• certain fields are masked to bar unauthorised employees;
• all personal computers which contain personal information are secured, physically and electronically;
• CAR is committed to protecting the security of your personal information and we take all reasonable precautions to protect it from unauthorised access, modification or disclosure. Your personal information is stored on secure servers that have SSL Certificates issued by leading certificate authorities, and all Data transferred between You and the Service is encrypted.
However, the Internet is not in itself a secure environment and we cannot give an absolute assurance that Your information will be secure at all times. Transmission of personal information over the Internet is at Your own risk and You should only enter, or instruct the entering of, personal information to the Service within a secure environment.
We will advise You at the first reasonable opportunity upon discovering or being advised of a security breach where Your personal information is lost, stolen, accessed, used, disclosed, copied, modified, or disposed of by any unauthorised persons or in any unauthorised manner.
• print reporting of data containing personal information is limited Certificates
• CAR’s IT policy mandates destruction of personal information when it is no longer required, and provides procedures and controls for the disposal of confidential output and when confidential data is disseminated to authorised individuals; and
• all personal information contained on magnetic disks and cloud storage is overwritten when the information is no longer required. Hard drives containing personal information that is no longer required to be kept are removed from computers that are no longer in use and are physically destroyed.
11. Direct marketing
CAR does not use or disclose personal information we collect from individuals for the purpose of direct marketing unless:
• the personal information does not include sensitive information or credit information; and
• the individual would reasonably expect us to use or disclose the information for the purpose of direct marketing; and
• we provide a simple way of opting out of direct marketing; and
• the individual has not requested to opt out of receiving direct marketing from us. If the individual would not reasonably expect CAR to use or disclose their personal information for the purpose of direct marketing, CAR may still use or disclose the information (unless it is sensitive information or credit information) for the purpose of direct marketing if:
• either the individual has consented to the use or disclosure of the information for direct marketing or it is impracticable to obtain that consent; and
• CAR provides a simple way of opting out of direct marketing; and
• in each direct marketing communication, CAR includes a prominent statement that the individual may make a request to opt out of direct marketing or otherwise draws the individual’s attention to the fact that he or she may make such a request; and
• the individual has not already requested to opt-out of direct marketing from CAR.
We do not disclose personal information we collect to Third Parties for the purpose of allowing them to direct market their products and services.
We do not use or disclose sensitive information or credit information for direct marketing purposes. CAR notes that you have the right to request to opt out of direct marketing and we must give effect to the request within a reasonable period of time.
12. How do we keep personal information accurate and up-to-date?
CAR takes reasonable steps to ensure that the personal information including credit information it collects, uses and discloses is relevant, accurate, complete and up-to-date. We ensure that personal information is collected and recorded in a consistent format, and new information is promptly added to our client database.
We may also remind you from time to time to update your personal information, or contact you to verify your personal information.
We encourage individuals to contact us in order to update any personal information we hold about them and their animals. If we correct information that has previously been disclosed to another entity, we will notify the other entity within a reasonable period of the correction. Where we are satisfied information is inaccurate, we will take reasonable steps to correct the information within 30 days, unless you agree otherwise. We do not charge individuals for correcting the information.
13. Access to your personal information
Subject to the exceptions set out in the Privacy Act, individuals may gain access to the personal information including credit information which CAR holds about them by contacting the CAR Privacy Officer. We will provide access within 30 days of your request. If we refuse to provide the information, we will provide reasons for the refusal and inform the individual of any exceptions relied upon under the Privacy Act.
An individual’s request for access to his or her personal information will be dealt with by allowing the individual to look at his or her personal information at the offices of CAR or on-line through authorised access. We will require identity verification and specification of what information is required.
13.1 For what purpose is my personal information required and how long is the information kept.
According to the Domestic Animal Regulation of 2005 r.34 that is listed on the Department of Environment and Primary Industries HERE, a licenced animal microchip registry like Central Animal Records has to maintain all records relating to an animal for the lifetime of the animal or 30 years after the record was listed on the database – whichever is the lesser. We do not routinely delete records after an animal is deceased but we alter the animal record to a status of “deceased”. Further, if we receive a written request from the listed owner stating that the pet has deceased and specifically wanting their details removed from the database, then both owner and animal records are made “inactive” such that neither record is able to be seen nor updated by any users including the original owner. If an owner has multiple pets listed on the database and Central Animal Records is notified that one of the pets has deceased then that pet will simply be listed as “deceased”. If that owner specifically requests that the details of the deceased pet be removed from the database then that pet’s record will be made “inactive”. The legislation is silent in relation to a requirement to delete owner records once an animal dies but the "inactive" flag on that record has the same net effect as a deletion.
14. Updates to this policy
This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and practices and the changing business environment.
15. Privacy training
16. Non-compliance and disciplinary actions
17. Complaints handling
CAR has an effective complaints handling process in place to manage privacy-related complaints. All complaints will initially be handled and investigated internally. We will investigate your complaint promptly. We will try to resolve your complaint quickly and fairly.
You can make a complaint to CAR about the treatment or handling of your personal information, including credit information, by lodging a complaint with the Privacy Officer.
18. Contractual arrangements with third parties
19. Privacy audits
CAR will conduct periodic privacy audits in order to ensure that it is continuing to comply with its obligations under the Privacy Act, the Code and the APPs. CAR is also subject to periodic audits by the Victorian Government in relation to conditions associated with the holding of a licence to operate as an animal microchip registry within the State of Victoria.
By telephoning: 03 9706 3198
By emailing: info@CAR.com.au
By writing to:
Central Animal Records (Aust) Pty Ltd
22 Fiveways Boulevard
21. What if I am not satisfied with the response?
If you are not satisfied with the result of your complaint to CAR you can also refer your complaint to the Australian Information Commissioner.
You can contact the Office of the Australian Information Commissioner in the following ways:
By visiting: www.oaic.gov.au
By telephoning: 1300 363 992
By emailing: firstname.lastname@example.org
By writing to:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 1042