Collecting Personal Information
We collect Personal Information to provide products to our customers and to maintain and grow our customer base. Sensitive Information may be collected where you have given express consent for us to do so and the information is reasonably necessary for us to provide our services, functions or activities or otherwise as required or authorised under Australian law or for the establishment, exercise or defence of a legal claim.
The types of Personal Information we collect and store may include the following:
- your name;
- current address;
- telephone number;
- email addresses;
- other forms of identification, e.g. driver's licence, passport;
- your member login details to The Perth Mint website, i.e. login credentials;
- purchase records;
- correspondence; and
- other information you may provide.
If we are unable to collect Personal Information we reasonably require, we may not be able to provide you with our products or services.
We collect Personal Information directly from you in a number of ways, including, but not limited to, by email, over the telephone, through written correspondence, in person (i.e. when buying at The Perth Mint shop), on-line by use of tracking software, through our website (i.e. subscriptions to our newsletter, member login and registration, and online purchase) and product and service offerings.
If we receive personal information about you that we did not ask for, from someone other than you, and we determine that we could have collected this information from you had we asked for it, we will notify you, as soon as practicable, that we have collected your personal information. If we could not have collected this personal information, we will lawfully de-identify or destroy that personal information.
We will not collect any sensitive information from you revealing your race, ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships or details of health or disability. Exceptions to this include:
- where you have given express consent for us to do so and the information is reasonably necessary for us to provide our services to you or otherwise carry out our functions or activities
- the use of this information is required or authorised under Australian law or a court or tribunal order; or
- when the information is necessary for the establishment, exercise or defence of a legal claim.
We will not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of our functions or activities. If we are unable to collect personal information we reasonably require, we may not be able to do business with you or the organisation with which you are connected.
Storage and Security
We hold Personal Information in several ways, including in electronic databases, email contact lists, and in paper files held in secured drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities. Our policy is to take reasonable steps to:
- make sure that the Personal Information that we collect, use and disclose is accurate, up to date and complete and (in the case of use and disclosure) relevant; and
- protect the information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure.
The steps we take to secure the Personal Information we hold include technical security (such as encryption, firewalls, anti-virus software, login and password protection), secure office access, personnel security, and training and workplace policies.
Personal information about an individual held by us can only be transferred to someone in a foreign country in certain circumstances including, if there is a similarly stringent privacy protection regime binding that foreign country or if the individual consents to the transfer, or if it is in the individual’s interest.
If you reasonably believe that there has been unauthorised use or disclosure of your Personal Information, please contact our Privacy Officer.
If we no longer need your Personal Information, and unless required to be retained by law, we will take reasonable steps to destroy or de-identify your Personal Information.
Notwithstanding the reasonable steps we will take to secure your Personal Information, breaches may occur. We have established procedures in place to investigate whether a data breach has occurred and if notification or other action is required under Privacy Law requirements.
Websites, Applications and Cookies
Personal Information provided to our Online Shop is encrypted using Transport Layer Security (TLS), a widely used encryption protocol that protects data as it travels over the Internet. Credit card transactions are processed using the secure EFTPOS network. Our policy is to ensure that all transactions processed by us meet industry security standards so that payment details are protected.
Like many companies, we use 'cookie' technology on our website. 'Cookies' are small text files stored on your computer that websites can use to improve the customer experience, for example by: recognising repeat users, storing registration data, and keeping and facilitating the user's online preferences and use of the websites. Most browsers are set to accept cookies. If you prefer not to receive them, you can adjust your browser to reject cookies, or to notify you when they are being used. Rejecting cookies can, however, limit the functionality of our websites (such as preventing members from logging on and making purchases).
Visitors to our website can request to join a mailing list by completing a form on this site. We maintain this list of Perth Mint Priority Members to inform them of new information on our websites. We do not sell, rent, lease, loan, trade or otherwise divulge the addresses on our lists to third parties or any unauthorised personnel. We comply with the Spam Act 2003 and best practice guidelines in relation to the contents of our commercial electronic messages.
If you are concerned about sending your information over the internet, you can contact us directly by the telephone or postal address below.
Use and Disclosure of Information
The Personal Information we collect is used for purposes including processing your requests and transactions, providing you with high quality service, telling you about products we think will be of interest to you, customising your experience on our site, and understanding your needs so that we may provide you with the most suitable products. We may send this information via post, telephone or any form of electronic communication. We may also use any email address or other Personal Information you provide to us for this purpose.
To help us carry out these activities and functions, on occasion, we may disclose Personal Information to other persons including:
- organisations that we engage to conduct research or analyse data;
- our professional advisors (i.e. auditors and lawyers); and
- government and regulatory authorities (as required or authorised by law).
At any time, you can opt out of receiving marketing material by contacting our Privacy Officer. You agree and acknowledge that if you opt out of receiving marketing material, we will still send you essential information that we are legally required to send you relating to the services we provide. You agree and acknowledge also that removal from our distribution lists may take several business days after the date of your request to be removed.
We take reasonable steps to ensure that any third parties we use are bound by privacy obligations in relation to your Personal and Sensitive Information. In the event of a security incident involving unauthorised access, use or disclosure of Personal Information involving a third party with whom we have shared Personal Information, we will work cooperatively with them to protect the Personal Information that we have shared with them.
Access, Accuracy & Correction - Information
You have the right to request access to your Personal Information that we hold. You also have the right to request its correction if it is inaccurate, incomplete or out of date and we will take reasonable steps to give access to the information in the manner requested and correct it within a reasonable period of time and no longer than 30 days from receipt of your request, subject to any exemptions allowed under the Privacy Law. In these circumstances please contact our Privacy Officer.
Anonymity and Pseudonymity
You have the option to either not identify yourself or to use a pseudonym when you contact us, unless it is impracticable for us to communicate with you in that manner, including based on internal system requirements, or unless we are required or authorised under a law, tribunal or court order, to deal with individuals who have identified themselves.
Adoption, Use or Disclosure of Government-related Identifiers
Gold Corporation does not adopt, use or disclose a government related identifier related to an individual except:
- Where required by Australian law or other legal requirements;
- Where reasonably necessary to verify the identity of the individual; or
- Where reasonably necessary to fulfil obligations to an agency or a State or Territory authority.
Quality of personal information
Gold Corporation takes reasonable steps to ensure that the Personal Information it collects is accurate, up-to-date and complete. Quality measures in place supporting these requirements include:
- Internal practices, procedures and systems to audit, monitor, identify and correct poor-quality or inaccurate personal information;
- Systems and procedures that ensure personal information is collected and recorded in a consistent format, from a primary information source, where possible;
- Ensuring that new personal information is promptly added to the relevant existing records;
- Reminding individuals to update their personal information at critical service delivery points, such as when engaging with the individual; and
- Contacting individuals to verify the quality of personal information where appropriate, including when it is about to be used or disclosed, particularly if there has been a lengthy period since collection.
We may enter into arrangements with other related entities or third parties outside of Australia to store, access or use personal information in order to provide services to us (including, but not limited to, data processing and analysis). In these circumstances, we will undertake reasonable steps to ensure that the third parties do not breach the APPs, including by requiring that the third party has information security measures and information handling practices in place that are of an acceptable standard to those in Australia and approved by us.
Notifiable Data Breaches
Gold Corporation subscribes to and has implemented clear procedures for the management and notification of data breaches in order to comply with the Privacy Amendment (Notifiable Data Breaches) Act 2017 (an amendment to the Privacy Act) effective 22 February 2018 (as further described in the Annexure).
Your Consent & Variation
Contact Us & Complaints
Please contact us if you have any queries about the Personal Information that we hold about you or the way we handle that Personal Information.
You can complain to us about how we have collected or handled your Personal Information. We will investigate your complaint and we endeavour to respond within 30 days of receiving your complaint or within timeframes designated by Privacy Law.
Our contact details are below:
The Perth Mint
Attention: Privacy Officer
Reply Paid 6297
PO Box 6297
East Perth WA 6892
P: +61 (08) 9421 7222, Monday to Friday, 8.30am - 4.00pm (AWST)
F: +61 (08) 9221 2258
If you contact us and are not satisfied with our response you may refer your complaint to the Office of the Australian Information Commissioner (www.oaic.gov.au):
Office of the Australian Information Commissioner GPO Box 5218, Sydney NSW 2001 or by sending an email to firstname.lastname@example.org
Australian Privacy Principles means the principles under the Privacy Act 1988 by which relevant entities, including Gold Corporation, must use, handle and manage Personal Information.
Personal Information means any information or an opinion about you from which you can be identified or reasonably identified:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Notifiable Data Breach (refer Annexure) means a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. It occurs when personal information held by Gold Corporation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
Sensitive Information includes, but is not limited to, information or an opinion about your racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, membership of a trade union, sexual preferences, criminal record, health information or genetic information.
NOTIFIABLE DATA BREACH SCHEME
The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches scheme (“NDB scheme”). The NDB scheme applies to us and we have an ongoing obligation to take reasonable steps to handle personal information in accordance with the Australian Privacy Principles. This includes protecting personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure.
The Office of the Australian Information Commissioner (OAIC) is the key regulator responsible for the functions conferred by the Privacy Act. The OAIC has issued a summary fact sheet outlining the application of the NDB scheme, and it is replicated at the end of this Annexure. The headings used therein are adopted herein and some content has been replicated to explain the application of the NDB scheme to us.
The NDB scheme imposes mandatory reporting requirements on us when collecting Personal Information, including such things as identity details, residency, financial and transaction information, credit reports, credit eligibility or TFNs. The fundamental purpose of the NDB scheme is to allow customers to undertake corrective procedures in circumstances when their Personal Information has been compromised.
SUSPECTED OR KNOWN DATA BREACH
A data breach is unauthorised access to or unauthorised disclosure of Personal Information, or loss of Personal Information, that an entity holds. Gold Corporation employees are required to immediately notify the Privacy Officer of a suspected or known data breach.
Gold Corporation is required to, and will, first contain a suspected or known data breach and take immediate steps to limit any further access to or distribution of the affected personal information, or any other possible compromise of other information.
We will next undertake an assessment of the data breach. The NDB scheme is intended to capture “eligible” data breaches. Gold Corporation will create a procedure to conduct an assessment and will follow OAIC’s suggested three-stage process, namely Initiate, Investigate and Evaluate to identify an eligible data breach. The Privacy Officer will lead and take responsibility for this assessment and in doing so will apply the criteria below:
An “eligible data breach” is deemed to have occurred if either:
- there is unauthorised access to, or disclosure of, the relevant information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the relevant information is lost in circumstances where unauthorised access to or unauthorised disclosure of that information might occur, and if it did, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates.
The Privacy Officer, in undertaking this assessment, should also consider remedial action. The assessment should be expeditious, generally completed within 30 days, and should be documented.
Where serious harm is likely, Gold Corporation must prepare a statement for the OAIC Commissioner that contains:
- Gold Corporation's identity and contact details;
- A description of the breach;
- The kind/s of information concerned;
- How Gold Corporation will respond to the breach; and
- Recommended steps for individuals.
Gold Corporation must also notify affected individuals and inform them of the content of the statement.
There are three options for notifying:
- 1. Notify all individuals;
- 2. Notify only those individuals at risk of serious harm;
If neither of these options is practicable, then:
- 3. Gold Corporation can provide further information in its notification, such as an apology and an explanation of what it is doing about the breach.
Notification exceptions can apply to the mandatory reporting obligations. The most notable exception is where Gold Corporation has taken the necessary remedial actions upon discovering a data breach before serious harm has occurred. In this instance, Gold Corporation is not required to report the breach to the OAIC or to affected individuals.
Gold Corporation will implement a review process after or during the relevant assessment by the Privacy Officer. The Privacy Officer will take the lead in the process and review the incident and take action to prevent future breaches. These preventative actions may include:
- Investigate and understand the cause of the breach;
- Develop a prevention plan;
- Conduct audits to ensure the prevention plan is implemented and being adhered to; and
- Update relevant policies and procedures and practices, including frequency and nature of staff training. Gold Corporation will also consider whether to report the incident to other relevant bodies.