Privacy Policy

Introduction

Gold Corporation (trading as The Perth Mint ABN 98 838 298 431) (us, we, our) is committed to protecting the privacy of your (you, your) Personal Information. This Privacy Policy has been developed in accordance with the Commonwealth Privacy Act 1988 (Privacy Act), including the Australian Privacy Principles, and the Privacy Amendment (Notification of Data Breaches) Act 2017. Together, we refer to applicable pieces of legislation as “Privacy Law”.

This Privacy Policy applies to how we collect, hold, use and disclose Personal Information and provides information on how we deal with your Personal Information as customers, visitors to our website and in relation to the use of our products or services. The application of this Privacy Policy is conditional on your acceptance of the terms of this Privacy Policy.

We will comply with this Privacy Policy in respect of information provided to us by persons under the age of 18 years. Those persons must obtain the consent of a parent or guardian prior to using our website, and the parent or guardian will be responsible for appropriately supervising the person’s use of our website.

Scope

This Privacy Policy applies to all Gold Corporation employees, independent contractors, Board members, peers and agents. It also applies to third party suppliers and contractors who provide services to Gold Corporation.

Collecting Personal Information

We collect Personal Information to provide products to our customers and to maintain and grow our customer base. Sensitive Information may be collected where you have given express consent for us to do so and the information is reasonably necessary for us to provide our services, functions or activities or otherwise as required or authorised under Australian law or for the establishment, exercise or defence of a legal claim.

The types of Personal Information we collect and store may include the following:

  • your name;
  • current address;
  • telephone number;
  • email addresses;
  • other forms of identification, i.e. driver's license, passport;
  • your member login details to The Perth Mint website, i.e. log in credentials;
  • purchase records;
  • correspondence; and
  • other information you may provide.

If we are unable to collect Personal Information we reasonably require, we may not be able to provide you with our products or services.

This Privacy Policy does not apply to the handling of information with respect to recruitment and employees. For this information please refer to the Privacy Statement – Recruitment & Selection.

We collect Personal Information directly from you in a number of ways, including, but not limited to, by email, over the telephone, through written correspondence, in person (i.e. when buying at The Perth Mint shop), on-line by use of tracking software, through our website (i.e. subscriptions to our newsletter, member login and registration, and online purchase) and product and service offerings.

Storage and Security

We hold Personal Information in several ways, including in electronic databases, email contact lists, and in paper files held in secured drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities. Our policy is to take responsible steps to:

  • make sure that the Personal Information that we collect, use and disclose is accurate, up to date and complete (and in the case of use and disclosure) relevant; and
  • protect the information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure.

The steps we take to secure the Personal Information we hold include security (such as encryption, firewalls, anti-virus software, login and password protection), secure office access, personnel security, and training and workplace policies.

Personal information about an individual held by us can only be transferred to someone in a foreign country in certain circumstances, including if there is a similarly stringent privacy protection regime binding that foreign country, if the individual consents to the transfer, or if it is in the individual’s interest.

If you reasonably believe that there has been unauthorised use or disclosure of your Personal Information, please contact our Privacy Officer.

If we no longer need your Personal Information, and unless required to be retained by law, we will take reasonable steps to destroy or de-identify your Personal Information.

Notwithstanding the reasonable steps we will take to secure your Personal Information, breaches may occur. We have established procedures in place to investigate whether a data breach has occurred and if notification or other action is required under Privacy Law requirements.

Websites, Applications, IP addresses and Cookies

Personal Information provided to our Online Shop is encoded using Transport Layer Security technology, a powerful encryption protocol that protects data as it travels over the Internet. Credit card transactions are processed using the secure EFTPOS network. Our policy is to ensure that all transactions processed by us meet industry security standards to ensure payment details are protected.

Like many companies, we use 'cookie' technology on our website. 'Cookies' are small text files stored on your computer that websites can use to improve the customer experience, for example by: recognising repeat users, storing registration data, and keeping and facilitating the user's online preferences and use of the websites. Most browsers are set to accept cookies. If you prefer not to receive them, you can adjust your browser to reject cookies, or to notify you when they are being used. Rejecting cookies can, however, limit the functionality of our websites (such as preventing members from logging on and making purchases).

Our websites contain links to other webpages. We are not responsible for the privacy policy and contents of such webpages nor their policies regarding the collection, storage, use and disclosure of your Personal Information. We recommend you refer to the relevant webpages and encourage you to always read the applicable privacy statement or policy of the linked site.

Visitors to our website can request to join a mailing list by completing a form on this site. We maintain this list of Perth Mint Priority Members to inform them of new information on our websites. We do not sell, rent, lease, loan, trade or otherwise divulge the addresses on our lists to third parties or any unauthorised personnel. We comply with the Spam Act 2003 and best practice guidelines in relation to the contents of our commercial electronic messages.

If you are concerned about sending your information over the internet, you can contact us directly by the telephone or postal address below.

Use and Disclosure of Information

We collect Personal Information for purposes including processing your requests and transactions, providing you with high quality service, telling you about products we think will be of interest to you, customising your experience on our site, and understanding your needs so that we may provide you with the most suitable products. We may send this information via post, telephone or any form of electronic communication. We may also use any email address or other Personal Information you provide to us for this purpose.

To help us carry out these activities and functions, on occasion, we may disclose Personal Information to other persons including:

  • organisations that we engage to conduct research or analyse data;
  • our professional advisors (i.e. auditors and lawyers); and
  • government and regulatory authorities (as required or authorised by law).

At any time, you can opt out of receiving marketing material by contacting our Privacy Officer. You agree and acknowledge that if you opt out of receiving marketing material, we will still send you essential information that we are legally required to send you relating to the services we provide. You agree and acknowledge also that removal from our distribution lists may take several business days after the date of your request to be removed.

We take reasonable steps to ensure that any third parties we use are bound by privacy obligations in relation to your Personal and Sensitive Information. In the event of a security incident involving unauthorised access, use or disclosure of Personal Information involving a third party with whom we have shared Personal Information, we will work cooperatively with them to protect the Personal Information that we have shared with them.

Access, Accuracy & Correction - Information

You have the right to request access to your Personal Information that we hold. You also have the right to request its correction if it is inaccurate, incomplete or out of date and we will take reasonable steps to give access to the information in the manner requested and correct it within a reasonable period of time and no longer than 30 days from receipt of your request, subject to any exemptions allowed under the Privacy Law. In these circumstances please contact our Privacy Officer.

Notifiable Data Breaches

Gold Corporation subscribes to and has implemented clear procedures for the management and notification of data breaches in order to comply with the Privacy Amendment (Notifiable Data Breaches) Act 2017 (an amendment to the Privacy Act) effective 22 February 2018 (as further described in the Annexure).

Your Consent & Variation

By use of our website or where express consent is obtained in relation to our products and services, you consent to the collection, storage, use and disclosure of your Personal Information in accordance with this Privacy Policy and as otherwise permitted under Privacy Law.

We may at any time vary the terms of this Privacy Policy to reflect changes, including to privacy legislation, technological changes, company policy and customer feedback. You should check this Privacy Policy regularly so that you are aware of any variations made. You will be deemed to have consented to such variations by your continued use of our website or other products and services that are subject to this Privacy Policy following such changes being made.

Contact Us & Complaints

Please contact us if you have any queries about the Personal Information that we hold about you or the way we handle that Personal Information.

You can complain to us about how we have collected or handled your Personal Information. We will investigate your complaint and we endeavour to respond within 30 days of receiving your complaint or within timeframes designated by Privacy Law.

Our contact details are below:
The Perth Mint
Attention: Privacy Officer
Reply Paid 6297
PO Box 6297
East Perth WA 6892
Australia
E: privacyofficer@perthmint.com
P: +61 (08) 9421 7222, Monday to Friday, 8.30am - 4.00pm (AWST)
F: +61 (08) 9221 2258
Website: www.perthmint.com

If you contact us and are not satisfied with our response you may refer your complaint to the Office of the Australian Information Commissioner (www.oaic.gov.au):
Office of the Australian Information Commissioner
GPO Box 5218,
Sydney NSW 2001 or by sending an email to enquiries@oaic.gov.au.

The Perth Mint Privacy Policy - last updated April 2020.

Definitions

Australian Privacy Principles means the principles under the Privacy Act 1988 by which relevant entities, including Gold Corporation, must use, handle and manage Personal Information.

Personal Information means any information or an opinion about you for which you can be identified or reasonably identified:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

Notifiable Data Breach (refer Annexure) means a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. It occurs when personal information held by Gold Corporation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.

Sensitive Information includes, but is not limited to, information or an opinion about your racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, membership of a trade union, sexual preferences, criminal record, health information or genetic information.

Annexure:

NOTIFIABLE DATA BREACH SCHEME

The Privacy Amendment (Notification of Data Breaches) Act 2017 (“NDB scheme”) applies to us, and we have an ongoing obligation to take reasonable steps to handle personal information in accordance with Australian Privacy Principles. This includes protecting personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure.

The Office of the Australian Information Commissioner (OAIC) is the key regulator responsible for functions that are conferred by the Privacy Act. OAIC has issued a summary fact sheet outlining the application of the NDB scheme and it is replicated at the end of this Annexure. Headings used therein are adopted herein and some content has been replicated to explain the application of the NDB scheme to us.

The NDB scheme imposes mandatory reporting requirements on us when collecting Personal Information, including such things as identity details, residency, financial and transaction information, credit reports, credit eligibility or TFNs. The fundamental purpose of the NDB scheme is to allow customers to undertake corrective procedures in circumstances when their Personal Information has been compromised.

SUSPECTED OR KNOWN DATA BREACH

A data breach is unauthorised access to or unauthorised disclosure of personal information, or loss of Personal Information, that an entity holds. Gold Corporation employees are required to immediately notify the Privacy Officer in relation to a suspected or known data breach.

CONTAIN

Gold Corporation is required, and will undertake, to first contain a suspected or known data breach and to take immediate steps to limit any further access or distribution of the affected personal information, or other possible compromise of other information.

ASSESS

We will next undertake an assessment of the data breach. The NDB scheme is intended to capture “eligible” data breaches. Gold Corporation will create a procedure to conduct an assessment and will follow OAIC’s suggested three-stage process, namely Initiate, Investigate and Evaluate to identify an eligible data breach. The Privacy Officer will lead and take responsibility for this assessment and in doing so will apply the criteria below:

An “eligible data breach” is deemed to have occurred if either:

  • there is unauthorised access to, or disclosure of, the relevant information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
  • the relevant information is lost in circumstances where unauthorised access to or unauthorised disclosure of that information might occur, and if it did, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates.

The Privacy Officer, in undertaking this assessment, should also consider remedial action. The assessment should be expeditious and, generally, within 30 days and should be documented.

NOTIFY

Where serious harm is likely, Gold Corporation must prepare a statement for the OAIC Commissioner that contains:

  • Gold Corporation identity and contact details;
  • A description of the breach;
  • The kind/s of information concerned;
  • How Gold Corporation will respond to the breach; and
  • Recommended steps for individuals.

Gold Corporation must also notify affected individuals and inform them of the content of the statement.

There are three options for notifying:

  1. Notify all individuals;
  2. Notify only those individuals at risk of serious harm;
  3. If neither of these options is practicable, then:

Gold Corporation can provide further information in its notification, such as an apology and an explanation of what it is doing about the breach.

Notification exceptions can apply to the mandatory reporting obligations. The most notable exception is if Gold Corporation has taken necessary remedial actions upon discovering a data breach before serious harm has occurred. In this instance, Gold Corporation is not required to report the breach to the OAIC or to affected individuals.

REVIEW

Gold Corporation will implement a review process after or during the relevant assessment by the Privacy Officer. The Privacy Officer will take the lead in the process and review the incident and take action to prevent future breaches. These preventative actions may include:

  • Investigate and understand the cause of the breach;
  • Develop a prevention plan;
  • Conduct audits to ensure the prevention plan is implemented and being adhered to; and
  • Update relevant policies and procedures and practices, including frequency and nature of staff training.

Gold Corporation will also consider whether to report the incident to other relevant bodies.