Approval to vary the Queensland Club Industry Privacy Code: Section 18BD of the Privacy Act 1988 (Cth)

I, Karen Curtis, Privacy Commissioner, pursuant to section 18BD(2) of the Privacy Act 1988, approve the variation to the Queensland Club Industry Privacy Code which is Schedule 1 of this instrument.

This approval shall take effect on 1 May 2009.

[signed]

Karen Curtis

Australian Privacy Commissioner  

22 April 2009

SCHEDULE 1

55 Holland Street, Northgate, QLD 4013 
PO Box 93, Northgate, QLD 4013
Tel: (07) 3252 0770 Fax: (07) 3252 0971
Queensland Club Industry

PRIVACY CODE

© Clubs Queensland 2001

Contents

  1. Recitals

  2. Legislative Requirements

  3. Definitions

  4. Goals

  5. Privacy Principles

    5.1  Collection of Personal Information

    5.2  Use and Disclosure of Personal Information

    5.3  Access, Correction and Openness of Personal Information

    5.4  Security of Personal Information

    5.5  Transborder Flow of Personal Information

  6. Application of the Approved Privacy Code

  7. Breach of the Approved Privacy Code

  8. Internal Complaint Resolution Procedures

  9. Staff Training

  10. Acceptance of and Release from the Approved Privacy Code

  11. Implementation of the Approved Privacy Code

  12. Administration of the Approved Privacy Code

  13. Review of the Approved Privacy Code

Schedule

  1. Approval of the Original Privacy Code

  2. Approval of the Privacy Code (Upon Review)

  3. Dictionary

  4. Privacy Notice

  5. In-House Privacy Policy

  6. Register of Complaints and Actions

  7. Register of Training

  8. Acceptance of the Privacy Code Form

  9. Release from Privacy Code Form

  1. Recitals

1.1 The Queensland Club Industry Privacy Code ("Approved Privacy Code (APC)") has been developed by Clubs Queensland, in consultation with relevant stakeholders, to enable and facilitate member clubs to comply with the provisions of the Privacy Act 1988 (Cth).

1.2 The APC replaces the National Privacy Principles (NPPs) with equivalent industry-specific privacy obligations regarding the collection, use, storage and disclosure of personal information of club members or patrons. It also provides procedures that member clubs must follow when collecting, using, storing and disclosing such information.

1.3 Member clubs understand that the APC is voluntary and they may or may not choose to be bound by it. If they choose to be bound by the APC, they will comply with the APC in lieu of the NPPs. If they choose not to be bound by the APC, they will be, by default, bound by the NPPs, unless they are exempt from the operation of the Privacy Act.

1.4 Member clubs also understand that they can seek to be released from being bound by the APC at any time after they accept it. To avoid any doubt, a member club will be released from complying with the APC upon the receipt by the Privacy Code Administrator of a completed and executed ‘Release from the Queensland Club Industry Privacy Code’ form.

1.5 A member club that is bound by the APC will automatically cease to be bound by the APC if the member club ceases to be a financial member of Clubs Queensland. In this event, the NPPs will apply by default, unless the member club is exempt from the operation of the Privacy Act.

1.6 Clubs Queensland is the Privacy Code Administrator of the APC and it will maintain an up-to-date and publicly available register of member clubs bound by the APC, as well as meet other obligations pertaining to effective administration of the APC.

1.7 The original Privacy Code was approved by the Privacy Commissioner on 7 August 2002 and took effect on 23 August 2002 (SCHEDULE 1). As required by the Privacy Act, Clubs Queensland reviewed the original Privacy Code, in consultation with relevant stakeholders, in 2005. All comments were considered and, where appropriate, were incorporated in this version of the Privacy Code, which received approval on 22 April 2009 and took effect on 1 May 2009 (SCHEDULE 2).

1.8 The Privacy Commissioner may, at any stage, revoke the APC on his or her own initiative or on application by a member club that is bound by the APC. If the APC is revoked, it will cease to have effect or operation from the date of revocation. It is the responsibility of Clubs Queensland, as the Privacy Code Administrator, to advise member clubs, the public and other interested parties of the revocation.

1.9 The APC is subject to the following limitations, exclusions and conditions:

1.9.1 Amendments to the NPPs or related provisions of the Privacy Act which have a direct bearing on this APC and are enacted after the coming into effect of the APC will be treated as if they are included in this APC.

1.9.2 The APC does not cover acts or practices of employer organisations which are directly related to a current or former employment relationship between the employer and an individual, and are also directly related to an employee record held by the organisation relating to that individual. Such acts and practices are exempt from the NPPs.

1.9.3 The APC does not cover any acts or practices exempted by sections 7B(1), (2), (4), (5) and 7C of the Privacy Act. The acts and practices which are exempted by these sub-sections are:

(a) individuals acting in a non-business capacity;

(b) organisations acting under Commonwealth contract;

(c) organisations acting in the course of journalism;

(d) organisations acting under a State or Territory contract; and

(e) political acts and practices.

1.9.4 None of the Privacy Principles in the APC are intended to derogate from Part VIA of the Privacy Act, which permits the collection, use and disclosure of personal information when an emergency declaration is in force in relation to emergencies and disasters in Australia or overseas.

1.9.5 The APC does not have its own complaints handling mechanism and all complaints are to be handled as set out in the Privacy Act. However, in most instances the Privacy Commissioner considers it appropriate for the complainant to deal initially with the relevant member club. In this regard, the APC outlines complaint facilitation procedures that member clubs are encouraged to follow to ensure a consistent, fair, visible, accessible, responsive and accountable approach to privacy complaint resolution. In all instances where a member or patron has made a complaint in respect of their privacy to a member club, that member club must use reasonable endeavours to ensure that it maintains principles of procedural fairness and upholds obligations of confidentiality as required under the Privacy Act.

  2. Legislative Requirement

2.1 The reference document for the APC is the Privacy Act.

2.2 The Privacy Act defines privacy code to mean a written code regulating acts and practices that affect privacy, which must be approved by the Privacy Commissioner, hence "approved privacy code" (APC). The APC functions in lieu of the NPPs which are contained in the Privacy Act.

2.3 The Privacy Act requires the following organisations to comply with the NPPs or an APC:

2.3.1 businesses, including not-for-profit organisations such as charitable organisations, sports clubs and unions, with a turnover of more than $3 million;

2.3.2 Australian government contractors;

2.3.3 health service providers that hold health information (even if their turnover is less than $3 million);

2.3.4 organisations that carry on a business that collects or discloses personal information for a benefit, service, or advantage (even if their turnover is less than $3 million);

2.3.5 small businesses with a turnover of less than $3 million that choose to opt-in;

2.3.6 incorporated State Government business enterprises; and

2.3.7 any organisation that the regulations say is covered.

2.4 The Privacy Act defines annual turnover as follows: The annual turnover of a business for a financial year is the total of the following that is earned in the year in the course of the business:

2.4.1 the proceeds of sales of goods or services;

2.4.2 commission income;

2.4.3 repair and service income;

2.4.4 rent, leasing and hiring income;

2.4.5 government bounties and subsidies;

2.4.6 interest, royalties and dividends;

2.4.7 other operating income.

2.5 The Privacy Act requires applicable organisations to comply with the NPPs, as minimum privacy standards. The NPPs operate as default principles, unless replaced by a privacy code approved by the Privacy Commissioner. The privacy code must be drafted in accordance with the Privacy Act, the prescribed standards and other guidelines issued by the Privacy Commissioner. The privacy code must demonstrate having obligations at least the overall equivalent of all the obligations set out in the NPPs.

2.6 Organisations that join the privacy code, once it has been approved by the Privacy Commissioner, must comply with the privacy principles as set out in the APC rather than the NPPs as set out in the Privacy Act. The APC will have official status and the obligations under the APC will be binding on them and enforceable by law.

2.7 The Privacy Act defines enforcement bodies to include both federal and state agencies such as the Australian Federal Police (AFP), Australian Crime Commission (ACC), Australian Securities and Investments Commission (ASIC), Queensland State Police (QSP) and the Criminal Justice Commission of Queensland (CJCQ).

  3. Definitions

SCHEDULE 3 provides definitions of some terms used in the APC. In the event of an inconsistency, the definitions provided in the Privacy Act, as amended from time to time, take precedence over the definitions used in the APC.

  4. Goals

4.1 The goals of the APC are to set industry-wide privacy standards by:

4.1.1 ensuring proactive compliance with the Privacy Act, including meeting or exceeding the standards stipulated by the NPPs;

4.1.2 creating a culture of confidence and security in the services provided by member clubs that involve collection, use, storage and disclosure of personal information;

4.1.3 demonstrating commitment to best practices regarding secure, proper and consistent handling of member’s or patron’s information; and

4.1.4 establishing industry-specific procedures and guidelines to facilitate privacy complaints in instances where a member or patron may be required by the Privacy Commissioner to first contact the relevant member club before lodging a complaint with the Privacy Commissioner.

4.2 It is hoped that the industry-specific approach to privacy through the APC will make member clubs not just passive recipients of the Privacy Act but strengthen their capacity to handle privacy issues through an ownership and commitment to the APC, including in some cases going beyond the legislation to additional best practice measures.

  5. Privacy Principles

5.1 Collection of Personal Information

5.1.1 The member club will only collect (or otherwise gather, acquire or obtain) personal information from members or patrons that is necessary for it to meet or fulfil its activities or functions. If personal information is not provided by members or patrons, the member club may, in some instances, be unable to provide the activities or services requested by members or patrons.

5.1.2 The member club will use its best endeavours to ensure that the personal information is collected directly from the relevant members or patrons. If the member club decides to collect information about a member or patron from a third party, it will take reasonable steps to inform the member or patron (about whom the information is collected) of the matters listed in 5.1.5, except to the extent that making the member or patron aware of the matters would pose a serious threat to the life or health of any individual.

5.1.3 The member club will take reasonable steps to ensure that the personal information it collects is accurate, complete and up-to-date.

5.1.4 The member club will use lawful and fair means which are not unreasonably intrusive when collecting personal information.

5.1.5 The member club will provide the following details to members or patrons from whom the information is collected, prior to, or when, the personal information is collected or as soon as practicable after it is collected:

(a) the proper trading name and contact details of the member club; and

(b) the purpose or reason why the personal information is being collected by the member club, including any legislative requirements for the information to be collected; and

(c) details of those individuals or organisations likely to receive the personal information; and

(d) the way the member or patron giving the personal information can access, update and amend their personal information held by the member club; and

(e) the major consequences that may result if the member or patron does not provide the personal information requested by the member club; and

(f) the way the member or patron can notify or communicate to the member club if they do not wish to receive direct marketing communication.

5.1.6 The member club will include a statement setting out the details referred to in 5.1.5 as part of all new membership application forms. In line with the constitutional requirements of some member clubs, this statement may also include a statement that a potential member’s personal information will be publicly displayed at the club prior to consideration of a potential member’s application.

5.1.7 The member club will take special precautions regarding collection of sensitive information and will not collect sensitive information, unless the relevant member or patron has consented, or the information is required by law, or is necessary under special circumstances. The member club will collect sensitive information directly from the relevant member or patron and will permanently de-identify or destroy sensitive information once it is no longer required by the member club.

5.1.8 The member club will give an option to members or patrons to interact anonymously with the member club, where lawful and practicable, such as making the name and address of respondents optional in direct marketing surveys undertaken by the member club.

5.1.9 The member club will not adopt, use or disclose any identifiers that have been assigned by an Australian Government agency, such as Medicare or tax file number. The ABN of the member club is not an identifier under this Privacy Code.

5.1.10 The member club must not use or disclose an identifier assigned to an individual by an agency, or by an agent of an agency or a contracted service provider for a Commonwealth contract (acting in its capacity as contracted service provider for that contract) unless the use or disclosure is necessary for the member club to fulfil its obligations to the agency, or if one or more of the conditions in 5.2.6 (c)-(g) apply to the use or disclosure.

5.2 Use and Disclosure of Personal Information

5.2.1 The member club will generally hold personal information about a member or patron, such as name, street, telephone number(s), date of birth, email address, occupation, or any other information provided through the membership application form, customer surveys, direct marketing communications or otherwise and will ensure that all information it uses or discloses is accurate, complete and up-to-date.

5.2.2 If requested by the member or patron, the member club will notify relevant third parties to inform them that they have received inaccurate, incomplete or not up-to-date information about the member or patron.

5.2.3 The member club will keep a written record of all uses and disclosures of personal information of a member or patron.

5.2.4 The member club will not disclose personal information about a member or patron to any person, member club or organisation except in accordance with the APC.

5.2.5 The member club will, subject to clauses 5.2.6 and 5.2.7, only use or disclose the personal information for the primary purpose for which the information is collected. There can only be one primary purpose for a particular collection.

5.2.6 The member club will not use or disclose the personal information for a secondary purpose unless:

(a) the secondary purpose is directly related to the primary purpose of collection and the member or patron would reasonably expect the member club to use or disclose the personal information for the secondary purpose; or

(b) the member or patron has consented to the use or disclosure of the personal information; or

(c) the member club reasonably believes that the use or disclosure of the personal information is necessary to lessen or prevent:

(i) a serious and imminent threat to an individual’s life, health or safety; or

(ii) a serious threat to public health or public safety; or

(d) if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:

(i) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA of the Privacy Act for the purposes of this subparagraph; and

(iii)   in the case of disclosure—the recipient of the genetic information is a genetic relative of the individual; or

(e) the member club has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(f) the use or disclosure is required or authorised by or under law; or

(g) the member club reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a prescribed law;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of orders of a court or tribunal.

5.2.7 The member club will use personal information (other than sensitive information) for direct marketing as follows:

(a) The member club will use personal information for its direct marketing if:

(i) it is impracticable for the member club to seek the member’s or patron’s consent before that particular use; and

(ii) the member or patron has not made a request to the member club to not receive the direct marketing communication; and

(iii) each direct marketing communication provides an option for the member or patron to not receive any further direct marketing communication and the member club does not charge the member or patron for giving effect to this request; and

(iv) contact details of the member club (including electronic contact details) are included in the direct marketing communication.

(b) A member or patron may at any time request the member club not to use the member’s or patron’s personal information for direct marketing. If such a request is made, the member club must comply with the request as soon as practicable.

(c) The member club will retain and maintain accurate records in respect of any requests made by members or patrons to cease sending any direct marketing material.

5.2.8 The member club will adhere to the use and disclosure requirements under the APC when using or disclosing information collected from a related body corporate or when disclosing information to a related body corporate.

5.3 Access, Correction and Openness of Personal Information

5.3.1 The member club will give access to personal information should the member or patron to whom the information relates request the information in writing. The member club will endeavour to provide this access within 14 days. This access entitlement will be granted, provided that:

(a) access, in the case of personal information other than health information, does not pose a serious and imminent threat to the life or health of any individual; or

(b) access, in the case of health information, does not pose a serious threat to the life or health of any individual;

(c) access does not unreasonably impact upon the privacy of other individuals; or

(d) the request for access is not frivolous or vexatious; or

(e) the information does not relate to existing or anticipated legal proceedings between the member club and the member or patron and the information would not be accessible by the process of discovery in those proceedings; or

(f) access to the information does not reveal the intention of the member club in relation to negotiations with the member or patron in such a way as to prejudice those negotiations; or

(g) access is not unlawful; or

(h) denial of access of the information is authorised or required by or under law; or

(i) providing access would not prejudice an investigation of possible unlawful activity; or

(j) access does not prejudice the:

(i) prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) enforcement of laws relating to the confiscation of proceeds of crime;

(iii) protection of the public revenue;

(iv) prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders

by or on behalf of an enforcement body; or

(k) an enforcement body performing a lawful security function does not ask the member club not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

5.3.2 If the member club is not required to provide the member or patron with access to the information because of 5.3.1, the member club must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

5.3.3 Where providing access would reveal evaluative information generated within the member club in connection with a commercially sensitive decision-making process, the member club may give the member or patron an explanation for the commercially sensitive decision rather than direct access to the information.

5.3.4 The member club will not charge any fees for lodging a request for access to personal information but may charge a reasonable fee for providing access to personal information.

5.3.5 The member club will update the information as soon as reasonably practicable if informed by a member or patron that the information held by the club about the individual is inaccurate, incomplete or not up-to-date.

5.3.6 The member club will take reasonable steps to associate with the requested information a statement claiming that the information is inaccurate, incomplete or not up-to-date if the member or patron and the member club are unable to agree that the information is accurate, complete and up-to-date and the member or patron requests the club to provide the statement.

5.3.7 The member club will provide a reason for any denial of access or refusal to correct personal information.

5.3.8 The member club will put the notice in SCHEDULE 4 in a prominent location in the member club to inform members or patrons about its information management practices, including the type of information it holds, for what purpose, and how it collects, holds, uses and discloses personal information. A member club will take reasonable steps to inform a person of these information management practices on request.

5.4 Security of Personal Information

5.4.1 The member club will take reasonable steps to safeguard the personal information it collects and holds by locating the personal information in a secure place in the club.

5.4.2 The member club will establish guidelines as to which staff members can access personal information and under what circumstances.

5.4.3 The member club will prevent unauthorised access, modification or disclosure and misuse or loss of personal information by putting in place appropriate measures.

5.4.4 The member club that has internet and email facilities will implement an email/internet policy regarding the transmission of personal information through the internet and by email. The member club will provide regular training and awareness sessions to ensure staff understand their privacy obligations in this regard.

5.4.5 The member club will take reasonable steps to destroy or permanently de-identify any personal information that is no longer needed.

5.4.6 The member club will take reasonable steps to instruct staff members not to discuss among themselves personal, health or other sensitive information of members or patrons unless it is necessary for the staff member to perform their duties in relation to the member or patron.

5.4.7 If a member club discloses personal information to a third party contractor for the purpose of performing a function on behalf of the member club, it will require the contractor, as a condition of the contractor’s engagement, to take reasonable steps to protect that information.

5.5 Transborder Flows of Information

5.5.1 The member club, subject to clause 5.5.2, will only transfer personal information of a member or patron to a recipient in a foreign country if:

(a) the member or patron consents to the transfer; or

(b) where the transfer is for the benefit of the member or patron and it is impracticable to obtain the consent of the member or patron to the transfer and if it were practicable to obtain such consent, the member or patron would be likely to give it; or

(c) the transfer is necessary for the performance of a contract between the member or patron and the organisation, or for the implementation of pre-contractual measures taken in response to the member’s or patron’s request; or

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the member or patron between the organisation and a third party; or

(e) the member club has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the APC.

5.5.2 The member club will not transfer information to a recipient in a foreign country in circumstances where the:

(a) recipient of the information is in a jurisdiction not subject to a law substantially similar to the protection accorded under the NPPs in the Privacy Act; or

(b) the member or patron about whom the information relates has not consented to the transfer of information; or

(c) information may be used in ways which are inconsistent with the privacy principles in the APC.

5.5.3 The member club may, when in doubt, ask for a written assurance from the parties involved that the information will remain secure before transferring the information.

  6. Application of the Approved Privacy Code

SCHEDULE 5 outlines a possible in-house policy that member clubs can use to meet their privacy obligations under the APC. Member clubs should note that the policy is not an exhaustive list but only outlines the most common examples of the application of the APC in the member club.

  7. Breach of the Approved Privacy Code

A member club commits a breach if the member fails to adhere to a provision of the APC.

  8. Internal Complaint Resolution Procedures

8.1 The complaint handling procedures established under the APC and the Privacy Act (and accompanying guidelines) will apply to the resolution of a privacy complaint made by a member or patron against a member club.

8.2 If a complaint is instigated or made by a member or patron whilst the member club is (or was) bound by the APC, the member club will be required to resolve the matter to the extent provided in the APC.

8.3 The APC relies on the Privacy Commissioner to deal with all unresolved privacy complaints. The member club is obliged to comply with any declaration made by the Privacy Commissioner and must not repeat or continue the relevant activity or conduct that was the cause of the complaint. In this regard, member clubs must provide all reasonable co-operation, as requested by the Privacy Commissioner.

8.4 The Privacy Act requires all complaints to be resolved at the local level as far as reasonably possible. As such, the complainant in most instances should complain about the alleged breach to the relevant member club (respondent) in the first instance.

8.5 In the event that a member club receives a privacy complaint, the member club will endeavour to respond to the complainant’s concerns as follows:

8.5.1 The member club will designate a staff member as the point of contact in the club regarding privacy issues.

8.5.2 The designated staff member will liaise with the complainant and identify and define the nature and cause of the complaint (and ask, if necessary, for the complaint to be put in writing).

8.5.3 The designated staff member will then inform the complainant of their rights under the APC and Privacy Act, and the timeframe (within 30 days) in which the club will be able to respond to the complaint. The designated staff member, for instance, will inform the complainant that they may take their complaint directly to the Privacy Commissioner in the event that the complainant is not satisfied with the outcome after the initial approach and discussion with the member club.

8.5.4 The designated staff member will inform the complainant of the response, if any, by the member club, including the basis (legislation, APC, policies) on which the response was framed.

8.5.5 If the outcome of this liaison between the complainant and the member club is not to the satisfaction of the complainant, the designated staff member will advise the complainant that the complaint is escalated and should be handled in accordance with s.36 of the Privacy Act.

8.5.6 The designated staff member will record details of the complaint and action taken in the Register of Complaints and Actions in SCHEDULE 6.

8.6 The member club must ensure that all complaints are dealt with in a reasonably appropriate timeframe so that any decision (if any decision is required to be made) is made expeditiously and in a manner that does not compromise the integrity or quality of any such decision.

9.    Staff Training

9.1 Relevant staff will be provided with appropriate training so that they are aware of the contents, procedures and application of the APC, including referring all privacy complainants to the designated staff member who will be the point of contact for privacy issues in the member club.

9.2 The designated staff member who will be responsible for privacy issues will undergo further training so that he/she is well informed and better positioned to facilitate in instances where the complainant is required to first contact the club (respondent) before approaching the Privacy Commissioner.

9.3 The member club will keep a record of the training in the Register of Training in SCHEDULE 7.

10.    Acceptance of and Release from the Approved Privacy Code

10.1 The APC is voluntary and the member club has a choice to either accept or not accept compliance with it. Where a member club does not accept the APC, the NPPs will apply as default privacy principles unless the member club is exempt from the operation of the Privacy Act.

10.2 If the member club decides to accept the APC, the member club will then indicate its formal acceptance by completing the Acceptance of the Queensland Club Industry Privacy Code form in SCHEDULE 8.

10.3 The member club can complete the Release from the Queensland Club Industry Privacy Code form in SCHEDULE 9 at any time after formally accepting the APC, if the member club decides to opt out of the APC. However, if a complaint is instigated or made by a member or patron whilst the member club is (or was) bound by the Privacy Code, the member club will be required to resolve the matter to the extent provided in the APC. To avoid any doubt, a member club will be released from complying with the APC upon the receipt by the Privacy Code Administrator of a completed and executed ‘Release from the Approved Privacy Code’ form.

10.4 The member club can re-join the APC at any time after the date referred to in 10.3, provided it meets the requirements set out in clause 10.2 and makes a written submission for re-subscription and receives written approval for re-subscription from the Privacy Code Administrator.

10.5 Member clubs must return the completed forms/documents referred to in 10.2, 10.3 and 10.4 to the Privacy Code Administrator (in person, by fax or post) to enable the Privacy Code Administrator to maintain accurate, complete and up-to-date electronic and paper records of the Privacy Code members, as required by the Privacy Commissioner.

10.6 Member clubs that cease to be financial members of Clubs Queensland will automatically cease to be bound by the APC.

11.    Implementation of the Approved Privacy Code

11.1 Once a member club has accepted the APC, it will have all measures in place within one month of the date of the acceptance.

11.2 The member club will inform members or patrons about the operation of the APC and will prominently display the availability of the Privacy Code in a suitable location in the club.

11.3 The member club will undertake regular audits of the operation of the club privacy procedures to ensure that the procedures comply with the APC.

11.4 The member club will submit information on the operation of the APC to the Privacy Code Administrator, as requested, to enable the Privacy Code Administrator to fulfil its obligations under the APC and the Privacy Act.

12.    Administration of the Approved Privacy Code

12.1 Clubs Queensland will perform the role of the Privacy Code Administrator and will be responsible for the administration of the APC, including complying with the reporting and review requirements under the APC and Privacy Act. It will allocate sufficient resources for the administration and on-going monitoring of the APC.

12.2 The Privacy Code Administrator will liaise with member clubs in relation to the implementation and compliance with the APC. Member clubs will direct any questions or feedback in relation to the APC to the Privacy Code Administrator.

12.3 Each member club will nominate a staff member who will be responsible for the general administration of the APC at the member club. The designated staff member must report to the Privacy Code Administrator all information that is relevant to the operation of the APC at the member club.

12.4 The designated staff member of each member club must also advise the Privacy Code Administrator (in writing) of any systemic problems that they discover through their own compliance experiences. If any systemic problems are identified, then the Privacy Code Administrator will endeavour to address them appropriately and in accordance with the Privacy Act.

12.5 The Privacy Code Administrator will maintain an accurate, up-to-date, easily accessible on-line record of members of the APC on its website, with a hypertext link to the Privacy Commissioner’s website.

12.6 If at any stage the Privacy Commissioner revokes the APC (in accordance with its powers under Section 18BE of the Privacy Act), the Privacy Code Administrator will advise the member clubs, public and all other interested parties accordingly.

12.7 All member clubs and individuals are requested to contact Clubs Queensland to obtain any information they require about the Privacy Code Administrator.

13.    Review of the Approved Privacy Code

13.1 The Privacy Code Administrator will, in consultation with relevant stakeholders that include member clubs and other interested parties, review the APC at least every three years and is committed to allocating sufficient resources for the review process. The Privacy Code Administrator will provide the review report, with a response to the review report by the Privacy Code Administrator, to the Privacy Commissioner within 30 days of the review being finalised. The Privacy Code Administrator will make available a copy of the above review report to member clubs upon a written request.

13.2 The Privacy Code Administrator will make necessary changes and amendments to the APC from time to time, in consultation with member clubs, and will seek the approval of the changes and amendments from the Privacy Commissioner before incorporating the changes and amendments in the APC.

13.3 Where the Privacy Code Administrator proposes major changes and amendments to the APC, it will undertake adequate consultation with relevant stakeholders, including member clubs, and include a report on the result of the consultation process with the application for approval for the variation of the APC to the Privacy Commissioner.

____________________

Schedule 1 – Approval of the Original Privacy Code

Schedule 2 – Approval of the Privacy Code (Upon Review)

Schedule 3 – Dictionary

contractor means a party that has a contractual relationship with a member club to provide a service or product;

direct marketing means any approaches made or activities undertaken that promote, advertise or market products or services;

health information means:

(a) information or an opinion about:

(i) the health or a disability (at any time) of an individual; or

(ii) an individual’s expressed wishes about the future provision of health services to him or her; or

(iii) a health service provided, or to be provided, to an individual;

that is also personal information; or

(b) other personal information collected to provide, or in providing a health service; or

(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual or his or her body parts, organs or body substances; or

(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or genetic relative of the individual.

health service means:

(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

(i)     to assess, record, maintain or improve the individual’s health; or

(ii)    to diagnose the individual’s illness or disability; or

(iii)   to treat the individual’s illness or disability or suspected illness or disability; or

(b)    the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

member means any individual who is an on-going financial member of a member club;

member club means a club that is an on-going financial member of Clubs Queensland;

patron means any member of the public who has contacted or been in contact with a member club;

personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

primary purpose means the sole, dominant or fundamental reason or purpose for collecting information;

Privacy Code Administrator means Clubs Queensland located at 55 Holland Street, Northgate Qld 4013. Telephone: (07) 3252 0770, Facsimile: (07) 3252 0971, Website and Email [email protected];

Privacy Commissioner means the Privacy Commissioner (Federal);

reciprocal club means a club that has a reciprocal arrangement with another club under Clubs Queensland Reciprocal Arrangement;

related body corporate means:

(a)      a holding company of another body corporate;

(b)      a subsidiary of another body corporate; or

(c)      a subsidiary of a holding company of another body corporate.

Sensitive information means:

(a)      information or an opinion about an individual’s

(i)       racial or ethnic origin; or

(ii)      political opinions; or

(iii)     membership of a political association; or

(iv)     religious beliefs or affiliations; or

(v)      philosophical beliefs; or

(vi)     membership of a professional or trade association; or

(vii)    membership of a trade union; or

(viii)    sexual preferences or practices; or

(ix)     criminal record;

that is also personal information; or

(b) health information about an individual; or

(c) genetic information about an individual that is not otherwise health information.

secondary purpose means any reason or purpose other than a primary purpose;

special circumstances means only those circumstances associated with preventing or lessening a serious and imminent threat to the life or health of an individual where the individual to whom the information relates is incapable or unable (either by law, a physical limitation or otherwise) to provide consent to the collection of information.

Schedule 4 – Privacy Notice


Schedule 5 – In-House Privacy Policy


Schedule 6 – Register of Complaints and Actions

Schedule 7 – Register of Training

REGISTER OF TRAINING
Staff Details (Name/ID) | Read and signed the following documents | Other Privacy Training Undertaken (Date, Course Title, Certification etc)
Under "Read and signed the following documents": Queensland Club Industry Privacy Code | In-house Procedures (eg: Privacy Complaint Resolution Procedures etc)

Schedule 8 – Acceptance of the Privacy Code Form


Schedule 9 – Release from the Privacy Code Form
