Privacy Policy Training

For in-house training by member clubs, as per instructions on the final slide.


Introduction
Privacy Policy outlines how staff must handle personal information
- "Handle" means the entire information cycle, from collection to use and disclosure to storage, access, correction and de-identification or destruction
Training highlights some key points but you must always refer to the full Privacy Policy
You must read, understand and comply with the Privacy Policy to avoid a breach of the laws or disciplinary action:
- $1.7 million for the club and $340,000 for officers
- Adverse impact on business due to loss of members' trust

1. Personal Information
Personal information is any information or opinion that can identify a person
Examples include:
- Name
- Address
- Marital status
- Photo
- Bank / credit card details
- Information on likes / dislikes
Personal information does not necessarily have to be in a recorded form. It is irrelevant whether it is true or false

2. Sensitive Information
Sensitive information is a subset of personal information that relates to:
- Racial / ethnic origin
- Political beliefs / memberships
- Religious beliefs / affiliations
- Philosophical beliefs
- Trade union / professional association membership
- Sexual orientation / practices
- Criminal records
- Health / genetic / biometric information
Examples: problem gambling information (e.g. depression) or food restrictions based on religious beliefs
Sensitive information must not be collected without consent or used for direct marketing (unless exempted)

3. Collection
Only collect personal information that is necessary to carry out one or more activities of the club
- Personal information should match the purpose of collection
Collect personal information directly from the person
If collected from a third party, take reasonable steps to inform the person that his or her personal information has been collected and the reason for collection
You can refuse to provide services to a person who refuses to give you the required (mandatory) personal information

4. Use and Disclosure
Use and disclose personal information for:
- the primary purpose (which is the reason for collection, such as processing a membership application)
- a purpose that a person has consented to in relation to the club’s activities (such as facilitating reciprocal membership)
- a secondary purpose (which is one related to the primary purpose and the person would reasonably expect such use or disclosure such as sending club s)
- a purpose that is authorized by law or for law enforcement (such as to prevent an unlawful activity)
- Direct marketing (see slide 7)
A person can request that his or her personal information not be used for anything other than the primary purpose, but cannot stop the law enforcement purpose

5. Disclosure to Organisations
You can disclose personal information to related bodies of the club but only in relation to goods or services relating to the club’s activities
Related bodies include:
- Other clubs (e.g. for reciprocal membership)
- Club sponsors
- Trade providers
- Industry associations (e.g. Clubs Queensland)
- Club agents (e.g. accountant, solicitor)
Ensure, as far as possible, that these organisations are aware of the Privacy Policy

6. Photography and CCTV
You can collect personal information (e.g. footage) through Closed Circuit Television (CCTV):
- Footage is stored for a minimum retention period of 28 days
- If an incident is identified, footage is retained for a minimum of one year after the retention period or given to an authority
- Where no incident is identified, footage is automatically deleted within 30 days after the retention period
You can take photographs of people attending the club and can use the photos for marketing and advertising purposes, unless advised otherwise by the person.
- No compensation is paid to a person whose photo is used in this regard

7. Direct Marketing
You can use personal information for direct marketing:
- where a person has given consent
- if it would be within the reasonable expectation of a person, given a transaction or communication with the club
You can disclose personal information to another organisation, such as a trade supplier, that may send marketing materials to the person
A person can contact the club and request that personal information not be used for direct marketing
Direct marketing communication must identify the club, must include a functional unsubscribe facility and must not be sent to a person who has made a request not to receive it

8. Cross Border Disclosure
The club can transfer or store personal information at a destination outside Australia such as by using overseas website hosting facilities
A person agrees that the above may occur and consents to the disclosure, transfer, storage or processing of personal information outside of Australia
A person understands that overseas agents may not accord the same privacy protection but the club will take reasonable steps to ensure their handling of personal information is in accordance with the Privacy Policy
A person can contact the club and request personal information to not be disclosed to overseas agents

9. Data Quality and Security
The club will take reasonable steps to ensure personal information is safe
The club will take reasonable steps to ensure personal information is:
- accurate, complete and up-to-date
- protected from misuse and abuse
- destroyed or permanently de-identified if no longer needed for the purpose of collection
The club encourages a person to contact the club and update personal information:
- e.g. change of name and address

10. Access and Correction
A person can access and edit personal information the club holds about him or her
The club can deny access in certain circumstances such as where giving access:
- would pose a serious threat to public health or safety
- would unreasonably impact on the privacy of other persons
- would breach a law such as the secrecy obligation under the AML/CTF laws for suspicious matters reporting
Any change made to personal information must be approved, recorded and kept on file for ongoing reference

11. Consent
A person agrees to the terms of the Privacy Policy if he or she visits the club, uses the club website or engages in a product or service that mentions the Privacy Policy
The club can modify the Privacy Policy as per its business needs and changes can be notified in various ways such as web posting
A person can refuse to agree to the revised Privacy Policy (in which case he or she may be denied access to service if mandatory information is not provided)

12. Privacy Complaint
A person can lodge a complaint regarding the handling of his or her personal information by the club
If a privacy complaint is received, the club will take reasonable steps to resolve it in a timely manner:
- The club can ask for further information on the nature and cause of the complaint, including asking that the complaint be made in writing
The club will keep the person informed on the progress of the resolution process
The club will keep a record of any action taken in a register

Summary
Safeguarding privacy is important for business because the club must retain members’ trust
There are financial and non-financial implications, such as penalties (e.g. fines) under the law and adverse impact on the club’s reputation
If you are unsure, do not hesitate to ask the Club Manager or the designated Privacy Officer

Training Instructions
1. The club manager or the designated privacy officer can conduct this training using the document titled Staff Guide to the Industry Privacy Policy which contains the necessary explanatory materials.
   a. The training slides are based on the generic industry privacy policy (including the same title and numbering of section headings). As each club is required to customise the policy to its particular circumstances, the club manager / privacy officer should do the same with the training slides.
   b. Ensure that the training reflects the Privacy Policy, as a material difference between the Privacy Policy and what the club does in practice may expose the club and its officers to non-compliance and liability.
2. All staff and volunteers should attend the training. They should receive a copy of the club’s Privacy Policy, as well as any procedure document relating to privacy practices at the club.
3. The club manager / privacy officer should keep a record of the training and can use the document titled Register of Privacy Training for this purpose. At an appropriate time, employees / volunteers must sign the register which contains a declaration that they understand and agree to abide by the Privacy Policy.
_______________________________________
© 2013 Clubs Queensland All rights reserved. Except for purposes defined under the Copyright Act 1968, this publication must not be reproduced in part or full without written permission from Clubs Queensland. A limited exemption applies to member clubs of Clubs Queensland.
Disclaimer: The training slides are not legal advice and clubs should conduct their own due diligence, including obtaining independent legal and professional advice. Clubs Queensland cannot be held liable for any omissions, errors, actions or decisions made on the basis of the information contained in this resource.
For assistance or clarification: Dr Mukesh Prasad Policy and Research Manager t: (07) e: