About this policy
The policy outlines how individuals can correct their personal information held by DMPL, how to make a complaint about a breach of privacy, and how complaints will be handled.
Individuals who wish to contact DMPL about information privacy or their personal information can do so by contacting DMPL’s Privacy Officer on 9701 3850 or by mail at PO Box 7022, Dandenong. DMPL is required to make this policy freely available in an appropriate form, and accordingly it is able to be accessed on our public website at dandenongmarket.com.au.
Individuals who would like to request a copy of this policy in an alternate form, for example suitable for the vision impaired, or individuals from a non-English speaking background, may do so by contacting our Privacy Officer, and reasonable steps in the circumstances will be taken to provide the policy in an appropriate form. Privacy Act 1988 (Cth)
DMPL is required to meet certain obligations under the Commonwealth Privacy Act 1988 (theAct), and is bound by the Australian Privacy Principles (APPs). The Act governs how DMPL collects, uses, stores and discloses the personal information of individuals, and how they may access or correct their information.
Personal information broadly means information or an opinion about an individual, whether true or not, which could reasonably lead to the identification of the individual in the particular circumstances. Personal information can include name or address details, dates of birth, telephone numbers, email addresses, financial information such as banking details, or photographic or video material. An individual’s name does not have to be included in information for it to constitute personal information. The test is whether the information considered as a whole would enable the individual to be identified. A special category of personal information is known as “sensitive information”, and can include information about race or ethnicity, political opinions or membership, religious or philosophical beliefs, professional or trade association or union membership, sexual preferences or practices, criminal records, health information and genetic/biometric information such as fingerprints. There are additional obligations for the management of sensitive information required by the Act.
What types of personal information does DMPL collect?
DMPL collects the personal information of employees, members of the public, customers, suppliers, traders, and tenants. The type of personal information collected will depend on the nature of the individual’s relationship or interaction with DMPL and its staff. DMPL will only collect personal information where it is reasonably necessary for, or directly related to, one or more of its functions or activities.
Personal information collected can include names, dates of birth, gender details, financial and banking details, and address/contact details including email addresses. Personal and business details of suppliers, traders and tenants are also collected.
Additional personal information concerning employees which is collected can include job applications, work histories, curriculum vitaes, details of salary and wages, training records, performance assessments, counselling details and personnel records.
Sensitive information is sometimes collected when appropriate, such as criminal record check details for recruitment and employment purposes. Health information collected can include incident and accident reports, first aid records, workers’ compensation claims and documents, rehabilitation and attendance records, medical or other health service provider records, medical histories and other assessments for insurance or employment purposes. Information about third parties is sometimes collected in the context of insurance claims.
How does DMPL collect personal information?
DMPL collects personal information by way of several channels or methods. Personal information can be collected when individuals telephone DMPL or interact verbally, or make contact by mail or email. It is also collected when individuals access our website or use it to communicate with us. In most cases DMPL collects information directly from individuals, however where information about you is collected from another person or organisation, it is dealt with according to the requirements of the Act.
Personal information can be collected when individuals use our online feedback service, or make enquiries or complaints. It is collected when applications for bookings are made, for example for a stall at the market or to arrange a tour, whether these applications have been requested by DMPL or not, and whether they are successful or not. Our website uses “Cookies” which collect user information and data for statistical and analytic purposes. We also use a CCTV system for security monitoring purposes.
Personal and business details of suppliers, traders and tenants are collected when they interact with DMPL, so that appropriate financial and business records can be maintained. Personal information of job applicants and employees is also collected during the application process (whether or not it is successful) and during the period of employment, which may also include sensitive information. Health information can be collected when circumstances require that first aid be administered, for administering sick leave or carers leave, or where injury or insurance claims arise.
When personal information is collected, DMPL takes reasonable steps in the circumstances to notify the individual (either at or before the time of collection, or as soon as practicable thereafter) or make them aware of certain matters. These “collection statements” are included on all forms that DMPL uses to collect personal information, displayed on our website at the point of collection, or relayed via telephone when individuals provide their personal information to us.
DMPL is required to use its best endeavours to offer individuals the option of not identifying themselves, or using a pseudonym, when they interact with us. This requirement does not apply if we are required by law or authorised by a Court or Tribunal to only deal with individuals who have identified themselves, or where it is impracticable to deal with individuals in this manner.
How does DMPL use personal information?
When DMPL holds your personal information, it can only be used for the particular purpose for which it was collected (known as the “primary purpose”), unless certain exceptions apply.
Personal information can be used for secondary or other purposes where consent has been obtained, where it is reasonably expected to be used for a related purpose, where required or authorised by law or a Court/Tribunal order, where reasonably necessary for enforcement purposes conducted by or on behalf of an enforcement body, or where certain “permitted general situations” exist.
Permitted general situations are where circumstances exist involving serious threats to life, health or safety of any individual, or to public health or safety, suspected unlawful activity or serious misconduct, missing persons, legal or equitable claims and alternative dispute resolution processes.
DMPL uses personal information provided during booking processes for the purposes of fulfilling customer requests, providing personalised services, maintaining accounts and records, statistical analysis, conducting market research and marketing, and assessing and evaluating the use of our website.
Personal information is used for stall application assessment, administration of licences, and in some circumstances in obtaining references for future tenancies. Other uses include complaint management, tour bookings, function and event bookings, competitions, security purposes, and administration of job applications and employment, which may include criminal record checking and employment screening. Personal information may also be used by DMPL in obtaining legal advice, and participating in legal proceedings.
When does DMPL disclose personal information, and who can access it?
In most circumstances, DMPL is restricted in how it may disclose your personal information. Personal information can only be disclosed for the particular purpose for which it was collected (known as the “primary purpose”), unless certain exceptions apply. Personal information can be disclosed for secondary or other purposes where we have consent to do so, where it is reasonably expected to be disclosed for a related purpose, where required or authorised by law or a Court/Tribunal order, where reasonably necessary for enforcement purposes conducted by or on behalf of an enforcement body, or where “permitted general situations” as described above exist.
Circumstances where personal information may be disclosed broadly include compliance with statutory obligations, arranging for insurance, progressing insurance claims and meeting occupational health and safety obligations. DMPL may disclose personal information of members of the public, customers, suppliers, traders, stallholders, and tenants provided during booking processes for the purposes of fulfilling customer requests, providing personalised services, maintaining accounts and records, statistical analysis, conducting market research and marketing, and assessing and evaluating the use of our website.
Personal information may also be disclosed for stall application assessment, administration of licences, and in some circumstances in obtaining references for future tenancies. Other circumstances where it may be disclosed include complaint management, tour bookings, function and event bookings, competitions, security purposes, and administration of job applications and employment, which may include criminal record checking and employment screening. Personal information may also be disclosed by DMPL in obtaining legal advice, and participating in legal proceedings.
Personal information may be given to government agencies and other individuals/organisations including Victoria Police, the Department of Justice, WorkSafe Victoria, loss adjusters, security companies, insurance companies and health service providers. It will only be disclosed to third parties where permitted by the Act, and only disclosed to DMPL staff where necessary for the performance of their duties and where they are authorised to access it.
DMPL may use or disclose personal information (other than sensitive information) for direct marketing purposes where it has collected the information directly from the individual, the individual would reasonably expect the information to be used for that purpose, where a simple means for the individual to opt out of direct marketing communications has been provided and where the individual has not done so.
Direct marketing can also can also occur where DMPL has consent to use personal information for that purpose, whether or not the information was collected from the individual, where a simple means for the individual to opt out of direct marketing communications has been provided with each direct marketing communication and where the individual has not done so.
DMPL can use sensitive information for direct marketing communications where consent to do so has been obtained.
When DMPL uses personal information for direct marketing purposes or to facilitate direct marketing by another organisation, the individual may request not to receive marketing communications, request that DMPL not use or disclose their personal information to facilitate direct marketing by another organisation, and request that DMPL inform the individual of the source of their personal information where practicable or reasonable (or inform the individual that it cannot do so).
DMPL cannot charge an individual for dealing with a request not to receive direct marketing communication, that their information not be disclosed to another marketing organisation, or to provide its source of information. It must deal with these requests within a reasonable period of time, and will usually do so within seven days.
Management of personal information by DMPL
DMPL is required to take reasonable steps to ensure that the personal information it collects, holds, uses and discloses is accurate, up to date and complete, with reference to the purpose for which it is collected, used or disclosed. Information held by DMPL is subject to regular reviews and audits for this purpose. Where it is determined that it is no longer necessary or legally required for DMPL to hold and store personal information, reasonable steps are taken to de-identify or destroy the information.
DMPL stores information using a combination of physical files and electronic files. Internal access protocols ensure that only authorised staff can access personal information in circumstances where they are required to do so in the performance of their duties.
Governance mechanisms employed by DMPL to ensure the appropriate management of personal information and include maintaining a designated privacy officer role.
Requests to access or update/correct personal information
Requests made by individuals to access their personal information held by DMPL will generally be granted, unless certain limited circumstances apply. Those circumstances may include where it is reasonably determined that granting access would pose a serious threat to the life, health, or safety of an individual or to public health or safety, where granting access would have an unreasonable impact on the privacy of other individuals, where the request is frivolous or vexatious, or where legal proceedings are on foot. DMPL may also deny access in some circumstances where it is required to do so by law or access would be unlawful, where commercial negotiations or decision making processes may be prejudiced, where unlawful activity or serious misconduct is suspected, or where enforcement related activities may be prejudiced.
DMPL responds to requests to access personal information within a reasonable period (usually 10 working days), and gives access to the information in the manner requested where it is reasonable and practicable. If access needs to be refused due to one of the above exceptions, DMPL will take reasonable steps in the circumstances to provide access that meets the needs of DMPL and the individual.
If access is refused, DMPL will give the individual a written notice which sets out the reasons for refusal, how to complain about the refusal, and where it relates to a commercially sensitive decision-making process, the reasons for refusal may include an explanation of the nature of the commercially sensitive decision.
DMPL may require that reasonable charges be paid in respect of granting access to personal information, however the charges must not be excessive, and must not apply to the making of the request. Requests for access to personal information can be made using the dedicated form by contacting our Privacy Officer.
Requests to update or correct
If DMPL holds personal information about an individual, and is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading (having regard to the purpose for which it is held), or the individual requests that DMPL correct the information, then DMPL will take reasonable steps to correct the information to ensure that it is accurate, up to date, complete, relevant and not misleading.
When DMPL corrects personal information that it previously disclosed to someone else, and the individual requests that DMPL notify the other person of the correction, then DMPL will take reasonable steps in the circumstances to give that notification unless it is impracticable or unlawful to do so. If in some circumstances DMPL refuses to correct personal information as requested, it will provide the individual with a written notice that sets out the reasons for refusal, and how to complain about the refusal.
When DMPL refuses to correct personal information as requested, and the individual requests DMPL to add a statement to their record that the information is inaccurate, out of date, incomplete, irrelevant or misleading, then DMPL will take reasonable steps in the circumstances to add the statement to the record in a manner that will make it apparent to users of the information. DMPL will respond to requests to correct/update or add a statement within a reasonable period after the request is made, and will not charge the individual for the making of the request, the correction, or the adding of the statement.
Requests to update or correct personal information can be made by contacting our Privacy Officer. Requests will usually be met or responded to within 30 days.
All complaints concerning breaches of the Act and APPs will be examined, and unless they are considered frivolous or vexatious, will be investigated by DMPL’s Privacy Officer.
Complaints should be submitted in writing directly to the Privacy Officer via the contact details on page 2 of this policy. DMPL follows dedicated procedures for identifying and reporting privacy breaches, and for receiving and responding to complaints.
DMPL’s Privacy Officer maintains a complaint register, and will investigate complaints concerning the mishandling of personal information, security breaches, allegations of breaches of the Act and the APPs, and any matters which are referred from the Office of the Australian Information Commissioner (OAIC). Your complaint will be promptly acknowledged, and will be dealt with within a reasonable amount of time depending on the complexity of the matter. You will receive updates as to the progress of your complaint if the investigation takes longer than expected. Less complex complaints can usually be dealt with within 30 days, however more complex matters may take longer to resolve.
Where a notification of a breach of privacy, or a complaint about the handling of personal information is received, DMPL’s Privacy Officer will take immediate steps to contain the breach, which may involve securing or quarantining personal information or DMPL’s files which contain the personal information. A preliminary assessment will be conducted and any necessary actions taken. These actions may include notifying the individual(s) whose personal information is subject of the breach/complaint.
Where the preliminary assessment finds that the matter is complex or of a serious nature, independent investigators and/or legal advisors may be retained to assist with the investigation. All investigations will determine whether or not there appears to have been a breach of DMPL’s obligations under the Act. At the conclusion of the investigation, recommendations may be made as to changes to information handling practices and protocols within DMPL. The complainant (or if the matter was referred by it, the OAIC) will be informed of the outcome of the investigation, any relevant findings, and any actions taken as a result.
If the complainant is not satisfied with the investigation or the outcome, they may make a further complaint to the Office of the Australian Information Commissioner.