1. Policy Statement
Peninsula Hot Springs Group (PHS Group) respects the right to privacy of our employees, guests, website visitors, people who apply for employment with us, contractors, and suppliers (you/your).
PHS Group is required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and any other applicable privacy laws. These laws regulate the collection, storage, use, disclosure, and transfer of your Personal Information.
This policy sets out how we collect, store, use, disclose and transfer your Personal Information.
This policy applies to all employees, guests, website visitors, people who apply for employment with us, contractors, and suppliers of PHS Group.
4.1 Responsibilities of PHS Group
PHS Group must:
- Protect and respect the privacy of its employees, contractors and guests and meet any privacy obligations set out in the Privacy Act that might apply to it.
4.2 Responsibilities of Employees
- Not disclose the confidential personal data or information, including the personal telephone number/mobile number and/or home address, of any employees or guests.
- If requested to disclose Personal Information on the grounds of an emergency situation, obtain the phone number and name of the person making the request and forward them to, or contact, your People & Culture Representative.
- Managers with access to confidential personal data/information of their employees must respect the privacy of that information and comply with this policy.
5.1 Personal Information
For the purpose of this policy, "Personal Information" is any information or an opinion (whether true or not, and whether it is recorded in a material form or not) about an identified individual, or an individual who is reasonably identifiable from the information.
Personal Information does not include an "employee record". An employee record is a record of Personal Information relating to the employment of an employee and includes information relating to an employee’s:
- Engagement, training, disciplining, resignation, or termination
- Terms and conditions of employment
- Personal and emergency contact details
- Performance or conduct
- Hours of employment, salary, or wages, and
- Annual, long service, sick, personal, maternity, paternity, and other leave
5.2 Sensitive Information
"Sensitive Information" is a type of Personal Information which is subject to a higher level of protection under the Privacy Act.
It includes health and genetic information about an individual such as:
- The health or a disability (at any time) of an individual
- An individual's expressed wishes about the future provision of health services
- A health service provided or to be provided to an individual, or
- Other personal information collected to provide or in providing a health service
6.1 Types of Personal Information
The types of Personal Information we collect include (but are not limited to):
- Name, postal address and other contact details such as email address and phone number
- Transaction history, preferences for goods or services, frequency of your visits and method of payment
- Financial information to enable us to process the products and services you may purchase and to facilitate any cancellation fees, and
- During recruitment, employment information such as employment history and qualifications as relevant to the process or your employment
Given the nature of our business, we may also collect Sensitive Information such as information concerning any health conditions you may have.
6.2 Collection of Personal Information
PHS Group usually collects Personal Information from individuals who communicate with us directly. This includes (but is not limited to) our employees' personal and employment information, and information provided when a guest books an experience, subscribes to a PHS Group mailing list, enters a competition, emails or telephones us, fills out a form on PHS Group premises, provides feedback via email, makes a restaurant reservation or submits an application for employment. Guests may choose to deal with PHS Group anonymously (or by providing a pseudonym) unless it is impracticable for us to deal with them on that basis.
PHS Group may collect Personal Information from a third party or publicly available source, including (but not limited to):
- Accommodation partners (e.g. where Personal Information has been provided to book an experience through them)
- Research organisations who aggregate data of guests to develop guest profiles for analytical and marketing purposes.
- Customer Relationship Management (CRM) suppliers, and
- Employment screening services providers.
Generally, PHS Group will only collect Personal Information from such sources if it is unreasonable or impracticable to collect the Personal Information directly from you.
We will only collect Sensitive Information where you have consented to provide that information and it is necessary for us to provide products or services to you.
6.3 Use of Personal Information
PHS Group collects, uses, discloses and stores your Personal Information for the primary purpose for which it was collected. PHS Group will not use or disclose your Sensitive Information for a secondary purpose unless it is directly related to the primary purpose for which it was collected and you would reasonably expect us to do so.
The purposes for using and disclosing your Personal Information include (but are not limited to):
- Providing products and services to you
- Contacting you and managing our relationship with you, including providing you with our products and services
- Providing newsletter subscriptions
- Sharing with you items, services or events at Peninsula Hot Springs you might be interested in based on your preferences or past transactions
- Managing and administering our services to you
- Confirming your bookings and advising changes if required
- Improving our customer experience
- Maintaining safety across our site
- Managing, operating and improving our website
- Making a gift certificate transaction
- Considering any requests for information or complaints
- Accounting, billing and internal administrative purposes and complying with our legal obligations
- Recruitment and selection of staff and contractors
- Engagement of staff and contractors
- Personnel administration
- When required by law or certain government agencies
- Via third parties during the course of recruitment and engagement activities
We disclose your Personal Information to our third-party suppliers in confidence and in accordance with the law for the purpose of providing our product and services to you, conducting our business and communicating with you.
The suppliers include (but are not limited to):
- eCommerce providers
- CRM database management agencies
- Mail house providers
- Webhosting providers
- Customer research agencies
- Accommodation partners
- Other business management services
- Our professional advisors, agents, contractors, consultants and related bodies corporate
- Insurance providers
- Software providers
- Delivery and courier suppliers
- Recruitment and labour hire agencies (as required)
- People or entities considering acquiring an interest in Peninsula Hot Springs’ enterprise or assets, and
- Competition facilitators
We do not disclose Personal Information to overseas recipients.
We may contact you by email, mail, SMS or telephone. In the event you do not wish to receive such communications, you can opt-out by contacting us or through any opt-out mechanism contained in a marketing communication or newsletter that you have been provided with.
6.4 Storage of Personal Information
We take steps to ensure that your Personal Information is protected from misuse, interference, and loss and from unauthorised access, modification, or disclosure. We hold Personal Information in both hard copy and electronic forms in secure databases on secure premises, accessible only by authorised staff.
We use several business management systems, including customer management, financial and HR information systems, to store some Personal Information. Information contained within these databases can only be deleted on instruction from our Directors. All information is held securely in a manner designed to protect it from internal and external access by anyone other than specifically authorised staff.
We will destroy or de-identify Personal Information in circumstances where it is no longer required unless we are otherwise required or authorised by law to retain the information.
6.5 Current & Former Employees
During the course of employment, we may obtain Personal Information about employees. We may disclose this information to third parties where it is authorised under the Privacy Act.
We will not collect Sensitive Information about employees without consent, provided that where it is reasonably necessary for an employment-related purpose (including for safety purposes), we may direct that it be provided, or we may draw an adverse inference from a failure to provide the information.
6.6 What information is collected when visiting our website?
When you visit our website (www.peninsulahotsprings.com) we may collect certain information such as browser type, operating system, and the website visited immediately before coming to our site. This information is used in an aggregated manner to analyse how people use our site, such that we can improve our services. We may share this aggregate data with our affiliates, agents and business partners. This aggregate information does not identify you personally. We may also disclose aggregated information in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.
Some cookies are essential in order to help you successfully navigate around our website and use the features, including eCommerce functionality, to help optimise your user experience.
We use performance cookies (which are anonymous) to help us understand the user experience on our website, aggregating consumer journeys to help optimise and improve our website, improving functionality where required.
We also use functionality cookies which allow our website to remember the choices you make (for example your username, your past searches, your transaction history) to enable us to deliver improved and more personal features.
Where applicable we may also use targeting and sharing cookies which offer you a customised browsing experience by providing you with interest-based services – both on this site and on some other websites too where we might advertise our products or services. The cookies may link to social networks and help both our business and our advertising agency partners understand the effectiveness of our advertising campaigns, providing information to our agency partners to allow them to present you with advertising which may be of interest based on your preference.
Our site may from time to time have links to other websites not owned or controlled by us. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship, endorsement or approval of these websites. Please be aware that we are not responsible for the privacy practices of such other websites. We encourage our users, when they leave our website, to read the privacy statement of each and every website that collects Personal Information.
6.7 How to access information
We have measures in place to ensure that the information we hold about you is accurate, complete and up-to-date before acting on it. You can access or update your information yourself with your name and password, or you can ask us for a copy of it. If you learn that Personal Information we hold about you is inaccurate, incomplete or not up-to-date you should contact us so that your information can be updated.
We will not charge you for lodging a request for a copy of your Personal Information but you may be asked to pay a reasonable fee for the work involved in providing you with this information and for associated costs such as photocopying. You will be notified of any likely costs before your request is processed.
To obtain access to your Personal Information you will need to provide proof of identity to ensure that Personal Information is provided only to the correct individual and that the privacy of others is protected. We request that you be reasonably specific about the information you require. We will endeavour to respond to your request to access or correct your personal information within 30 days from your request.
6.8 Complaints and concerns
If you have a privacy complaint or concern, especially if you think your privacy has been affected or you wish to question a refusal to update or grant access to our records of your Personal Information, you should contact us as detailed below for an examination of your concern.
Any complaints will be treated seriously, dealt with promptly and in a confidential manner, and will not affect your existing obligations or affect the commercial arrangements between us. In the event that you are dissatisfied with the outcome of your complaint, you may refer the complaint to the Office of the Australian Information Commissioner (OAIC). Please see www.oaic.gov.au for information as to how to raise a concern with OAIC.
6.9 Notifiable Data Breaches
The Privacy Act requires us to notify you and the OAIC in certain circumstances where an "Eligible Data Breach" has occurred.
An "Eligible Data Breach" occurs when:
- There is unauthorised access to, or unauthorised disclosure of, Personal Information, or a loss of Personal Information, that we hold
- This is likely to result in serious harm to one or more individuals, and
- We have not been able to prevent the likely risk of serious harm with remedial action
Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as reputational harm.
6.10 Responding to a data breach
Each breach will need to be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks.
In general, a data breach response should follow four key steps: contain, assess, notify and review.
The usual process for dealing with data breaches is:
- The Chief Financial Officer is to be advised as soon as a breach has been identified or is suspected, or where there is potential for one. Anyone can report a data breach.
- The Chief Financial Officer will:
  - Contain the data breach to prevent any further compromise of Personal Information by liaising with the relevant internal stakeholders.
  - Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected clients, and, where possible, take action to remedy any risk of harm.
  - Notify each client whose information has been breached, if required. Notify the OAIC via the online form (https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB) if required.
  - Review the incident and consider what actions can be taken to prevent future breaches.
- The team member involved (if any) will:
  - Work with the IT Operations Manager and People & Culture Director to gather all relevant information.
  - Add a file note detailing the breach to the client’s CRM record or employee’s file.
7. Contact & Further Information
Employees can contact their direct manager or People and Culture Representative for further information.
Garry Williams – Chief Financial Officer
Email: firstname.lastname@example.org
Phone: (03) 5950 8792
Postal address: 140 Springs Lane, Fingal, Victoria, 3939
Employee Assistance Program (EAP) Lifeworks – 1300 361 008
8. Related Policies
Code of Conduct
9. Policy Owner
People & Culture Department.
Peninsula Hot Springs Group reserves the right to review and amend this policy at any time.