Internal Privacy Standard

© This document contains confidential and proprietary information of Ampol Limited or one of its subsidiaries (collectively the “Ampol Group”). Any use of this document outside Ampol without express, prior, written permission from Ampol is prohibited.

Date: March 2021 Custodian: Shifra Symonds Owner: Chief Governance and Risk Officer Version: 1.0 Initial release


Contents

Overview and Purpose 2

1. What is Personal Information? 4

2. Collecting Personal Information 7

3. Personal Information Use and Retention 9

4. Securing Personal Information 11

5. Accuracy of Personal Information 12

6. Personal Information Destruction 13

7. De-identification of Personal Information 15

8. Third Party Due Diligence 16

9. Cross Border Disclosure of Personal Information 18

10. Enquiries and Complaints Management 20

Overview and Purpose

This Internal Privacy Standard aims to ensure you understand what personal information is and how it should be handled and protected at Ampol, in compliance with Australian and any other relevant privacy laws.

How Ampol handles personal information is one aspect of the broader data governance framework at Ampol, which includes the quality, availability, security and usability of data within Ampol.

Please also refer to the following related IT policies and documents, which govern how data is handled at Ampol.

• Ampol Data Breach Response Plan, which covers Ampol’s obligations under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).

• Data Management Policy, which outlines data handling standards and requirements that cover the collection, storage and transmission of such data at Ampol.

• Information Security Policy for individuals, which sets out the roles and responsibilities of all Ampol IT system users regarding the usage of information assets.

• IT System Owners Security Policy, which provides a framework on how to securely implement and operate IT systems in the Ampol environment.

For additional guidance on the Australian Privacy Principles, visit www.oaic.gov.au.

Our Expectations of You

You are expected to:

1. Have a clear understanding of how this Standard applies to your work and behaviours.

2. Seek assistance if you have any questions or concerns about this Standard, or any other standard, policy or practice, or what is expected of you.

3. Act ethically and with integrity, in a manner that is consistent with the Ampol values, standards, policies and delegations of authority.

4. Comply with all applicable laws, regulations and Ampol policies and procedures.

5. Promptly raise known or suspected breaches of this Standard by others or by you.

All employees, contractors and directors of Ampol Limited and its wholly owned subsidiaries, as well as those in our operated joint ventures (‘Ampol’), must adhere to this Standard, regardless of the country in which they work (‘Ampol Personnel’). Please take the time to read and understand this Standard and its supporting policies and apply them in your work every day.

If there are privacy laws or regulations that apply to you which are more stringent than the requirements set out in this Standard (e.g. privacy laws of the country in which you work) you must adhere to the more stringent requirements. Talk to your legal contact if you are unsure whether this applies to you.

Failure to comply with the processes and obligations under this Standard could have serious consequences for both the individual(s) whose personal information it relates to and Ampol. If you are held to have breached this Internal Privacy Standard, you may be required to attend additional training, take other steps or, in the event of serious, deliberate, reckless or negligent violations of this Standard, you may be subject to disciplinary action including termination of your employment or contract with Ampol.

Key privacy-related roles

Privacy Champions: Team members with privacy expertise who are appointed as the first point of contact to provide advice and guidance on privacy matters relevant to you. The Privacy Champions for each team are listed on The Tank.

Business Data Owner: The Ampol employee or role responsible for the data set and regulatory requirements attributed to that data, as set out in the Data Governance Blueprint (under development at the time this Standard was published), or if not yet named in the Data Governance Blueprint, the person or position that approved the collection of the data asset and holds the DOA to do so.

Privacy Compliance Officer: The Ampol Personnel appointed to provide advice on privacy matters relating to the Company (or a specific Ampol subsidiary). The current Ampol Privacy Compliance Officer is listed on The Tank.

1. What is Personal Information?

Ampol Personnel need to be able to recognise personal information. Personal information needs to be treated with caution, in line with the law and Ampol’s requirements.

Before collecting, using, disclosing or otherwise handling data, you must undergo a classification process to understand whether the data you are handling is personal information or not and what requirements it is subject to.

Personal Information

What is it?

Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not;

• whether the information or opinion is recorded in a material form or not.

How should you handle it?

• It must be handled in accordance with the Australian Privacy Principles, any other applicable privacy laws, Ampol’s publicly available Privacy and Credit Reporting Policy and this Internal Privacy Standard, and must be subject to heightened security protections.

• You should ensure it is only available to approved team members following authorisation from the Business Data Owner.

• You must take all reasonable steps to protect this data from interference or misuse. Stringent audit and monitoring are required.

Example

A customer’s name, title, contact information (e.g. address, phone number, email address), date of birth, image captured in a photograph or video recording, passport number, driver’s licence, tax file number, car registration.

Sensitive Information

What is it?

Sensitive information is a subset of personal information that includes information or an opinion about an individual that is more personal or sensitive in nature.

The types of information that are considered sensitive information are listed in the Privacy Act and include, for example, information about someone’s race or ethnicity, political opinions, religion, sexual orientation and health information.

How should you handle it?

• Sensitive information should not be collected except in very limited circumstances as reasonably necessary, in which case a greater degree of care and confidentiality is required.

Examples

An individual’s health or genetic information, ethnic origin, sexual orientation, criminal history, membership of a political or professional association, philosophical or religious beliefs.

Collecting information about why individuals are taking personal leave may be considered sensitive information if it reveals their religious beliefs.

Note: for the purposes of this Standard, personal information includes personal information relating to Ampol employees.

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable:

a) whether it is true or not; or

b) whether it is recorded in a material form or not.

Identifying Personal Information

When someone is the subject of the information, it will usually be personal information.

Example: Jane’s name, phone number and email address are collected by Ampol to create a customer contact file. Jane’s customer contact file is personal information as she is the subject of the record.

Information will also be ‘about’ someone where it reveals or conveys something about them, even where the person may not, at first, appear to be a subject matter of the information.

Example: Fred’s AmpolCard number is listed as an unpaid account due to bankruptcy. For Ampol, there is a clear connection between the card number and Fred, and the inclusion of his number in this list reveals that he is bankrupt. Therefore this is Fred’s personal information.

Information will be about an ‘identified’ individual when, within a group of persons, he or she is ‘distinguished’ from all other members of the group.

Example: By itself, information that allows Nina to be contacted (e.g. telephone number or street address) may not be about an ‘identifiable’ individual. However, Nina is likely to be identified if this information can be used to search Ampol’s customer database to locate an entry about Nina.

The more information about an individual that an entity holds or to which it has access, the more likely it is that the person will be ‘reasonably identifiable’ from that information.

Example: If Ampol holds only one item of information about Sylvia (e.g. her first name) it may not be possible to identify her just from that information. However, if Ampol also holds additional information about Sylvia (e.g. age, gender, postcode or occupation), it is increasingly likely that Ampol will be able to identify her and therefore it will amount to personal information.

Always consider whether information is personal information in the context of what other information is available in the circumstances, and the practicability of using that information to identify an individual. This may change over time, so classifications of information should be periodically reviewed.

Example: An AmpolCard number in the hands of a non-Ampol employee would not allow them to identify the cardholder, so it may not be personal information. However, that same piece of information in the hands of an Ampol employee with access to a customer database may be.

2. Collecting Personal Information

There are four key rules to remember when you are collecting personal information.

1. Reasonably Necessary

You can only collect personal information that is reasonably necessary for one or more of Ampol’s functions or activities, most of which are outlined in Ampol’s Privacy and Credit Reporting Policy, available on the Ampol website.

Examples of circumstances where the collection of personal information is not ‘reasonably necessary’ for Ampol’s functions or activities are where:

• individuals attending an Ampol site are asked to provide personal information for the purpose of visitor site induction and safety requirements, including their ethnic background, although this is not relevant for the purposes of safety management at the site; or

• a person entering a competition is asked to complete an application form that asks for their marital status, when this is not relevant to the applicant’s eligibility to enter the competition.

2. Lawful and Fair Means

Only collect or solicit personal information by lawful and fair means.

• Lawful: Examples of ‘unlawful’ collection include collecting through computer hacking, trespassing or through commercial electronic messages sent without consent in breach of the Spam Act 2003 (Cth).

• Fair: What is considered ‘fair’ will vary depending on the circumstances. Examples of collecting personal information unfairly include collection from a file or electronic device which is lost or left unattended, collecting by deception, or misrepresenting the purpose or effect of collection.

• You must not collect personal information unless you provide a link to Ampol’s Privacy and Credit Reporting Policy and ask the relevant individual to consent to the collection and handling of their personal information in accordance with that Policy.

3. Collecting Directly from the Individual

You must only collect or solicit personal information directly from the individual, except where it is unreasonable or impractical. Considerations that may be relevant in determining how it must be collected include:

• whether the individual would reasonably expect their personal information to be collected directly from them or from another source;

• the sensitivity of the personal information being collected;

• any privacy risk if the information is collected from another source; and

• whether the time and cost involved in collecting directly from the individual is excessive in the circumstances.

4. Notification of Certain Matters

When collecting personal information, you must take reasonable steps to notify the relevant person of specific information, including Ampol’s identity and contact details, the purpose of collection, Ampol’s usual disclosures of that kind of information and whether we are likely to disclose it overseas and, if so, the likely locations.

Most of this information is contained in Ampol’s Privacy and Credit Reporting Policy, so in practice you should disclose to the relevant individuals the specific purpose of the collection and the specific information being collected if not obvious, and then state words to the effect of:

“By providing your personal information to Ampol, you are consenting to Ampol handling it in accordance with its Privacy Policy, available at www.ampol.com.au/privacy-and-reporting-policy”

However, you will need to take additional steps if your collection or use scenario is not sufficiently covered by Ampol’s Privacy and Credit Reporting Policy.

3. Personal Information Use and Retention

Use

Personal information must only be used and disclosed for the purpose for which it was collected (the ‘primary purpose’) or for a secondary purpose if an exception applies.

Example: If Ampol collects an individual’s personal information for the purposes of recruitment for a role at Ampol, then it must not be used for marketing purposes, subject to some exceptions.

Exceptions

Personal information collected can be used for a secondary purpose where:

• the person has expressly consented to a secondary use or disclosure. For example, where Ampol discloses at the time of collecting personal information that “By providing your personal information to Ampol, you are consenting to Ampol using it for [secondary purpose]” and the relevant person provides the personal information;

• the person would reasonably expect Ampol to use or disclose their personal information for the secondary purpose, which must be related to the primary purpose. For example, where personal information is collected for the primary purpose of signing a customer up to AmpolCard, the customer would expect it to be used for the secondary purpose of communicating AmpolCard-related information; or

• the secondary use or disclosure is required by law or a court or tribunal order. For example, personal information collected primarily for the purpose of an AmpolCard application is then subpoenaed.

Retention

You must return or destroy personal information once it is no longer needed:

A. for the primary purpose for which it was collected;

B. for some related secondary purpose; or

C. to be retained due to a specific legal requirement.

Example: If a customer’s personal information is collected for the purpose of a particular marketing campaign, records of customers at the end of the campaign must be destroyed, unless they are still reasonably required for a related purpose, for example, accounting records or customer service records.

Please refer to the Data Destruction section on page 13 and the Data Management Policy IT-006 on The Tank for more information. Alternatively, you can reach out to the IT or legal teams to discuss.

4. Securing Personal Information

Ampol Personnel are required to take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. What constitutes ‘reasonable steps’ will depend on the circumstances.

1. When Using

• Do not leave a computer unlocked or unattended for extended periods.

• Never remove printed material containing personal information from the office.

• Only use personal information for the primary purpose for which it was collected (unless otherwise approved by the Business Data Owner).

2. When Storing

• Personal information in digital form must be stored, as a minimum, in an encrypted and password-protected database (not your desktop), in accordance with the Business Data Owner’s directions.

• Only store personal information on physical media (e.g. paper, USB) if it is protected from unauthorised access, for example, locked in a cabinet or password protected.

3. When Transferring

• Never place personal information on unauthorised file sharing sites, such as Dropbox or Jumpshare.

• Avoid sending personal information through email. If essential, WinZip and password protect the file; this includes when emailing internally.

• IT security requirements surrounding the secure transfer of personal information should be followed to prevent unauthorised access to the information. See OT-006 Data Management Policy available on The Tank for more information.

4. When Destroying

• Personal information from portable storage devices (hard drive or USB) must be hard deleted (and not stored in the Recycle Bin) and you must ‘restore device defaults’ on your media device, to erase any hidden data. If you are unsure, call the Ampol IT department.

• Hard copy documents must be shredded and/or disposed of using the orange secure ‘shred lock’ bins located on each floor.

• To destroy devices holding personal information, securely drop off any items for destruction with Ampol IT and seek confirmation that the destruction has occurred.

NOTE: This is not an exhaustive list and what is considered ‘reasonable steps’ will depend on the specific circumstances.

5. Accuracy of Personal Information

Ampol has an obligation to take reasonable steps to:

• ensure personal information it collects, uses and discloses is accurate, up-to-date and complete; and

• correct personal information held if satisfied that it is inaccurate.

The obligation to correct personal information can arise in two circumstances:

1. If you become aware of any personal information that you believe is, or may be, incorrect. Please bring it to the attention of the relevant Business Data Owner and ensure it is corrected.

2. If the individual to whom the personal information relates requests that it is amended. If you receive such a request and are able to verify their identity, please follow the procedure outlined in Section 10 ‘Enquiries and Complaints Management’.

What is reasonable to ensure the accuracy of personal information will depend on the circumstances but should consider:

• how sensitive the personal information is;

• what resources are available to the holder of the information;

• the negative consequences for the individual if incorrect; and

• what is practical, including time and cost involved.

6. Personal Information Destruction

Ampol must securely destroy personal information once it is no longer needed for the purpose for which it was collected (or some related authorised purpose).

Below are guidelines to follow when you destroy personal information.

Methods for destruction of hardware or physical media containing personal information

For example, PC desktops, hard disks, laptops, other mobile devices (phones, tablets, cameras), servers, backup media (CD, DVD, tape) and USB sticks or external hard drives.

1. Ensure you have the Business Data Owner’s approval to destroy.

2. Request assistance from Ampol IT. They will ensure the deletion of personal information stored on hardware or physical media is undertaken using approved mechanisms, such as:

• Physical destruction of equipment, including disk shredding, melting or another method that renders the physical storage media unusable and unreadable;

• Cutting or crushing of optical media; or

• Secure vendor destruction.

3. Seek confirmation that it has been destroyed.

Methods for destruction of hard copy documents containing personal information

1. Ensure you have the Business Data Owner’s approval if it is an original document (rather than a copy).

2. Shred the document and/or dispose of it using the orange secure ‘shred lock’ bins located on each floor. Please note that disposal through regular garbage or recycling does not constitute taking reasonable steps to destroy personal information.

7. De-identification of Personal Information

De-identification is a process by which information is stripped of features which would allow someone to identify the person the information relates to.

You are required to de-identify personal information in the following circumstances:

1. Personal information is no longer needed for the primary purpose it was collected for, but Ampol wants to keep the data for a permitted secondary purpose, such as analytics.

2. Information is shared with a third party who is not authorised to access the personal information. For example, for code development or marketing purposes.

3. Information is shared internally but your colleagues are not authorised to access the personal information. For example, a data set is required by marketing to undertake trend analysis of buying habits.

Re-identification of data

You must consider whether data is able to be re-identified, in which case it should still be treated with the same privacy and security controls as personal information.
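The re-identification check described above, and the Section 1 point that age, gender, postcode and occupation together make a person increasingly identifiable, can be made measurable. The following is an added example and not part of the Ampol Standard; the customer records, the quasi-identifier columns and the k-anonymity threshold of 2 are all constructed for illustration.

```python
"""Re-identification risk check for a 'de-identified' data set.

Added example, not from the Ampol Standard. It illustrates Section 7 (data that
can be re-identified must still be treated as personal information) and the
Sylvia example in Section 1 (a single attribute may not identify someone, but
age, gender, postcode and occupation together increasingly do). The check is
k-anonymity: for each record, how many records share its combination of
quasi-identifier values. A record with k == 1 can be singled out.
"""
from collections import Counter
from itertools import combinations

# Constructed sample. Direct identifiers (name, email, card number) have
# already been removed; 'spend' is the value the analytics team actually needs.
RECORDS = [
    {"age": 34, "gender": "F", "postcode": "2000", "occupation": "nurse",    "spend": 120.5},
    {"age": 37, "gender": "F", "postcode": "2000", "occupation": "teacher",  "spend": 80.0},
    {"age": 41, "gender": "M", "postcode": "3000", "occupation": "driver",   "spend": 410.0},
    {"age": 45, "gender": "M", "postcode": "3000", "occupation": "driver",   "spend": 390.0},
    {"age": 29, "gender": "F", "postcode": "4000", "occupation": "engineer", "spend": 55.0},
    {"age": 29, "gender": "M", "postcode": "4000", "occupation": "engineer", "spend": 61.0},
    {"age": 34, "gender": "F", "postcode": "2000", "occupation": "nurse",    "spend": 99.0},
    {"age": 43, "gender": "F", "postcode": "3000", "occupation": "teacher",  "spend": 130.0},
]

# Attributes that are not identifiers on their own but can be combined with
# other data sets to re-identify someone (constructed choice for this example).
QUASI_IDENTIFIERS = ("age", "gender", "postcode", "occupation")


def _key(record, columns):
    return tuple(record[c] for c in columns)


def k_anonymity(records, columns):
    """Smallest group of records sharing the same values for `columns`.

    k == 1 means at least one individual is unique on those attributes and
    could be matched against another data set holding the same attributes.
    """
    counts = Counter(_key(r, columns) for r in records)
    return min(counts.values()) if counts else 0


def unique_records(records, columns):
    """Records that no other record matches on `columns` (the singled-out ones)."""
    counts = Counter(_key(r, columns) for r in records)
    return [r for r in records if counts[_key(r, columns)] == 1]


def generalise_age(age, width=10):
    """Coarsen an exact age into a band such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def de_identify(records, keep, band_age=True):
    """Strip every quasi-identifier not in `keep`, band the age, keep 'spend'."""
    out = []
    for r in records:
        row = {c: r[c] for c in keep}
        if band_age and "age" in row:
            row["age"] = generalise_age(row["age"])
        row["spend"] = r["spend"]
        out.append(row)
    return out


def k_by_attribute_count(records, columns):
    """Worst-case k when any 1, 2, ... len(columns) of the attributes are combined.

    Shows the Sylvia effect: each extra attribute an outsider can obtain lowers k.
    """
    return {
        n: min(k_anonymity(records, combo) for combo in combinations(columns, n))
        for n in range(1, len(columns) + 1)
    }


def is_safe_to_share(records, columns, minimum_k=2):
    """Release gate: refuse to treat the set as de-identified if anyone is unique."""
    return k_anonymity(records, columns) >= minimum_k


if __name__ == "__main__":
    print("raw quasi-identifiers: k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "unique people:", len(unique_records(RECORDS, QUASI_IDENTIFIERS)))
    banded = de_identify(RECORDS, QUASI_IDENTIFIERS)
    print("age banded, all attributes kept:", k_by_attribute_count(banded, QUASI_IDENTIFIERS))
    reduced = de_identify(RECORDS, ("age", "postcode"))
    print("age band + postcode only: k =", k_anonymity(reduced, ("age", "postcode")),
          "safe:", is_safe_to_share(reduced, ("age", "postcode")))
```

On this sample, stripping names is not enough: six of the eight people remain unique on the four retained attributes, and even age banding leaves any pair of attributes able to single someone out, so the set only passes the release gate once it is reduced to age band and postcode.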

8. Third Party Due Diligence

Ampol is accountable for performing appropriate due diligence of third parties to whom we give access to personal information collected or held by Ampol, and must require the third party to also comply with the Australian Privacy Principles (APP).

Prior to entering into a third-party arrangement, you must follow this process (presented in the original as a decision flowchart). It asks whether there is an existing contract and non-disclosure agreement in place with this third party, and whether there are any privacy-related risks associated with the proposed third-party engagement.

Where an existing contract and non-disclosure agreement are in place:

1. Review the existing contract terms to ensure they are appropriate and that the third party agrees to handle personal information in accordance with Australian privacy laws. The third party must also allow Ampol to audit their compliance with privacy obligations.

2. Ensure that we have the consent (express or implied) of relevant individuals to disclose their personal information to the third party.

Where no such contract is in place:

1. Ensure a contract that governs how personal information must be handled is in place (including audit rights) before personal information is disclosed.

2. Engage IT Cyber Security to assess the third-party data arrangement. They will conduct an assessment of such third parties, including the location and security of their systems that will be used to store and handle data.

3. Ensure that we have the consent (express or implied) of relevant individuals to disclose their personal information to the third party.

Ending a Third Party Arrangement

At the end of the third party arrangement, the person responsible for the relationship with the third party must ensure the personal information held by the third party is returned to Ampol, or require certification from the third party that they have securely destroyed or de-identified the personal information in its possession or control. Ampol Personnel must be able to show evidence that this has been done.

Please contact a member of the legal or procurement teams if you have any questions about third party due diligence or require assistance with ensuring a third party has returned or destroyed data.

Remember to ensure any disclosure to a third party is necessary for the primary purpose or a permitted secondary purpose (see section 3).

9. Cross Border Disclosure of Personal Information

Generally, you should avoid transferring or disclosing personal information to an overseas entity. However, in circumstances where this is necessary, it is important to consider the following principles (presented in the original as a decision flowchart; proceed to the next step only on a ‘Yes’).

Step 1: Is it Personal Information?

If no: the Privacy Act does not apply and is not relevant to decision making.

Step 2: Are we allowed to transfer it overseas? Personal information can only be shared cross-border, as with any situation, if it is in line with the primary purpose for which it was collected. Further, please check that the overseas location is listed in the Ampol Privacy and Credit Reporting Policy and the disclosure is within the reasons for which Ampol may disclose personal information overseas in the Policy.

If no: do not share it with the overseas entity.

Step 3: Have we assessed the third party? Do not send personal information to an overseas recipient unless the Third Party Due Diligence procedure on page 17 has been followed and you have confirmation that the third party meets Ampol’s minimum security and privacy requirements. This is important because Ampol will be held accountable from both a legal and reputational perspective if the overseas recipient mishandles the information.

If no: contact Ampol IT about conducting third party due diligence in accordance with page 17.

Step 4: Are we allowed to transfer it overseas? Ampol must enter into an enforceable contractual arrangement with the overseas third party prior to disclosing personal information, which requires the recipient to handle personal information in accordance with the APPs. This should include a right to audit the recipient’s compliance with the APPs and their return or destruction of personal information on request, as well as an obligation for them to notify Ampol of any data breach.

If no: do not share any personal information until an appropriate agreement is in place.

Step 5: Are we allowed to transfer it overseas? Once the above steps have been complied with, personal information can be transferred to the overseas entity. The transfer must occur in a secure and encrypted format. The Ampol Personnel responsible for the relationship with the third party must continue to monitor their compliance with the terms of the agreement and the APPs, audit as necessary, and ensure that the personal information is returned to Ampol or destroyed appropriately at the end of the engagement.

10. Enquiries and Complaints Management

A privacy complaint or enquiry may include:

1. Correction of personal information that Ampol holds about a customer

2. Requesting access to the customer’s personal information

3. General enquiries about how Ampol handles data, e.g. questions regarding offshoring of data

4. Reporting a data breach or a breach of the APPs

5. Questions or enquiries from the Office of the Australian Information Commissioner.

1. Request to correct Personal Information

• Customer request to amend data received.

• Steps must be taken to verify the identity of the individual wanting to amend the data.

• A response should be sent to the individual within a reasonable time of receiving their request, informing them that action has been taken.

• Once verified, you must take reasonable steps to correct any incorrect personal information held by Ampol. This may involve contacting IT. Please discuss with your Privacy Champion or the legal team if you are unsure.

2. Access request

• Access request received from customer, police or a third party.

• Do not provide personal information to anyone without first raising a request with the legal team.

3. Ampol complaint or enquiry management process

• Customer complaint or enquiry received.

• Raise the request with your team’s Privacy Champion and decide whether you can respond directly.

• If you are unsure of how to respond, please reach out to the legal team for advice. The legal team will then assist with a response or escalate to the Privacy Compliance Officer.

• A response should be sent to individuals within a reasonable time of receiving their request, informing them that action has been taken.

4. Reporting a data breach

• Notification of data breach received.

• You must follow the Ampol Data Breach Response Plan.


ampol.com.au