TT-Line Company Pty Ltd (“the Company”) is committed to complying with the Personal Information Protection Act 2004 (Tas) (“PIP Act”) and the Australian Privacy Principles (“APPs”) set out in the provisions of the Privacy Act 1988 (Cth) (“Privacy Act”).
In order for the Company to fulfil its obligations under the PIP Act and the Privacy Act, the Company expects all Management and Employees to read and abide by this policy, which sets out how the Company will manage and secure personal information. It also describes the types of personal information that the Company holds and for what purposes and how that personal information is collected, held, used and disclosed.
The Company is committed to developing a culture that respects the privacy of individuals, customers and Employees through ensuring the security of personal information about them. The Company will protect personal information from misuse, loss, unauthorised access, modification or disclosure.
Compliance with this policy will increase consumer confidence in the Company’s privacy procedures and build a better reputation for the Company.
This policy applies to Workers (employees & contractors) and includes:
a) the manner in which Workers are required to handle personal information of the Company’s customers for ferry and freight services; and
b) how the personal information of Employees will be handled.
Personal information about the Company’s customers includes information about individuals but not companies or other commercial entities.
3. Privacy Officer
The Company has appointed a Privacy Officer who is responsible for:
a) ensuring that this policy and privacy procedures are fully implemented and working effectively; and
b) promoting the Company’s policy to all Workers.
5. Purposes for collection of Personal Information
The Company collects, holds, uses and discloses personal information for the following purposes:
a) to conduct functions and activities as a passenger, vehicle and freight service and agent of travel insurance providers;
b) to personalise and tailor the Company’s information, services or products for customers;
c) to identify whom the Company is communicating with;
d) to inform customers of further information relating to the Company’s services or products, or to the Company’s website;
e) to keep track of website domain names from which individuals visit the Company’s website – the Company analyses this data for trends and statistics;
f) to facilitate customer transfer in the event of a medical emergency;
g) to assist customers or their financial institution to verify purchases;
h) for sales and marketing research purposes;
i) for marketing and promotional purposes;
j) to post photographs of customers on social media websites;
k) for administration purposes;
l) to comply with any applicable laws;
m) for emergency purposes; and
n) any other purpose for which the customer gives his or her consent.
6. The types of information that the Company collects and holds
6.1 General Information
The types of personal information that the Company collects and holds about a customer may include:
a) identification information, including a customer’s name, postal or email address, phone number or fax number;
b) gender information;
d) billing details;
e) payment details;
f) vehicle registration information; and
g) any other information that the Company considers to be reasonably necessary.
7. Collecting personal information
Generally, the Company does not need to collect any personal information when customers visit the Company’s website. Customers have the option to deal with the Company anonymously where it is lawful and practicable to do so. For example, customers can visit the Company’s website without telling the Company who they are or revealing other personal information.
7.1 Collecting personal information from other sources
The Company will, if it is reasonable or practicable to do so, collect personal information directly from customers. This may happen if customers give the Company personal information over the telephone, in person, through the Company’s website or when a customer fills out a form. Sometimes the Company collects personal information about customers from other sources where it is necessary to do so. This may happen where:
a) the customer has consented to the collection of the information from someone else;
b) the Company is required or authorised by law to collect the information from someone else; or
c) it is unreasonable or impracticable to collect the information from the customer personally.
Examples of other sources that the Company may collect personal information from include, but are not limited to:
a) travel agents;
b) sporting teams/clubs;
c) social clubs; and
d) event holders.
7.2 Unsolicited personal information
If the Company collects personal information about a customer that it did not ask for, the Company will check whether it could have collected that information itself. If the Company could have collected the information, it will handle it in the same way it handles other information it collects from customers.
If:
a) the Company could not have collected the personal information; and
b) the information is not contained in a Commonwealth record,
the Company will destroy the information or de-identify the information provided it is lawful and reasonable to do so.
7.3 General principles
If the Company needs to collect personal information, then the Company will operate by the following principles:
a) the Company will expressly ask the customer for that personal information. The customer may decline to provide the requested personal information; however, the Company may not be able to provide the customer with the requested services; and
b) if the customer agrees to provide that personal information, the Company will advise the customer how the Company intends to use that personal information.
8. Use and Disclosure of Personal Information
The Company may only use and disclose a customer’s personal information for the purposes it was collected unless:
a) the customer consents to the use or disclosure of the information for another purpose;
b) the access, use or disclosure is otherwise permitted under the Privacy Act and the PIP Act; or
c) the customer would reasonably expect the Company to use or disclose the information for another purpose (e.g. disclosing personal information to a travel agent for the purpose of procuring the customer’s travel insurance).
8.1 Disclosing personal information to third parties
Sometimes the Company may disclose personal information about customers to third parties. Examples of third parties that the Company may disclose a customer’s personal information to include, but are not limited to:
a) the Company’s nominated travel insurance provider;
b) marketing agencies and other marketing service providers of the Company;
c) research agencies conducting research on behalf of the Company;
d) emergency services;
e) Biosecurity Tasmania or any other applicable quarantine authority;
f) as required or authorised by law or a court/tribunal order; and
g) any other person where the customer has given his/her consent.
In limited circumstances the Company may disclose a customer’s photograph on social media websites.
Where personal information is disclosed, the Company will seek to ensure that the information is held, used or disclosed consistently with the Privacy Act (including the APPs), the PIP Act and any other applicable laws.
If a customer tells the Company that he/she does not wish to have personal information used for a particular purpose, the Company will not use that personal information for that purpose unless required by law or for law enforcement purposes. The Company will make customers aware that this may mean the Company is not able to provide the requested services to the customer.
The Company will co-operate with all law enforcement bodies in providing personal information when requested to do so.
9. Sales and Direct Marketing
The Company may use or disclose personal information for sales and direct marketing purposes.
If at any time a customer decides that he/she does not want to receive any more marketing material from the Company, the customer may:
a) contact the Privacy Officer in accordance with section 21 of this policy; or
b) opt-out of receiving any more marketing material via any opt-out mechanism contained in the Company’s marketing correspondence.
Customers must be told that they can opt out of receiving any more marketing or promotional literature.
All the Company’s marketing materials display a clearly visible and user-friendly opt-out option. The Company may infer that consent to receive marketing material has been given where this opt-out option is not chosen.
All personal information held on any sales and marketing databases will be permanently destroyed or made anonymous within 45 days of receipt of an opt-out notice or a request to be removed from the database.
A customer may request the Company to provide its source of the personal information. If it does so, the Company must, within a reasonable period after the request is made (usually within 30 days), notify the customer of the source unless it is impracticable or unreasonable to do so.
10. Online Loyalty Program, Travel Club, and other electronic communication items
The Company’s online Loyalty, Travel Program and other electronic communication items will continue to work on an opt-in basis. The Company will not send any online marketing material that does not contain an opt-out option.
11. Cross-Border Disclosure of Personal Information
In some limited circumstances the Company may need to disclose personal information about a customer to recipients outside Australia, including to the Company’s:
a) overseas Protection and Indemnity Club located in the United Kingdom; and
b) electronic data storage provider currently located in the United States.
The Company may store a customer’s information in the cloud or via other types of electronic data storage. As data storage can be accessed from various countries via an internet connection, it is not always practicable for the Company to know what country a customer’s personal information may be held in. As such, disclosures may sometimes occur in countries other than those listed above.
Before the Company discloses personal information about a customer to any overseas recipient, the Company will take reasonable steps to ensure that the overseas recipient complies with the APPs in relation to the information, unless one of the exemptions in the Privacy Act applies.
12. Law Enforcement
The PIP Act and Privacy Act are not intended to interfere with legal obligations to disclose information for law enforcement and regulatory purposes.
The Company has a procedure for using and disclosing personal information for the purpose of investigating and reporting suspected unlawful activity to the relevant authorities.
A written record of the disclosure is required, including the date of the disclosure, the personal information disclosed, the relevant law enforcement body and how the information was used, or to whom the information was disclosed.
13. Emergencies and Disasters
In the event of an emergency or where the Company deems it necessary, customers’ names and addresses will be provided to any authorities and/or agencies that assist in dealing with any such emergency or disaster.
By booking and travelling with the Company, customers are deemed to consent to the disclosure of this information to such authorities and/or agencies in such circumstances.
14. Quality of Personal Information
The Company must take reasonable steps to ensure that any personal information it collects, uses or discloses is accurate, complete, up-to-date and relevant to the Company’s functions or activities.
Workers are required to confirm the accuracy of information at the time of collection. If at any time after the collection of personal information a Worker considers that the information is inaccurate, then that Worker should confirm the information either with the customer concerned or through other means to ensure the accuracy of information kept by the Company.
15. Security of Personal Information
The Company stores customer personal information in different ways, including in paper and electronic form and via third party data storage providers.
The Company treats all personal information as confidential. The Company will take all reasonable steps to ensure that personal information is protected from:
a) misuse, interference and loss; and
b) unauthorised access, modification or disclosure.
Some of the ways the Company does this are by:
a) continuing to develop and monitor security measures in order to decrease the risk of unauthorised access to personal information;
b) continuing to engage information systems support to maintain computer and network security, including access control for authorised users, data integrity checks, network intrusion systems, host intrusion detection systems and expert monitoring;
c) providing a discrete environment for confidential discussions; and
d) protecting its file servers by access privileges and permissions.
In addition, the Company takes the following measures to ensure that personal information on its website is protected, including:
a) having electronic website security systems in place, including the use of secure hypertext transfer protocol, network intrusion protection and segregated virtual private networks; and
b) defining and controlling user access to ensure that access to personal information is only granted where the individual seeking access is authorised to do so.
Employees must confirm:
a) the identity of callers before giving personal information over the telephone, facsimile or email; and
b) facsimile numbers and email addresses before sending personal information.
If the Company no longer needs the personal information for any purpose for which it may be used or disclosed by the Company, the Company must take reasonable steps to destroy or permanently make anonymous the information, unless:
a) it is contained in a Commonwealth record; or
b) the Company is required by law, or a court/tribunal order, to retain the information.
Permanent anonymity means that the Company is not able to match the anonymous information with other records to re-establish the identity of individuals.
Permitted destruction of personal information must occur by a secure means. Paper based records are shredded or disposed of securely by an authorised disposal company. Electronic records are overwritten before being deleted.
16. Access to personal information
Customers have a legal right to access personal information the Company holds about them, unless an exception in the Privacy Act and the PIP Act applies.
Factors affecting a right to access include:
a) access would pose a serious threat to the life or health of any individual;
b) access would have an unreasonable impact on the privacy of others;
c) a frivolous or vexatious request;
d) the information relates to existing or anticipated legal proceedings between the Company and the individual, and would not be accessible by the process of discovery in those proceedings;
e) access would reveal the intentions of the Company in relation to negotiations with the individual in such a way as to prejudice those negotiations;
f) access would be unlawful;
g) denying access is required or authorised by or under any law or a court/tribunal order;
h) access would prejudice the taking of appropriate action in relation to unlawful activity or serious misconduct relating to the Company’s functions or activities;
i) access would be likely to prejudice a law enforcement related activity; or
j) access would reveal evaluative information generated within the Company in connection with a commercially sensitive decision-making process.
Customers can request an electronic copy of their personal information by contacting the Company’s Privacy Officer in accordance with section 21 of this policy.
Customers do not have to give a reason when asking for access to their personal information. A copy of information held on all databases as well as a copy of the reservation details should be sent to the customer on request via the Privacy Officer in accordance with section 21 of this policy.
The Company must respond to a request for access within a reasonable time (usually within 30 days), and may give access in the manner requested by the individual, if it is reasonable and practicable to do so. The Company may need to verify the customer’s identity before it gives the customer access to their personal information.
If the Company refuses to grant a customer access, then the Company will:
a) take reasonable steps to give the customer access in a way that meets the Company’s needs as well as the customer’s;
b) provide the customer with written reasons for the refusal provided it is reasonable to do so; and
c) provide the customer with the mechanisms available to complain about the refusal.
17. Correction of Personal Information
Customers may make a request to correct personal information held by the Company if it is incorrect, incomplete, out-of-date, irrelevant or misleading by contacting the Privacy Officer in accordance with section 21 of this policy.
If the Company holds personal information about an individual and the Company is made aware that the information may be incorrect, out-of-date, incomplete, irrelevant or misleading, the Company must take reasonable steps to correct that information, having regard to the purpose for which the information is held.
If the Company refuses to correct the personal information, then the Company will provide that person with:
a) written reasons for the refusal provided it is reasonable to do so; and
b) the mechanisms available to complain about the refusal.
The Company must respond to a correction request within a reasonable time (usually within 30 days). The Company may need to verify a customer’s identity before it corrects any personal information.
18. Sensitive Information
The Company does not usually collect sensitive information, which includes information about a person’s ethnic origin, political opinions, religious or philosophical beliefs or affiliations, membership of a profession or trade association, membership of a trade union, details of health, disability, sexual orientation or criminal record.
However, the Company does collect health information for the purposes of its accident/illness reports and as required or permitted by health and safety laws. Health information is regarded as sensitive and as such, is treated as highly confidential. Health information is only accessible to authorised persons for permitted purposes and is not entered on any reservations, sales or marketing databases.
If this information is collected the customer will be told of the purpose of collection by the relevant officer at the point of collection.
The Company must not collect sensitive information about a customer unless the customer consents or an exemption in the Privacy Act and the PIP Act applies. Such circumstances would usually only be in an emergency or when the person had lost consciousness and collection is necessary to prevent or lessen a serious and imminent threat to life, health or safety of any individual or to public health or safety.
19. Breach of Privacy
The Tasmanian Ombudsman and the OAIC have the power to investigate complaints made by individuals about the way organisations manage personal information or to investigate any act or practice that may be a breach of privacy, even if no complaint has been made.
All Employees must understand the obligations placed upon them by this policy. It is a condition of employment that the Company’s Representatives comply fully with this policy at all times.
Non-compliance with this policy is considered by the Company to be an extremely serious matter that may result in disciplinary action in accordance with the Performance Counselling and Discipline Policy.
Serious breaches of this policy may also result in civil or criminal proceedings.
21. Queries or Concerns
If an Employee or a customer has any queries or concerns about the way the Company handles personal information after reading this policy, if an Employee or a customer becomes aware of a potential breach of privacy or if a customer wishes to make a complaint, please contact the Company’s Privacy Officer immediately, on the contact details set out below:
Telephone: (03) 64199000
Postal address: PO Box 168E East Devonport Tasmania 7310
If the Company’s Privacy Officer is unable to resolve the matter, it will be escalated (internally or externally) as appropriate to facilitate resolution.
If the customer is not happy with the outcome of the Privacy Officer’s investigation or the Company has not replied to the customer within a reasonable time, then the customer can raise his/her concern with the OAIC.
Complaints can be made to the OAIC in the following ways:
Telephone: 1300 363 992
Email: email@example.com
Mail: Office of the Australian Information Commissioner GPO Box 5218 Sydney NSW 2001
22. Reporting Breaches
Upon becoming aware of a breach of this Policy, Employees must immediately report the breach to their Manager or as otherwise required or permitted by any applicable law.
Auditors may report breaches of this Policy to the Board.
A breach of this Policy may result in disciplinary action in accordance with the Performance Counselling and Discipline Policy. Such disciplinary action may include (depending on the severity of the breach) reprimand, formal warning, demotion or termination of employment.
23. Interpretation of Policy
Questions relating to the interpretation or enforcement of this policy should be directed to an individual’s Manager.