Federal Register of Legislation - Australian Government

Primary content

Approvals as made
This Approval varies the Queensland Club Industry Privacy Code - Approval, under section 18BD of the Privacy Act 1988.
Administered by: Attorney-General's
Registered 29 Apr 2009
Tabling HistoryDate
Tabled HR12-May-2009
Tabled Senate12-May-2009
Date of repeal 17 Oct 2014
Repealed by Spent and Redundant Instruments Repeal Regulation 2014 (No. 2)

Adobe Systems

 

 

 

 

 

Approval to vary the Queensland Club Industry Privacy Code

Section 18BD of the Privacy Act 1988 (Cth)

 

 

I, Karen Curtis, Privacy Commissioner, pursuant to section 18BD(2) of the Privacy Act 1988, approve the variation to the Queensland Club Industry Privacy Code which is Schedule 1 of this instrument.

 

 

This approval shall take effect on 1 May 2009.

 

 

 

 

[signed]

 

Karen Curtis

Australian Privacy Commissioner  

22   April  2009

 


SCHEDULE 1

 

Picture1

55 Holland Street, Northgate, QLD 4013 

PO Box 93, Northgate, QLD 4013

Tel: (07) 3252 0770 Fax: (07) 3252 0971

Email: clubs@clubsqld.com.au 

Website: www.clubsqld.com.au

 

 
 

 

 

 

 

 

 

 

Queensland Club Industry

PRIVACY CODE

 

 

© Clubs Queensland 2001

 

 
 
Contents

 

1.                  Recitals ...........................................................................................................1

2.                  Legislative Requirements.................................................................................. 2

3.                  Definitions..................................................................................................... 3

4.                  Goals........................................................................................................... 3

5.                  Privacy Principles........................................................................................... 3

5.1  Collection of Personal Information

5.2  Use and Disclosure of Personal Information

5.3  Access, Correction and Openness of Personal Information

5.4  Security of Personal Information

5.5  Transborder Flow of Personal Information

6.                  Application of the Approved Privacy Code........................................................... 8

7.                  Breach of the Approved Privacy Code................................................................. 8

8.                  Internal Complaint Resolution Procedures............................................................ 8

9.                  Staff Training................................................................................................ 9

10.              Acceptance of and Release from the Approved Privacy Code................................. 10

11.              Implementation of the Approved Privacy Code.................................................... 10

12.              Administration of the Approved Privacy Code..................................................... 10

13.              Review of the Approved Privacy Code............................................................... 11

 

 

Schedule

1.        Approval of the Original Privacy Code

2.        Approval of the Privacy Code (Upon Review)

3.        Dictionary

4.        Privacy Notice

5.        In-House Privacy Policy

6.        Register of Complaints and Actions

7.        Register of Training

8.        Acceptance of the Privacy Code Form

9.        Release from Privacy Code Form


1.               Recitals

 

1.1              The Queensland Club Industry Privacy Code ("Approved Privacy Code (APC)") has been developed by Clubs Queensland, in consultation with relevant stakeholders, to enable and facilitate member clubs to comply with the provisions of the Privacy Act 1988 (Cth).

 

1.2              The APC replaces the National Privacy Principles (NPPs) with equivalent industry-specific privacy obligations regarding the collection, use, storage and disclosure of personal information of club members or patrons. It also provides procedures that member clubs must follow when collecting, using, storing and disclosing such information.

 

1.3              Member clubs understand that the APC is voluntary and they may or may not choose to be bound by it. If they choose to be bound by the APC, they will comply with the APC in lieu of the NPPs. If they choose not to be bound by the APC, they will be, by default, bound by the NPPs, unless they are exempt from the operation of the Privacy Act.

 

1.4             Member clubs also understand that they can seek to be released to be bound by the APC at any time after they accept it. To avoid any doubt, a member club will be released from complying with the APC upon the receipt by the Privacy Code Administrator of a completed and executed ‘Release from the Queensland Club industry Privacy Code’ form.

 

1.5             A member club that is bound by the APC will automatically cease to be bound by the APC if the member club ceases to be a financial member of Clubs Queensland. In this event, the NPPs will apply by default, unless the member club is exempt from the operation of the Privacy Act.

 

1.6              Clubs Queensland is the Privacy Code Administrator of the APC and it will maintain an up-to-date and publicly available register of member clubs bound by the APC, as well as meet other obligations pertaining to effective administration of the APC.

 

1.7              The original Privacy Code was approved by the Privacy Commissioner on 7 August 2002 and took effect on 23 August 2002 (SCHEDULE 1). As required by the Privacy Act, Clubs Queensland reviewed the original Privacy Code, in consultation with relevant stakeholders, in 2005. All comments were considered and, where appropriate, were incorporated in this version of the Privacy Code, which received approval on 22 April 2009 and took effect on 1 May 2009 (SCHEDULE 2).

 

1.8              The Privacy Commissioner may, at any stage, revoke the APC on his or her own initiative or on application by a member club that is bound by the APC. If the APC is revoked, it will cease to have effect or operation from the date of revocation. It is the responsibility of Clubs Queensland, as the Privacy Code Administrator, to advise member clubs, public and other interested parties of the revocation.

 

1.9              The APC is subject to the following limitations, exclusions and conditions:

1.9.1       Amendments to the NPPs or related provisions of the Privacy Act which have a direct bearing on this APC and enacted after the coming into effect of the APC will be treated as if they are included in this APC.

1.9.2       The APC does not cover acts or practices of employer organisations which are directly related to a current or former employment relationship between the employer and an individual, and are also directly related to an employee record held by the organisation relating to that individual. Such acts and practices are exempt from the NPPs.

1.9.3       The APC does not cover any acts or practices exempted by sections 7B(1), (2), (4), (5) and 7C of the Privacy Act. The acts and practices which are exempted by these sub-sections are:

(a)  individuals acting in a non-business capacity;

(b)  organisations acting under Commonwealth contract;

(c)  organisations acting in the course of journalism;

(d)  organisations acting under a State or Territory contract; and

(e)  political acts and practices.

 

1.9.4       None of the Privacy Principles in the APC are intended to derogate from Part VIA of the Privacy Act, which permits the collection, use and disclosure of personal information when an emergency declaration is in force in relation to emergencies and disasters in Australia or overseas.

 

1.9.5       The APC does not have its own complaints handling mechanism and all complaints are to be handled as set out in the Privacy Act. However, in most instances the Privacy Commissioner considers it appropriate for the complainant to deal initially with the relevant member club. In this regard, the APC outlines complaint facilitation procedures that member clubs are encouraged to follow to ensure a consistent, fair, visible, accessible, responsive and accountable approach to privacy complaint resolution. In all instances where a member or patron has made a complaint in respect of their privacy to a member club, that member club must use reasonable endeavours to ensure that it maintains principles of procedural fairness and uphold obligations of confidentiality as required under the Privacy Act.

 

 

2          Legislative Requirement

 

2.1              The reference document for the APC is the Privacy Act.

 

2.2              The Privacy Act defines privacy code to mean a written code regulating acts and practices that affect privacy, which must be approved by the Privacy Commissioner, hence "approved privacy code" (APC). The APC functions in lieu of the NPPs which are contained in the Privacy Act.

 

2.3              The Privacy Act requires the following organisations to comply with the NPPs or an APC:

2.3.1       businesses, including not-for-profit organisations such as charitable organisations, sports clubs and unions, with a turnover of more than $3 million;

2.3.2       Australian government contractors;

2.3.3       health service providers that hold health information (even if their turnover is less than $3 million);

2.3.4       organisations that carry on a business that collect or disclose personal information for a benefit, service, or advantage (even if their turnover is less than $3 million);

2.3.5       small business with a turnover of less than $3 million that choose to opt-in;

2.3.6       incorporated State Government business enterprises; and

2.3.7       any organisation that the regulations says is covered.

 

2.4              The Privacy Act defines annual turnover as follows: The annual turnover of a business for a financial year is the total of the following that is earned in the year in the course of the business:

2.4.1       the proceeds of sales of goods or services;

2.4.2       commission income;

2.4.3       repair and service income;

2.4.4       rent, leasing and hiring income;

2.4.5       government bounties and subsidies;

2.4.6       interest, royalties and dividends;

2.4.7       other operating income.

 

2.5              The Privacy Act requires applicable organisations to comply with the NPPs, as minimum privacy standards. The NPPs operate as default principles, unless replaced by a privacy code approved by the Privacy Commissioner. The privacy code must be drafted in accordance with the Privacy Act, the prescribed standards and other guidelines issued by the Privacy Commissioner. The privacy code must demonstrate having obligations at least the overall equivalent of all the obligations set out in the NPPs.

 

2.6              Organisations that join the privacy code, once it has been approved by the Privacy Commissioner, must comply with the privacy principles as set out in the APC rather than the NPPs as set out in the Privacy Act. The APC will have official status and the obligations under APC will be binding on them and enforceable by law.

 

2.7              The Privacy Act defines enforcement bodies to include both federal and state agencies such as the Australian Federal Police (AFP), Australian Crime Commission (ACC), Australian Securities and Investments Commission (ASIC), Queensland State Police (QSP) and the Criminal Justice Commission of Queensland (CJCQ).

 

 

3                  Definitions

 

SCHEDULE 3 provides definitions of some terms used in the APC. In the event of an inconsistency, the definitions provided in the Privacy Act, as amended from time to time, take precedence over the definitions used in the APC.

 

 

4                  Goals

 

4.1              The goals of the APC are to set industry-wide privacy standards by:

4.1.1       ensuring proactive compliance of the Privacy Act, including meeting or exceeding the standards stipulated by the NPPs;

4.1.2       creating a culture of confidence and security in the services provided by member clubs that involve collection, use, storage and disclosure of personal information;

4.1.3       demonstrating commitment to best practices regarding secure, proper and consistent handling of member’s or patron’s information; and 

4.1.4       establishing industry-specific procedures and guidelines to facilitate privacy complaints in instances where a member or patron may be required by the Privacy Commissioner to first contact the relevant member club before lodging a complaint with the Privacy Commissioner.

 

4.2              It is hoped that the industry-specific approach to privacy through the APC will make member clubs not just passive recipients of the Privacy Act but strengthen their capacity to handle privacy issues through an ownership and commitment to the APC, including in some cases going beyond the legislation to additional best practice measures.

 

 

5                  Privacy Principles

 

5.1      Collection of Personal Information

 

5.1.1       The member club will only collect (or otherwise gather, acquire or obtain) personal information from members or patrons that is necessary for it to meet or fulfil its activities or functions. If personal information is not provided by members or patrons, the member club may, in some instances, be unable to provide the activities or services requested by members or patrons.

 

5.1.2       The member club will use its best endeavours to ensure that the personal information is collected directly from the relevant members or patrons. If the member club decides to collect information about a member or patron from a third party, it will take reasonable steps to inform the member or patron (about whom the information is collected) of the matters listed in 5.1.5, except to the extent that making the member or patron aware of the matters would pose a serious threat to the life or health of any individual.

 

5.1.3       The member club will take reasonable steps to ensure that the personal information it collects is accurate, complete and up-to-date.

 

5.1.4       The member club will use lawful and fair means which are not unreasonably intrusive when collecting personal information.

 

5.1.5       The member club will provide the following details to members or patrons from whom the information is collected, prior to, or when, the personal information is collected or as soon as practicable after it is collected:

(a)  the proper trading name and contact details of the member club; and

(b)  the purpose or reason why the personal information is being collected by the member club, including any legislative requirements for the information to be collected; and

(c)  details of those individuals or organisations likely to receive the personal information; and

(d)  the way the member or patron giving the personal information can access, update and amend their personal information held by the member club; and

(e)  the major consequences that may result if the member or patron does not provide the personal information requested by the member club; and

(f)    the way the member or patron can notify or communicate to the member club if they do not wish to receive direct marketing communication.

 

5.1.6       The member club will include a statement setting out the details referred to in 5.1.5 as part of all new membership application forms. In line with the constitutional requirements of some member clubs, this statement may also include a statement that a potential member’s personal information will be publicly displayed at the club prior to consideration of a potential member’s application.

 

5.1.7       The member club will take special precautions regarding collection of sensitive information and will not collect sensitive information, unless the relevant member or patron has consented, or the information is required by law, or is necessary under special circumstances. The member club will collect sensitive information directly from the relevant member or patron and will permanently de-identify or destroy sensitive information once it is no longer required by the member club.

 

5.1.8       The member club will give an option to members or patrons to interact anonymously with the member club, where lawful and practicable, such as making the name and address of respondents optional in direct marketing surveys undertaken by the member club.

 

5.1.9       The member club will not adopt, use or disclose any identifiers that have been assigned by an Australian Government agency, such as Medicare or tax file number. The ABN of the member club is not an identifier under this Privacy Code.

 

5.1.10   The member club must not use or disclose an identifier assigned to an individual by an agency, or by an agent of an agency or a contracted service provider for a Commonwealth contract (acting in its capacity as contracted service provider for that contract) unless the use or disclosure is necessary for the member club to fulfil its obligations to the agency, or if one or more of conditions in 5.2.6 (c)-(g) apply to the use or disclosure.

 

5.2      Use and Disclosure of Personal Information

 

5.2.1       The member club will generally hold personal information about a member or patron, such as name, street, telephone number(s), date of birth, email address, occupation, or any other information provided through the membership application form, customer surveys, direct marketing communications or otherwise and will ensure that all information it uses or disclosures is accurate, complete and up-to-date.

 

5.2.2       If requested by the member or patron, the member club will notify relevant third parties to inform them that they have received inaccurate, incomplete or not up-to-date information about the member or patron.

 

5.2.3       The member club will keep a written record of all uses and disclosures of personal information of a member or patron.

 

5.2.4       The member club will not disclose personal information about a member or patron to any person, member club or organisation except in accordance with APC.

 

5.2.5       The member club will, subject to clause 5.2.6 and 5.2.7, only use or disclose the personal information for the primary purpose for which the information is collected. There can only be one primary purpose for a particular collection.

 

5.2.6       The member club will not use or disclose the personal information for a secondary purpose unless:

(a)      the secondary purpose is directly related to the primary purpose of collection and the member or patron would reasonably expect the member club to use or disclose the personal information for the secondary purpose; or

(b)      the member or patron has consented to the use or disclosure of the personal information; or

(c)      the member club reasonably believes that the use or disclosure of the personal information is necessary to lessen or prevent:

(i)  a serious and imminent threat to an individual’s life, health or safety; or

(ii)   a serious threat to public health or public safety; or

(d)      if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:

(i)         the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and

(ii)       the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA of the Privacy Act for the purposes of this subparagraph; and

(iii)      in the case of disclosure—the recipient of the genetic information is a genetic relative of the individual; or

(e)      the member club has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(f)        the use or disclosure is required or authorised by or under law; or

(g)      the member club reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i)    the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a prescribed law;

(ii)       the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii)      the protection of the public revenue;

(iv)     the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v)      the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of orders of a court or tribunal.

 

5.2.7       The member club will use personal information (other than sensitive information) for direct marketing as follows:

(a)      The member club will use personal information for its direct marketing if:

(i)         it is impracticable for the member club to seek the member’s or patron’s  consent before that particular use; and

(ii)       the member or patron has not made a request to the member club to not receive the direct marketing communication; and

(iii)      each direct marketing communication provides an option for the member or patron to not receive any further direct marketing communication and the member club does not charge the member or patron for giving effect to this request; and

(iv)     contact details of the member club (including electronic contact details) are included in the direct marketing communication.

(b)      A member or patron may at any time request the member club not to use the member’s or patron’s personal information for direct marketing. If such a request is made, the member club must comply with the request as soon as practicable.

(c)      The member club will retain and maintain accurate records in respect of any requests made by members or patrons to cease sending any direct marketing material.

 

5.2.8       The member club will adhere to the use and disclosure requirements under APC when using or disclosing information collected from a related body corporate or when disclosing information to a related body corporate.

 

5.3      Access, Correction and Openness of Personal Information

 

5.3.1       The member club will give access to personal information should the member or patron to whom the information relates requests the information in writing. The member club will endeavour to provide this access within 14 days. This access entitlement will be granted, provided that:

(a)          access, in the case of personal information other than health information, does not pose a serious and imminent threat to the life or health of any individual; or

(b)          access, in the case of health information, does not pose a serious threat to the life or health of any individual;

(c)          access does not unreasonably impact upon the privacy of other individuals; or

(d)          the request for access is not frivolous or vexatious; or

(e)          the information does not relate to existing or anticipated legal proceedings between the member club and the member or patron and the information would not be accessible by the process of discovery in those proceedings; or

(f)            access to the information does not reveal the intention of the member club in relation to negotiations with the member or patron in such a way as to prejudice those negotiations; or

(g)          access is not unlawful; or

(h)          denial of access of the information is authorised or required by or under law; or

(i)             providing access would not prejudice an investigation of possible unlawful activity; or

(j)            access does not prejudice the:

(i)         prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii)       enforcement of laws relating to the confiscation of proceeds of crime;
(iii)      protection of the public revenue;
(iv)     prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v)      preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders

by or on behalf of an enforcement body; or

(k)           an enforcement body performing a lawful security function does not ask the member club not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

 

5.3.2       If the member club is not required to provide the member or patron with access to the information because of 5.3.1, the member club must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

 

5.3.3       Where providing access would reveal evaluative information generated within the member club in connection with a commercially sensitive decision-making process, the member club may give the member or patron an explanation for the commercially sensitive decision rather than direct access to the information. 

 

5.3.4       The member club will not charge any fees for lodging a request for access to personal information but may charge a reasonable fee for providing access to personal information.

 

5.3.5       The member club will update the information as soon as reasonably practicable if informed by a member or patron that the information held by the club about the individual is inaccurate, incomplete or not up-to-date.

 

5.3.6       The member club will take reasonable steps to associate with the requested information a statement claiming that the information is inaccurate, incomplete or not up-to-date if the member or patron and the member club are unable to agree that the information is accurate, complete and up-to-date and the member or patron requests the club to provide the statement.

 

5.3.7       The member club will a provide reason for any denial of access or refusal to correct personal information.

 

5.3.8       The member club will put the notice in SCHEDULE 4 in a prominent location in the member club to inform members or patrons about its information management practices, including the type of information it holds, for what purpose, and how it collects, holds, uses and discloses personal information.  A member club will take reasonable steps to inform a person of these information management practices on request.

 

5.4      Security of Personal Information

 

5.4.1       The member club will take reasonable steps to safeguard the personal information it collects and holds by locating the personal information in a secure place in the club.

 

5.4.2       The member club will establish guidelines as to which staff members can access personal information and under what circumstances.

 

5.4.3       The member club will prevent unauthorised access, modification or disclosure and misuse or loss of personal information by putting in place appropriate measures.

 

5.4.4       The member club that has internet and email facilities will implement an email/internet policy regarding the transmission of personal information through the internet and by email. The member club will provide regular training and awareness sessions to ensure staff understand their privacy obligations in this regard.

 

5.4.5       The member club will take reasonable steps to destroy or permanently de-identify any personal information that is no longer needed.

 

5.4.6       The member club will take reasonable steps to instruct staff members not to discuss among themselves personal, health or other sensitive information of members or patrons unless it is necessary for the staff member to perform their duties in relation to the member or patron.

 

5.4.7       If a member club discloses personal information to a third party contractor for the purpose of performing a function on behalf of the member club, it will require the contractor, as a condition of the contractor’s engagement, to take reasonable steps to protect that information.

 

5.5      Transborder Flows of Information

 

5.5.1       The member club, subject to clause 5.5.2, will only transfer personal information of a member or patron to a recipient in a foreign country if:

(a)          the member or patron consents to the transfer; or

(b)          where the transfer is for the benefit of the member or patron and it is impracticable to obtain the consent of the member or patron to the transfer and if it were practicable to obtain such consent, the member or patron would be likely to give it;  or

(c)          the transfer is necessary for the performance of a contract between the member or patron and the organisation, or for the implementation of pre-contractual measures taken in response to the member’s or patron’s request; or

(d)          the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the member or patron between the organisation and a third party; or

(e)          the member club has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the APC.

 

5.5.2       The member club will not transfer information to a recipient in a foreign country in circumstances where the:

(a)          recipient of the information is in a jurisdiction not subject to a law substantially similar to the protection accorded under the NPPs in the Privacy Act; or

(b)          the member or patron about whom the information relates has not consented to the transfer of information; or

(c)          information may be used in ways which are inconsistent with the privacy principles in the APC.

 

5.5.3       The member club may, when in doubt, ask for a written assurance from the parties involved that the information will remain secure before transferring the information.

 

 

6              Application of the Approved Privacy Code

 

SCHEDULE 5 outlines a possible in-house policy that member clubs can use to meet their privacy obligations under the APC. Member clubs should note that the policy is not an exhaustive list but only outlines the most common examples of the application of the APC in the member club.

 

 

7              Breach of the Approved Privacy Code

 

A member club commits a breach if the member fails to adhere to a provision of the APC.

 

8              Internal Complaint Resolution Procedures

 

8.1             The complaint handling procedures established under the APC and the Privacy Act (and accompanying guidelines) will apply to the resolution of a privacy complaint made by a member or patron against a member club.

 

8.2             If a complaint is instigated or made by a member or patron whilst the member club is (or was) bound by the APC, the member club will be required to resolve the matter to the extent provided in the APC.

 

8.3             The APC relies on the Privacy Commissioner to deal with all unresolved privacy complaints. The member club is obliged to comply with any declaration made by the Privacy Commissioner and must not repeat or continue the relevant activity or conduct that was the cause of the complaint. In this regard, member clubs must provide all reasonable co-operation, as requested by the Privacy Commissioner.

 

8.4             The Privacy Act requires all complaints to be resolved at the local level as far as reasonably possible. As such, the complainant in most instances should complain about the alleged breach to the relevant member club (respondent) in the first instance.

 

8.5             In the event that a member club receives a privacy complaint, the member club will endeavour to respond to the complainant’s concerns as follows:

8.5.1       The member club will designate a staff member as the point of contact in the club regarding privacy issues.

8.5.2       The designated staff member will liaise with the complainant and identify and define the nature and cause of the complaint (and ask, if necessary, for the complaint to be put in writing).

8.5.3       The designated staff member will then inform the complainant of their rights under the APC and Privacy Act, and the timeframe (within 30 days) in which the club will be able to respond to the complaint. The designated staff member, for instance will inform the complainant that they may take their complaint directly to the Privacy Commissioner in the event that the complainant is not satisfied with the outcome after the initial approach and discussion with the member club.

8.5.4       The designated staff member will inform the complainant of the response, if any, by the member club, including the basis (legislation, APC, policies) on which the response was framed.

8.5.5       If the outcome of this liaison between the complainant and the member club is not to the satisfaction of the complainant, the designated staff member will advise the complainant that the complaint is escalated and should be handled in accordance with s.36 of the Privacy Act.

8.5.6       The designated staff member will record details of the complaint and action taken in the Register of Complaints and Actions in SCHEDULE 6.

 

8.6             The member club must ensure that all complaints are dealt with in a reasonably appropriate timeframe so that any decision (if any decision is required to be made) is made expeditiously and in a manner that does not compromise the integrity or quality of any such decision.

 

 

9                  Staff Training

 

9.1             Relevant staff will be provided with appropriate training so that they are aware of the contents, procedures and application of the APC, including referring all privacy complainants to the designated staff member who will be the point of contact for privacy issues in the member club.

 

9.2             The designated staff member who will be responsible for privacy issues will undergo further training so that he/she is well informed and better positioned to facilitate in instances where the complainant is required to first contact the club (respondent) before approaching the Privacy Commissioner.

 

9.3             The member club will keep a record of the training in the Register of Training in SCHEDULE 7.

 

 

10             Acceptance of and Release from the Approved Privacy Code

 

10.1         The APC is voluntary and the member club has a choice to either accept or not accept compliance with it. Where a member club does not accept the APC, the NPPs will apply as default privacy principles unless the member club is exempt from the operation of the Privacy Act.

 

10.2          If the member club decides to accept the APC, the member club will then indicate its formal acceptance by completing the Acceptance of the Queensland Club Industry Privacy Code form in SCHEDULE 8.

 

10.3          The member club can complete the Release from the Queensland Club Industry Privacy Code form in SCHEDULE 9 at any time after formally accepting the APC, if the member club decides to opt out of the APC. However, if a complaint is instigated or made by a member or patron whilst the member club is (or was) bound by the Privacy Code, the member club will be required to resolve the matter to the extent provided in the APC. To avoid any doubt, a member club will be released from complying with the APC upon the receipt by the Privacy Code Administrator of a completed and executed ‘Release from the Approved Privacy Code’ form.

 

10.4         The member club can re-join the APC at any time after the date referred to in 10.3, provided it meets the requirements set out in clause 10.2 and makes a written submission for re-subscription and receives written approval for re-subscription from the Privacy Code Administrator.

 

10.5         Member clubs must return the completed forms/documents referred to in 10.2, 10.3 and 10.4 to the Privacy Code Administrator (in person, by fax or post) to enable the Privacy Code Administrator to maintain accurate, complete and up-to-date electronic and paper records of the Privacy Code members, as required by the Privacy Commissioner.

 

10.6         Member clubs that cease to be financial members of Clubs Queensland will automatically cease to be bound by the APC.

 

 

11             Implementation of the Approved Privacy Code

 

11.1         Once a member club has accepted the APC, it will have all measures in place within one month of the date of the acceptance.

 

11.2         The member club will inform members or patrons about the operation of the APC and will prominently display the availability of the Privacy Code in a suitable location in the club.

 

11.3         The member club will undertake regular audits of the operation of the club privacy procedures to ensure that the procedures comply with the APC.

 

11.4         The member club will submit information on the operation of the APC to the Privacy Code Administrator, as requested, to enable the Privacy Code Administrator to fulfil its obligations under the APC and the Privacy Act.

 

 

 

 

 

12.    Administration of the Approved Privacy Code

 

12.1          Clubs Queensland will perform the role of the Privacy Code Administrator and will be responsible for the administration of the APC, including complying with the reporting and review requirements under the APC and Privacy Act. It will allocate sufficient resources for the administration and on-going monitoring of the APC.

 

12.2          The Privacy Code Administrator will liaise with member clubs in relation to the implementation and compliance with the APC. Member clubs will direct any questions or feedback in relation to the APC to the Privacy Code Administrator.

 

12.3          Each member club will nominate a staff member who will be responsible for the general administration of the APC at the member club. The designated staff member must report to the Privacy Code Administrator all information that is relevant to the operation of the APC at the member club.

 

12.4          The designated staff member of each member club must also advise the Privacy Code Administrator (in writing) of any systemic problems that they discover through their own compliance experiences. If any systemic problems are identified, then the Privacy Code Administrator will endeavour to address them appropriately and in accordance with the Privacy Act.

 

12.5          The Privacy Code Administrator will maintain an accurate, up-to-date easily accessible on-line record of members of the APC on its website, with a hypertext link to the Privacy Commissioner’s website.

 

12.6          If any at any stage the Privacy Commissioner revokes the APC (in accordance with its powers under Section 18BE of the Privacy Act), the Privacy Code Administrator will advise the member clubs, public and all other interested parties accordingly.

 

12.7          All member clubs and individuals are requested to contact Clubs Queensland to obtain any information they require about the Privacy Code Administrator.

 

 

13.    Review of the Approved Privacy Code

 

13.1          The Privacy Code Administrator will, in consultation with relevant stakeholders that include member clubs and other interested parties, review the APC at least every three years and is committed to allocating sufficient resources for the review process. The Privacy Code Administrator will provide the review report, with a response to the review report by the Privacy Code Administrator, to the Privacy Commissioner within 30 days of the review being finalised. The Privacy Code Administrator will make available a copy of the above review report to member clubs upon a written request.

 

13.2          The Privacy Code Administrator will make necessary changes and amendments to the APC from time to time, in consultation with member clubs, and will seek the approval of the changes and amendments from the Privacy Commissioner before incorporating the changes and amendments in the APC.

 

13.3          Where the Privacy Code Administrator proposes major changes and amendments to the APC, it will undertake adequate consultation with relevant stakeholders, including members clubs, and include a report on the result of the consultation process with the application for approval for the variation of the APC to the Privacy Commissioner. 

 

____________________


Schedule 1 – Approval of the Original Privacy Code

 


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Schedule 2 – Approval of the Privacy Code (Upon Review)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Schedule 3 - Dictionary

 

 

contractor means a party that has a contractual relationship with a member club to provide a service or product;

 

direct marketing means any approaches made or activities undertaken that promote, advertise or market products or services;

 

health information means:

(a)         information or an opinion about:

(i)            the health or a disability (at any time) of an individual; or

(ii)          an individual’s expressed wishes about the future provision of health services to him or her; or

(iii)         a health service provided, or to be provided, to an individual;

        that is also personal information; or

(b)         other personal information collected to provide, or in providing a health service; or

(c)         other personal information about an individual collected in connection with the donation, or intended donation, by the individual or his or her body parts, organs or body substances; or

(d)         genetic information about an individual in a form that is, or could be, predictive of the health of the individual or genetic relative of the individual.

 

health service means:

(a)    an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

(i)     to assess, record, maintain or improve the individual’s health; or

(ii)    to diagnose the individual’s illness or disability; or

(iii)   to treat the individual’s illness or disability or suspected illness or disability; or

(b)    the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

 

member means any individual who is an on-going financial member of a member club;

 

member club means a club that is an on-going financial member of Clubs Queensland;

 

patron means any member of the public who has contacted or been in contact with a member club;

 

personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

 

primary purpose means the sole, dominant or fundamental reason or purpose for collecting information;

 

Privacy Code Administrator means Clubs Queensland located at 55 Holland Street, Northgate Qld 4013. Telephone: (07) 3252 0770, Facsimile: (07) 3252 0971, Website www.clubsqld.com.au and Email clubs@clubsqld.com.au;

 

Privacy Commissioner means the Privacy Commissioner (Federal);

 

reciprocal club means a club that has a reciprocal arrangement with another club under Clubs Queensland Reciprocal Arrangement;

 

related body corporate means:

(a)      a holding company of another body corporate;

(b)      a subsidiary of another body corporate; or

(c)      a subsidiary of a holding company of another body corporate.

 

Sensitive information means:

(a)      information or an opinion about an individual’s

          (i)       racial or ethnic origin; or

          (ii)      political opinions; or

          (iii)     membership of a political association; or

          (iv)     religious beliefs or affiliations; or

          (v)      philosophical beliefs; or

          (vi)     membership of a professional or trade association; or

          (vii)    membership of a trade union; or

          (viii)    sexual preferences or practices; or

          (ix)     criminal record;

          that is also personal information; or

(b)              health information about an individual; or

(c)              genetic information about an individual that is not otherwise health information.

 

secondary purpose means any reason or purpose other than a primary purpose;

         

special circumstances means only those circumstances associated with preventing or lessening a serious and imminent threat to the life or health of an individual where the individual to whom the information relates is incapable or unable (either by law, a physical limitation or otherwise) to provide consent to the collection of information.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Schedule 4 – Privacy Notice

Text Box: CLUB PRIVACY CODE


The ____________________________________ Club is committed to the Queensland Club Industry Privacy Code that stipulates privacy obligations of the club in relation to its members and patrons. 

Some key elements of the Approved Privacy Code are:

1.	The club will collect personal information that is necessary for the club to meet or fulfill its activities and functions and is also required by law. The information can include the name, street, telephone number(s), date of birth, email address, occupation etc. relating to membership applications at the club and other information collected as the result of accessing the facilities and services provided by the club such as player loyalty systems. 

2.	The club will use lawful and fair means, that are not intrusive, to collect personal information. Where lawful and practical, the club will provide members and patrons with a choice of interacting anonymously with the club. 

3.	The club will use personal information in ways that are consistent with the Approved Privacy Code including where practicable seeking the consent of the member and patron about whom the information relates before using the personal information.  

4.	The club will provide opportunities to members and patrons to access the information held about them by the club to the extent provided by the Approved Privacy Code and will ascertain and correct the information if advised in writing that the information is not accurate, complete or up-to-date. 

5.	The club has procedures in place to facilitate privacy complaints and encourages the member or patron (complainant) to first contact the club (respondent) before approaching the Privacy Commissioner. If this facilitation is not to the satisfaction of the member or patron, the club will advise the member or patron to refer the complaint to the Privacy Commissioner. 

A COPY OF THE QUEENSLAND CLUB INDUSTRY PRIVACY CODE IS AVAILABLE ON REQUEST FROM THE PRIVACY CODE ADMINISTRATOR.

PLEASE ASK ONE OF OUR STAFF FOR MORE INFORMATION.
Schedule 5 – In-House Privacy Policy

 

Text Box: CLUB PRIVACY POLICY

The _____________________________ Club is committed to the Queensland Club Industry Privacy Code and will use it to address all privacy issues of members or patrons:

Some ways in which the club will implement the privacy practices are:
•	only collect personal information that is necessary for the club to fulfill its activities and functions or that is required by law;
•	tell members and patrons why the club is collecting the personal information, how the club will use and disclose the information and how they can access the collected information as well as other details required under the Approved Privacy Code;
•	use and disclose personal information for a secondary purpose or for direct marketing in accordance with the Approved Privacy Code;
•	give members or patrons an option of interacting anonymously with the club, where lawful and practicable;
•	use fair and lawful means to collect personal information;
•	ensure that the personal information held by the club is accurate, complete and up-to-date;
•	ascertain and correct any personal information that is not accurate, complete and up-to-date upon member’s or patron’s request;
•	take reasonable steps to protect members’ and patrons’ personal information held by the club by locating the information in a secure place in the club;
•	permanently destroy or de-identify all information that the club will not need in the future;
•	prevent unauthorized access, modification, misuse or loss of personal information by putting in place policies and procedures that explain which staff members can access the information and under what circumstances;
•	designate a staff member to facilitate privacy issues at the club;
•	not use Commonwealth Government identifiers, unless allowed by the Approved Privacy Code;
•	not transfer information overseas unless specific conditions outlined in the Approved Privacy Code are met; and
•	place signage in the club to make members and patrons aware of the privacy obligations of the club, including the privacy complaint facilitation mechanism in place at the club. 

A COPY OF THE QUEENSLAND CLUB INDUSTRY PRIVACY CODE IS AVAILABLE ON REQUEST FROM THE PRIVACY CODE ADMINISTRATOR. 

PLEASE ASK ONE OF OUR STAFF FOR MORE INFORMATION.
Schedule 6 – Register of Complaints and Actions

 

Text Box: REGISTER OF COMPLAINTS AND ACTIONS

Date of Complaint:		___/___/___
Time of Complaint: 	____:_____

Description of Complaint

1. Who was involved in the complaint?
_________________________________________________________________________________________________________________________________________________________________________________________________________________________

2. What happened to cause a complaint to be lodged?
________________________________________________________________________________________________________________________________________________________________________________________________________________________

3. Who reported the complaint?  ____________________________________________

4. What actions were taken by club in response to the complaint?
________________________________________________________________________________________________________________________________________________________________________________________________________________________

5. Was any follow-up undertaken by the club?
_________________________________________________________________________________________________________________________________________________________________________________________________________________________

7. What was the final outcome?
_________________________________________________________________________________________________________________________________________________________________________________________________________________________



______________________			____________________________
Signature of Complainant			Signature of Club Manager/Privacy Officer


____/____/____						____/____/____
Date								Date

 

 

 

 

 

 

 

 

 

Schedule 7 – Register of Training

 

 

REGISTER OF TRAINING

Staff Details Name/ ID

Read and signed the following documents

Other Privacy Training Undertaken (Date, Course Title, Certification etc)

Queensland Club Industry Privacy Code

In-house Procedures (eg: Privacy Complaint Resolution Procedures etc)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Schedule 8 – Acceptance of the Privacy Code Form

Text Box: ACCEPTANCE OF THE QUEENSLAND CLUB INDUSTRY PRIVACY CODE

I, ______________________________ (Name), who is the authorised representative of the _________________________ Club (Name of Club) hereby accept the Approved Queensland Club Industry Privacy Code.

I understand that:

•	acceptance of the Approved Privacy Code is a voluntary act on the part of the club; and 
•	involves a commitment by the club management not to act or engage in a practice that would beach the Approved Privacy Code; and
•	the club can seek release from the Approved Privacy Code at any time after this date by following the procedures outlined in the Code; and
•	the club will automatically cease to be bound by the Approved Privacy Code if and when the club ceases to be a financial member of Clubs Queensland.

From this date, the Approved Privacy Code is binding on the club and the obligations as set out in the Code can be enforced by law. 

Name of Club: _____________________________________________

Authorized Representative:

Signed _____________________________
Name: ______________________________________________
Date: ___/___/___

Witness (who is not an officer of the club)

Signed ________________________________ 
Name: _____________________________________________
Address: ___________________________________________________
___________________________________________________________
Date: ___/___/___


Please return to Clubs Queensland (Attention: Queensland Club Industry Privacy Code Administrator)
Schedule 9 – Release from the Privacy Code Form

Text Box: RELEASE FROM THE QUEENSLAND CLUB INDUSTRY PRIVACY CODE


I, ______________________________ (Name), who is the authorized representative of the _________________________ Club (Name of Club) hereby request that the Club be released to be bound by the Approved Queensland Club Industry Privacy Code.

I understand that the release will be effective upon the receipt of this form by the Privacy Code Administrator. 

Name of Club: _____________________________________________

Authorized Representative:

Signed _____________________________
Name: ______________________________________________
Date: ___/___/___

Witness (who is not an officer of the club)

Signed ________________________________ 
Name: _____________________________________________
Address: _________________________________________________________
________________________________________________________________
Date: ___/___/___


Please return to Clubs Queensland (Attention: Queensland Club Industry Privacy Code Administrator)


NOTE
The club may re-subscribe to the Approved Privacy Code at any time after this date, provided it meets all conditions set out in the Code for voluntarily accepting the Code and also makes a written submission for re-subscription and receives written approval from Clubs Queensland. 

Please note that if a complaint is instigated or made by a member or patron whilst the member club is (or was) bound by the Approved Privacy Code, the member club will be required to resolve the matter to the extent provided in the Code.