Queensland Club Industry

PRIVACY CODE

© Clubs Queensland 2001

All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without prior written permission from Clubs Queensland. In the event of publication, statutory copyright is claimed.

Contents

1.               Recitals......................................................................1
2.               Legislative Requirements.......................................................2
3.               Definitions....................................................................4
4.               Rationale.....................................................................5
5.               Goals 5
6.               Privacy Principles and Scenarios................................................5

Privacy Principle 1 - Collection and Quality of Information

Privacy Principle 2 - Use and Disclosure of Information

Privacy Principle 3 - Access, Correction and Openness of Information

Privacy Principle 4 - Security of Information

Privacy Principle 5 - Transborder Flow of Information

7.                  Application of the Privacy Code...............................................13

(a)   General Club Administration and Operation

(b)   Information Collected Under Other Legislation Applicable to Clubs

(c)   Reciprocal Members

(d)   Contractors

8.                  Breach of the Privacy Code..................................................15

9.                  Complaint Facilitation Procedures.............................................16

10.             Staff Training.............................................................17

11.             Acceptance of and Release from the Privacy Code.............................17

12.             Implementation of the Privacy Code..........................................18

13.             Administration of the Privacy Code...........................................18

14.             Review of the Privacy Code.................................................19

Forms and Signage

A.  Approval Letter from the Privacy Commissioner

B.      Summary of the NPPs

C.     Club Privacy Code

D.     Club Privacy Practices

E.      Register of Complaints and Actions

F.      Register of Training

G.     Acceptance of the Queensland Club Industry Privacy Code

H.    Release from the Queensland Club Industry Privacy Code

1.1             Clubs Queensland, the peak Industry Association and Union of Employers of all Registered and Licensed Clubs in Queensland, has developed the Queensland Club Industry Privacy Code (“Privacy Code”), in consultation with (amongst others) the public and its member clubs, to enable and facilitate member clubs to implement the provisions of the Privacy Act 1988 (Cth) (incorporating the Privacy Amendment (Private Sector) Act 2000) (“Privacy Act”). Accordingly, Clubs Queensland is the Privacy Code Administrator for the Queensland Club Industry Privacy Code.

1.2             The Privacy Code outlines the obligations of member clubs under the Privacy Act regarding the collection, use, storage and disclosure of personal information of club members and patrons and also provides procedures member clubs must follow when collecting, using, storing and disclosing such information. Where possible, the Privacy Code provides general examples, scenarios, forms and appropriate wordings for signage to assist member clubs to meet their privacy obligations.

1.3             The Privacy Code does not include its own complaints handling mechanism and all complaints are to be handled as set out in the Privacy Act. However, in most instances the  Privacy Commissioner considers it appropriate for the complainant to deal initially with the relevant member club (respondent).  The Privacy Code outlines various guidelines that member clubs are encouraged to follow to ensure a consistent, fair, visible, accessible, responsive and accountable approach to privacy. In all instances where a member or patron has made a complaint in respect of their privacy to a member club, that member club must use all reasonable endeavours to ensure that it maintains principles of procedural fairness and uphold obligations of confidentiality as required under the Privacy Act.

1.4             Member clubs understand that the Privacy Code is voluntary and they may or may not choose to be bound by it. If they choose to be bound by the Privacy Code, their obligations outlined in the Privacy Code can be enforced by law. Member clubs also understand that they can seek to be released to be bound by the Privacy Code at any time after they accept the Privacy Code. To avoid any doubt, a member club will (in addition to other instances expressly provided for in the Privacy Code) be released from the Privacy Code upon the receipt by the Privacy Code Administrator of a completed and executed ‘Release from the Privacy Code’ form (Appendix H). Member clubs that do not accept the Privacy Code will be, by default, bound by the National Privacy Principles (NPPs) under the Privacy Act. Member clubs that cease to be financial members of Clubs Queensland will automatically cease to be bound by the Privacy Code.

1.5             As required by the consultation provisions under the Privacy Act, Clubs Queensland provided a draft Privacy Code to members of the public, consumer groups and other relevant stakeholders, including member clubs, which in turn made copies of the draft Privacy Code available to their members, patrons and other interested parties upon request, for comments and feedback. The consultation period was for approximately 4 months to allow an adequate and real opportunity for the public and stakeholders to comment on the draft version of the Privacy Code. At the conclusion of the consultation period, all comments were considered and, where appropriate, the comments and feedback have been incorporated in the final Privacy Code.

1.6             Clubs Queensland then submitted the Privacy Code to the Privacy Commissioner and received approval on [Insert Date]. The Privacy Commissioner’s approval is included in Appendix A. Accordingly, the Privacy Code is effective from [insert approval date]. The approval by the Privacy Commissioner demonstrates that the Privacy Code meets the minimum privacy standards as stipulated in the Privacy Act.  Any changes to the Privacy Code after the date it has been approved must be endorsed by the Privacy Commissioner.

1.7             The Privacy Commissioner may, at any stage, revoke the Privacy Code, in which event, the Privacy Code will cease to have any effect or operation from the date of revocation.  It is the responsibility of Clubs Queensland, as the Privacy Code Administrator, to advise member clubs, public and other interested parties of the revocation.

2.1             The reference document for the Privacy Code is the Privacy Act.

2.2             The Privacy Act came into effect on 21 December 2001 but gives an additional 12 months, until December 2002, to some organisations with an annual turnover of $3 million or less to comply. 

The Privacy Act defines organisations as follows:

• businesses, including not-for-profit organisations such as charitable organisations, sports clubs and unions, with a turnover of more than $3 million;
• federal government contractors;
• health service providers that hold health information (even if their turnover is less than $3 million;
• organisations that carry on a business that collects or discloses personal information for a benefit, service, or advantage (even if their turnover is less than $3 million);
• small business with a turnover of less than $3 million that choose to opt-in;
• incorporated State Government business enterprises; and
• any organisation that regulations says is covered.

The Privacy Act defines annual turnover as follows:

The annual turnover of a business for a financial year is the total of the following that is earned in the year in the course of the business:

(a)                the proceeds of sales of goods and/or services;

(b)                commission income;

(c)                 repair and service income;

(d)                rent, leasing and hiring income;

(e)                government bounties and subsidies;

(f)                  interests, royalties and dividends;

(g)                other operating income.

2.3             The Privacy Act establishes minimum requirements (known as the National Privacy Principles “NPPs” – Appendix B) in relation to how private organisations should collect, use, keep secure and disclose personal, health and sensitive information that can be recorded in some form (including an electronic record).  Additional privacy requirements apply to the public sector, known as the Information Privacy Principles that are not applicable to Clubs Queensland or its member clubs.

The Privacy Act defines personal, health and sensitive information as follows:

• personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
• health information means:

(a)                information or an opinion about:

(i)                  the health or a disability (at any time) of an individual; or

(ii)                 an individual’s expressed wishes about the future provision of health services to him or her; or

(iii)               a health service provided, or to be provided, to an individual;

 that is also personal information; or

(b)                other personal information collected to provide, or in providing a health service; or

(c)                 other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs of body substances.

• sensitive information means:

(a) information or an opinion about an individual’s

 (i) racial or ethnic origin; or

 (ii) political opinions; or

 (iii) membership of a political association; or

 (iv) religious beliefs or affiliations; or

 (v) philosophical beliefs; or

 (vi) membership of a professional or trade association; or

 (vii) membership of a trade union; or

 (viii) sexual preferences or practices; or

 (ix) criminal record;

 that is also personal information; or

(b) health information about an individual.

2.4             The Privacy Act requires affected organisations to comply with the NPPs, as minimum privacy standards. The NPPs operate as default principles, unless replaced by an industry Privacy Code approved by the Privacy Commissioner, which must be drafted in accordance with the Privacy Act, the prescribed standards and other guidelines issued by the Privacy Commissioner, including a demonstration of the Privacy Code as having obligations at least equivalent to the NPPs.

2.5             The Privacy Code, once approved by the Privacy Commissioner will mean that member clubs (who agree to be bound by the Privacy Code) must comply with the Privacy Principles as set out in the Privacy Code rather than the NPPs set out in the Privacy Act. The Privacy Code will have official status and the obligations under the Privacy Code will be  binding on member clubs and enforceable by law.

3.1             “contractor” means a party that has a contractual relationship with a member club to provide a service or product;

3.2             “cookie” means a short file that gets stored in an internet browser when an individual accesses information on a site and may record information such as the type of information accessed and the searches performed;

3.3             “direct marketing” means any approaches made or activities undertaken that promote, advertise or market products or services;

3.4             “Enforcement Body” means any agency, body, authority, police force or service, of the Commonwealth, a State or Territory which is (among other things) responsible for administering, or performing a function under, a law that:

(a) imposes a penalty or sanction; or

(b) relates to conducting criminal investigations or inquiries, or the protection of               the public revenue;

3.5             “health information” has the meaning set out in Clause 2.3 of this Privacy Code;

3.6             “member” means any individual who is an on-going financial member of a member club;

3.7             “member club” means a club that is an on-going financial member of Clubs Queensland;

3.8             “patron” means any member of the public who has contacted or been in contact with a member club;

3.9             “personal information” has the meaning as set out in Clause 2.3. of this Privacy Code;

3.10         “primary purpose” means the sole, dominant or fundamental reason or purpose for collecting information;

3.11         “Privacy Code” means this Privacy Code and any annexure or appendix to it;

3.12         “Privacy Code Administrator” means Clubs Queensland at 3rd Floor, South Tower, Terrace Office Park, 527 Gregory Terrace, Bowen Hills, Fortitude Valley Queensland 4006, (telephone (07) 3252 0770, facsimile (07) 3252 0971, website (www.clubsqld.com.au) or email (mukesh@clubsqld.com.au));

3.13         “Privacy Commissioner” means the Federal Privacy Commissioner;

3.14         “reciprocal club” means a club that has a reciprocal arrangement with another club under Clubs Queensland Reciprocal Arrangement;

3.15         “related body corporate” means:

(a) a holding company of another body corporate;

(b) a subsidiary of another body corporate; or

(c) a subsidiary of a holding company of another body corporate.

3.16         “sensitive information” has the meaning set out in Cause 2.3 of this Privacy Code;

3.17         “secondary purpose” means any reason or purpose other than a primary purpose; and

3.18         “special circumstances” means only those circumstances associated with preventing a threat to the life of an individual or reducing possible harm or injury to an individual where the individual to whom the information relates is incapable or unable (either by law, a physical limitation or otherwise) to provide consent to the collection of information.

4.1              Although the NPPs under the Privacy Act outline the various privacy obligations and rights of individuals and organisations, Clubs Queensland and member clubs have taken a positive step in developing the Privacy Code (and its own Privacy Principles (see: Section 6) to send a positive message to the community that member clubs take privacy issues of their members and patrons seriously.

4.2              The Privacy Code demonstrates that member clubs are not just passive recipients of the Privacy Act but have gone (in some instances) beyond the Privacy Act by putting in place additional measures through this Privacy Code to protect the privacy of their members and patrons.

4.3              The fact that the Privacy Code is industry-specific puts member clubs in a better position to handle privacy issues through an ownership and commitment to the Privacy Code.

5.1             The goals of the Privacy Code are to set industry-wide standards by:

(a)                   ensuring compliance of the Privacy Act, including meeting or exceeding the standards stipulated by the NPPs; and

(b)                   creating a culture of confidence and security in the services provided by member clubs that involve collection, use, storage and disclosure of personal information; and

(c)                   demonstrating commitment to best practices regarding secure, proper and consistent handling of member’s and patron’s information; and 

(d)                   establishing industry-specific procedures and guidelines to facilitate privacy complaints in instances where a member or patron maybe required by the Privacy Commissioner to first contact the relevant member club before lodging a complaint with the Privacy Commissioner.

6.1 Privacy Principle 1 - Collection and Quality of Information

(a)               The member club will only collect (or otherwise gather, acquire or obtain) personal information from members and/or patrons that is necessary for it to meet or fulfil its activities and functions. If personal information is not provided by members and/or patrons  in some instances, various functions of the member club will not be able to be performed (for example, processing of membership applications).

(b)               The member club will use its best endeavours to ensure that the personal information is collected directly from the relevant members and/or patrons. If the member club decides to collect information about a member or patron from a third party (eg: parents, friends etc), it will take reasonable steps to inform the member or patron (about whom the information is collected) of the matters listed in Privacy Principle 1(e).

(c)               The member club will take reasonable steps to ensure that the personal information it collects is accurate, complete and up-to-date.

(d)               When collecting personal information, the member club will use lawful and fair means, which are not unreasonably intrusive.

(e)               The member club will provide the following details to members and/or patrons from whom the information is collected, when the information is collected or as soon as practicable after it is collected:

• the proper trading name and contact details of the member club; and
• the purpose/reason(s) why the information is being collected by the member club, including any legislative requirements for the information to be collected (eg: to process application for club membership etc); and
• details of  those individuals or organisations likely to receive the information; and
• the way the member or patron giving the information can access, update and amend their personal information held by the member club; and
• the major consequences (eg: denial of club membership, access to facilities, etc.) that may result if the member or patron does not give the information requested by the member club; and
• the way the member or patron can notify or communicate to the member club if they do not wish to receive direct marketing communication.

(f)                 A statement, setting out those details referred to in Privacy Principle 1 (e) must be included as part of all new membership application forms. Where applicable, the membership application form must also include a statement that “your personal information (name and address) will be publicly displayed (for a period of no more than 30 days) at the club prior to any acceptance of you as a member”. As a general rule under the constitution of various member clubs, an individual’s name and address is required to be publicly displayed at the club (for a period of generally no more than 30 days), prior to any membership application being approved.

(g)               The member club will take special precautions regarding collection of sensitive information and will not collect sensitive information, unless the relevant member or patron has consented, or the information is required by law, or is necessary under special circumstances. The member club will collect sensitive information directly from the relevant member or patron and will de-identify or destroy sensitive information once it is no longer required by the member club.

(h)               The member club will give an option to members and patrons to interact anonymously with the member club, where lawful and practicable, such as (amongst other things) making the name and address of respondents optional in direct marketing surveys undertaken by the member club.

(i)                 The member club will not adopt, use or disclose any identifiers that have been assigned by a Commonwealth government agency, such as a drivers licence, medicare or tax file number etc. The ABN of the member club is not an identifier under this Privacy Code.

(j)                 The member club must not must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contract service provider (for a Commonwealth contract acting in its capacity as contracted service provider for that contract) unless the use or disclosure is necessary for the member club to fulfil its obligations to the agency.

Scenario

The following scenario explains a practical application of Privacy Principle 1. The scenario is not definitive and member clubs should take into consideration their own circumstances when dealing with privacy issues at their venues.

The Greengrass Club recently conducted a market survey to gauge the satisfaction levels of its members and patrons regarding the use of their newly opened dining area. In the questionnaire that it sent out to members and patrons, the club included questions such as: How many times do you dine at the club in a given week, what type of food do you usually order and why you liked dining at the club? Some members and patrons complained that, while they had no problems responding to a majority of the questions, they thought that some questions were too intrusive and mostly irrelevant. Two examples they cited were: What type of food do you eat at home and why you or other members of your family would or would not eat certain foods?

The Greengrass Club was at fault in the design of the questionnaire because it included questions that sought information which did not relate to the operation of the dining area in the club. These questions were also very personal and intrusive in nature and encouraged the collection of information from persons without their consent. The club should only include questions that relate directly to the operation of the dining area in the club and should also provide members and patrons the option of responding anonymously. In this instance, the responses should also be collected directly from members and patrons because they are the ones using the dining facility at the club.

6.2 Privacy Principle 2 - Use and Disclosure of Information

(a)           The member club will generally hold information about a member or patron, such as name, street, telephone number(s), date of birth, email address, occupation, or any other information provided through the membership application form, customer surveys or direct marketing communications and will ensure that all information it uses or disclosures is accurate, complete and up-to-date.

(b)           The member club will keep a written record of all use and disclosure of personal information of members and/or patrons.

(c)           The member club will not disclose personal information about members and/or patrons to any person or organisations except in the ordinary operation of its business.

(d)           Subject to Privacy Principle 2(e), the member club will only use or disclose the personal  information for the primary purpose for which the information is collected (such as, providing its services, or  to process an application for club membership). There can only be one primary purpose for a particular transaction. 

(e)           The member club will not use or disclose the personal information for a secondary purpose unless:

• the secondary purpose is directly related to the primary purpose of collection and the member or patron would reasonably expect the member club to use or disclose the information for the secondary purpose; or
• the member or patron has consented to the use or disclosure of the information; or
• it reasonably believes that the use or disclosure is necessary to lessen or prevent:

(i) a serious and imminent threat to an individual’s life, health or safety;               or

(ii) a serious threat to public health or public safety; or

• the use or disclosure is required or authorised by or under law; or
• it reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an Enforcement Body:

 (i) the prevention, detection, investigation, prosecution or punishment of                             criminal offences or breaches of any law;

 (ii) the enforcement of laws relating to the confiscation of the proceeds                              of crime;

 (iii) the protection of the public revenue;

 (iv) the prevention, detection, investigation or remedying of seriously                              improper conduct or prescribe conduct; or

              (v) the preparation for, or conduct of, proceedings before any court or  tribunal, or implementation of orders of a court or tribunal.

(f)             The member club will only use personal information (other than sensitive information) for its own direct marketing if:

• it is impracticable for the member club to seek the member’s or patron’s  consent before that particular use; and
• the member or patron has not made a request to the member club to not receive the direct marketing communication; and
• each direct marketing communication provides an option for the member or patron to not receive any further direct marketing communication and the member club does not charge the member or patron for giving effect to this clause; and
• contact details of the member club (including an electronic contact details) are included in the direct marketing communication.

(g)               The member club will also adhere to the use and disclosure requirements under this Privacy Code when using or disclosing information collected from a related body corporate or when disclosing information to a related body corporate.

(h)               If a member club, as a secondary purpose, has collected certain personal information which may assist it with investigating or reporting (to relevant persons or authorities) suspected unlawful activity, then the member club may use or disclose the personal information for the secondary purpose provided that the member club has reasonable grounds to suspect that an unlawful activity has been, is being or may be perpetrated.

(i)                 The member club will retain and maintain accurate records in respect of any requests made by members and/or patrons to cease sending any direct marketing  material.

Scenario

The following scenario explains a practical application of Privacy Principle 2. The scenario is not definitive and member clubs should take into consideration their own circumstances when dealing with privacy issues at their venues.

After a successful refurbishment program, the Redhat Club appointed a telecommunication company as its preferred supplier for telecommunication services. The telecommunication company already knew many members and patrons of the club and requested the Redhat Club to provide contact details of its new members to the company so that the company could better serve the club. The Redhat Club agreed to provide details of only their new members who had indicated by their express consent in the club membership form that they wished to receive promotional offers from time to time. The Redhat Club also attached the conditions that all advertising and promotions by the telecommunication company include an option for members to not receive any further advertising and promotions and that the company does not charge the members for receiving the promotions. Later, the Redhat Club informed new members in the club newsletter about the release of their details and that they ”may receive special discounts from the telecommunication company”. 

The Redhat Club used personal information of its new members for the secondary purpose of direct marketing. The obvious benefits to the club were creating an incentive to attract more members by linking the promotional offers of the club’s preferred telecommunication supplier to club membership and also to foster a better business relation with the company. The club was right in only releasing details of new members who had indicated in their club membership form that they wished to receive promotional offers and attaching the above conditions. Admittedly, it would have been very difficult for the club to individually inform new members of the release of their personal details so the club used the club newsletter.

6.3 Privacy Principle 3 - Access, Correction and Openness of Information

(a)               The member club will give access  to personal information should the member or patron to whom the information relates request the information in writing. The member club will endeavour to provide this access within 14 days.  This access entitlement will be granted, provided that:

• it does not pose a serious or imminent threat to the life or health of any individual; or
• it does not unreasonably impact upon the privacy of other individuals (for example, the information in question is directly related to the member or patron making the access request); or
• the request is not frivolous or vexatious; or
• the information does not relate to existing or anticipated legal proceedings between the member club and the member or patron and the information would not be accessible by the process of discovery in those proceedings; or
• access to the information does not reveal the intention of the member club in relation to negotiation with the member or patron in such a way as to prejudice those negotiations; or
• it is not unlawful; or
• denial of access of the information is authorized or required by law; or

•                 it does not:

(i) prejudice the prevention, detection, investigation, prosecution or punishment of criminal offices or breaches of any law;

(ii) prejudice the enforcement of laws relating to the confiscation of proceeds of crime;

(iii) prejudice the protection of the public revenue;

(iv) prejudice the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

(v) prejudice the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders; or

(vi) damage the national security arrangements;

of or by an Enforcement Body.

(b)               Where access to personal information would reveal evaluative information generated within the member club in connection with a commercially sensitive decision-making process, the member club will not provide direct access but will give an explanation for the decision not to allow access to that information.

(c)               Where appropriate, the member club may facilitate mutually agreed intermediaries from both parties (member club and member or patron) in regard to information that cannot be made available to the member or patron.

(d)               The member club will not charge any fees for lodging a request for access to personal information but may charge a reasonable fee for providing access to personal information.

(e)               If a member or patron informs the member club in writing that the information held by the club about himself or herself is not accurate, complete or up-to-date, the member club will (if the assertion by the member or patron is correct)  endeavour to update the information as soon as reasonably practical.

(f)                 The member club will take reasonable steps to include with the requested information a statement claiming that the information is not accurate, complete or up-to-date if the member or patron and the member club are unable to agree that the information is accurate, complete and up-to-date and the member or patron requests the club to provide the statement.

(g)               The member club will a provide reason for any denial of access or refusal to correct personal information.

(h)               The member club will put the signage in Appendix C in a prominent location in the member club to inform members and patrons about its information management practices, including the type of information it holds, for what purpose, and how it collects, holds, uses and disclosures information.

Scenario

The following scenario explains a practical application of Privacy Principle 3. The scenario is not definitive and member clubs should take into consideration their own circumstances when dealing with privacy issues at their venues.

John had been a regular member of the Yellow Hill Club for many years. As a result, he was well known to the club staff and management. He decided to use his contacts at the club to help the local gambling support group better target people who may have a problem with gambling in the area. John asked the club to release relevant details, including the number of people regularly playing the pokies at the club and contact details of those seeking self-exclusion from the club.

Individuals can only access their own personal information and not the personal information of others.  Accordingly, the Yellow Club declined to release the information, citing that it would unreasonably impact on the privacy of its members and patrons. Also the information was commercially-sensitive and the release would commercially disadvantage the club, as the area had three hotels competing in the same market as the club. However, to meet its privacy obligations, the club arranged a meeting with John and the local support group and provided them with general statistical information.

On a separate occasion, John received a letter from the Yellow Hill Club requesting renewal of his membership.  He noticed that his phone number was incorrect and wondered what other information held by the club was also incorrect.  He contacted the Club Manager and requested access to his personal information held by the club.  After completing the relevant form, John was provided with his personal information held by the club.  He noticed that his phone number, e-mail address and date of birth were all incorrect.  John requested that these details be corrected.  Once the Club Manager had verified the new details, John’s record was updated. 

6.4 Privacy Principle 4 - Security of Information

(a)               The member club will take reasonable steps to safeguard the information it collects and holds by locating the information in a secure place in the club (eg: a lockable filing cabinet in the Club Manager’s office etc.).

(b)               The member club will establish clear guidelines as to which staff members can access personal information and under what circumstances (eg: when the Club Manager is on annual/sick leave).

(c)               The member club will prevent unauthorised access, modification or disclosure and misuse or loss of personal information by putting in place appropriate measures, such as, installing lock and key, designating some areas as “For Staff Only” etc. In the case of computer records, the member club will put in place appropriate protection mechanisms such as use of a password, virus protection software and firewall.

(d)               In respect of those member clubs that have internet and email facilities, the member club will implement an email/internet policy/statement regarding the transmission of personal information through the internet and by email. The member club will provide regular training and education sessions to ensure staff understand their privacy obligations relating to the use of the email and internet facilities provided by the member club.

(e)               The member club will take reasonable steps to destroy or de-identify any information that is no longer needed (such as, shredding or pulping paper records, and deleting or erasing information stored electronically).

(f)                 The member club, as far as practicable, will not permit staff members to discuss personal, health and sensitive information of members and patrons in front of other members and patrons or members of the community.

Scenario

The following scenario explains a practical application of Privacy Principle 4. The scenario is not definitive and member clubs should take into consideration their own circumstances when dealing with privacy issues at their venues.

The Blissvale Club, being a small club with only a few staff, welcomed all offers of assistance when it organised major functions at the club. The Club Manager would ask the volunteers to help in various ways, including taking turns to telephone members and patrons to confirm their attendance at the functions at the club. After receiving three separate calls, only one of which related to the functions at the club, Alice, who was a regular member of the club, lodged a complaint with the Club Manager that her personal information was being passed around. She explained that of the three calls she received, two were unrelated to the functions at the club. In fact, both were attempts to sell her some products that she had not solicited.

The Blissvale Club had clearly failed to take reasonable steps to safeguard the personal information of its members and patrons by allowing access to the information to unauthorised persons, in this case volunteers, working at the club. In addition, the volunteers misused the information by passing it to third parties. The Blissvale Club should locate the information in a secure place in the club and also establish clear guidelines and a privacy policy as to who can access personal information. The club should also take reasonable steps to prevent any misuse of the information, as it happened in this case.

6.5 Privacy Principle 5 - Transborder Flows of Information

(a)             Subject to clause 6.5(b), the member club will only transfer personal information of a member or patron to a recipient in a foreign country if:

• the member or patron  consents to the transfer; or
• where the transfer is for the benefit of the member or patron and it is impracticable to obtain the consent of the member or patron  to the transfer and if it were practicable to obtain such consent, the member or patron would be likely to give it;  or
• the transfer is necessary for the conclusion or performance of a contract between the member or patron and the organisation, or for the implementation of pre-contractual measures taken in response to the member’s or patron’s request, or
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the member or patron between the organisation and a third party.

(b)         The member club will not transfer information to a recipient in a foreign country in circumstances where the:

• recipient of the information is in a jurisdiction that does not have adequate protection similar to the protection accorded under the Privacy Code and Privacy Act; or
• the member or patron  about whom the information relates has not consented to the transfer of information; or
• information may be used in ways which are inconsistent with the Privacy Code.

(c)              In some instances, the member club may ask for a written assurance from the parties involved that the information will remain secure before transferring the information.

Scenario

The following scenario explains a practical application of Privacy Principle 5. The scenario is not definitive and member clubs should take into consideration their own circumstances when dealing with privacy issues at their venues.

The Long Road Club, situated in Brisbane, received a request from a hotel in Germany for contact details of its members so that it may offer discounts to those members travelling to Germany.  Although the club was satisfied that the hotel adhered to the stringent privacy obligations imposed on organisations within the European Community, it was not satisfied that its members would consent to the disclosure of their personal details. The club also felt the disclosure would be inconsistent with its privacy statement.

Rather than disclose the information, the Long Road Club requested the hotel to send its brochures and any discount offers to the club. The Long Road Club then displayed the brochures and offers in the club for the information of its members and patrons.  Members and patrons could then contact the hotel personally for further information.  The Long Road Club also mentioned the offer in its newsletter.

7.1 General Administration and Operation

(a)               Membership Application Form

eg: The member club should, in addition to providing its proper trading name and contact details, include a privacy statement explaining why the personal information is being collected, details of individuals and organisations likely to receive the information, how the member or patron can access, update and amend the personal information held by the club, any consequences that may result if the requested information is not provided by the member or patron and how the member or patron can request the member club to cease sending direct marketing materials to them.

(b)               Membership Database

eg: The member club should keep accurate, complete and up-to-date records and also ensure that both physical and electronic databases are secure.

(c)               Members’/Reciprocal Members’ and Visitors’/Guests’ Sign-in Registers

eg: For Members’/Reciprocal and Visitors’/Guests’ Sign-in Registers (“Registers”) that were printed prior to 21 December 2001 and do not facilitate the prevention of unauthorised access to the Registers, member clubs will ensure that:

• Registers are placed in appropriate locations to prevent them from being stolen; and
• an appropriate sign is displayed within close proximity of the Registers, notifying patrons, visitors and members that they are to complete and sign the Sign‑in Register (as required under the Liquor Act (Qld) 1992) and that their personal information (name, address and membership number) recorded in the Sign-in Register may be able to be seen by other members of the public who read or sign the Sign-in Register.

In respect of the Visitors’/Guests’ Sign in Register (“Visitor Register”) and to assist member clubs with new obligations under this Privacy Code in respect of direct marketing, member clubs must include on each of the tear off slips of the Visitor Register a statement such as “Please tick here (insert box) if you do not wish to receive any direct marketing materials”.  

(d)           Internet and E-mail

eg: The member club should circulate an appropriate email/internet policy/statement outlining (among other things) how email correspondence is to be internally and externally handled, and other internet usage restrictions to be imposed upon staff.

(e)           Club Website

eg:  If the member club uses cookies, web bugs or other means in respect of their website, they need to advise the public accordingly, and may include in a relevant policy the following statement: “This website uses cookies. A cookie can record your name and address and other personal details such as your credit card number. You can turn off cookies in your browser. However, this may result in some parts of the website not being accessible to you.”

(f)             Loyalty Programs

eg: The member club should inform members and patrons that their personal information may be used by loyalty programs operated by the member club and can include a statement in its promotional brochures as follows: “The club will not send you direct marketing materials, if you have indicated that you do not wish to receive them.”

(g)           Advertising and Promotions

eg: The member club should not associate members’ or patrons’ names with prize winnings.  When contacted by members and/or patrons (either by email, post, telephone or otherwise) to request the member club to cease sending further direct marketing material, the member club must ensure that no further direct marketing material is sent, unless otherwise notified.

(h)           Correspondence

eg: The member club should put in place procedures that ensure all letters, emails or other correspondence are only able to be accessed by the intended recipients.  This means that only those to whom correspondence is addressed should have access to the information, unless another person has the appropriate authority to access the information.

(i)         Exclusions

The member club should follow the procedures in relation to self-exclusion and exclusions requested by a third party as set out in the Queensland Responsible Gambling Resource Manual to assure members’/patrons’ information remain confidential.

(j)             Video Surveillance

eg: The member club should ensure that access, storage and security of video tapes are by authorised staff only. In instances where the member club maintains video surveillance, in accordance with relevant industry legislation (such as, the Liquor Act (Qld) 1992), appropriate signage notifying the public that they are under surveillance will be displayed.

7.2 Information Collected Under Other Legislation Applicable to Clubs

(a)           Gaming Machine Act (Qld) 1991

eg: The member club should ensure that all personal information relating to the Self-exclusion Deed remains confidential.

(b)           Liquor Act (Qld) 1992

eg: The member club should ensure that personal information requested by staff when checking proof of age remains confidential.

(c)           Keno Act (Qld) 1996

eg: The member club should ensure that personal information requested by staff when checking proof of age remains confidential.

(d)           TAB Act (Qld) 1999

eg: The member club should ensure that personal information requested by staff when checking proof of age remains confidential.

(e)           Workplace Health and Safety Act (Qld) 1995

eg: The member club should ensure that records held by the designated Workplace Health and Safety Officer remain confidential.

(f)             Anti-Discrimination (Qld) Act 1991

eg: The member club should ensure that records held by the designated Officer remain confidential.

7.3  Reciprocal Members

The member club will treat the privacy concerns of reciprocal club members in the same way as it would deal with the privacy concerns of its members.

7.4  Contractors

In respect of contractors, the member club will make the contractor aware of the privacy principles in the club’s advertisement for provision of contractual services and also during the negotiation process. Where there is a dispute in respect of whether the contractor is bound by obligations under this Privacy Code or another code, the matter will be dealt with in accordance with the Privacy Act.

7.5             Appendix D outlines some best practices that member clubs will adhere to when dealing with the above issues. Member clubs should note that the above is not an exhaustive list but only the most common examples of the application of the Privacy Code. 

8.1             The following constitutes a breach of the Privacy Code:

(a)              The member club does not fully comply with its obligations under the Privacy Code.

(b)              The member club acts or engages or repeats a practice that is contrary to or inconsistent with the Privacy Code.

(c)               The member club fails to respond to a complaint by a member or patron.

(d)              The member club fails to act on a directive by the Privacy Commissioner or the Privacy Code Administrator.

(e)              The member club fails to rectify any action or practice that is contrary to or inconsistent with the Privacy Code.

9.1             The Privacy Code relies on the Privacy Commissioner to deal with all unresolved privacy related complaints. Accordingly, the complaint handling procedures established under the Privacy Code and the Privacy Act (and accompanying guidelines) will apply to the resolution of a privacy complaint made against a member club under the Privacy Code. To avoid any doubt, member clubs must not deal with any privacy complaint other than in accordance with the Privacy Act. If a complaint is instigated or made by a member or patron whilst the member club is (or was) bound by the Privacy Code, the member club will be required to resolve the matter to the extent provided in the Privacy Code.

9.2             However, as the Privacy Act requires a complainant in most instances to complain about the alleged breach to the relevant member club (respondent) in the first instance, the member club will in these cases endeavour to respond to the complainant’s concerns as follows:

(a)              The member club will designate a staff member as the point of contact in the club regarding privacy issues.

(b)              The designated staff member will liaise with the complainant and identify and define the nature and cause of the complaint (and ask, if necessary, for the complaint to be put in writing).

(c)               The designated staff member will then inform the complainant of their rights under the Privacy Code and Privacy Act, and the timeframe (within 30 days) in which the club will be able to respond to the complaint. For example, the designated staff member will inform the complainant that they may take their complaint directly to the Privacy Commissioner in the event that the complainant is not satisfied with the outcome after the initial approach and discussion with the member club.

(d)              The designated staff member will inform the complainant of the response, if any, by the member club, including the basis (legislation, Privacy Code, policies) on which the response was framed.

(e)              If the outcome of this liaison between the complainant and the member club is not to the satisfaction of the complainant, the designated staff member will advise the complainant that the complaint is escalated and should be handled in accordance with the procedures under the Privacy Act (see: Section 36 of the Privacy Act).

9.3             The designated staff member will record details of the complaint and action taken in the Register of Complaints and Actions in Appendix E.

9.4             The member club is obliged to comply with any declaration made by the Privacy Commissioner (for example, if the Privacy Commissioner declares that a certain activity of a member club is contrary to the Privacy Code and/or Privacy Act (see: Sections 52, 55(2) and 55A of the Privacy Act), that member club must not repeat or continue the relevant activity or conduct). In this regard, member clubs must provide all reasonable co-operation as requested by the Privacy Commissioner.

9.5             The member club must ensure that each of the above steps are undertaken within a reasonably appropriate timeframe so that any decision (if any decision is required to be made) is made expeditiously and in a manner that does not compromise the integrity or quality of any such decision.

10.1        All staff will be provided with appropriate training regarding the Privacy Code so that they are aware of the content, procedures and application of the Privacy Code, including referring all privacy complainants to the designated staff member who would be the point of contact for privacy issues in the member club.

10.2        In addition, the designated staff member who will be responsible for privacy issues will undergo further training so that he/she is well informed and better positioned to facilitate in instances where the complainant is required to first contact the club (respondent) before approaching the Privacy Commissioner.

10.3        The member club will keep a record of all training in the Register of Training in Appendix F.

11.1        The Privacy Code is voluntary and the member club has a choice to either accept or not accept compliance with the Privacy Code.  

11.2        If the member club decides to accept the Privacy Code, the member club will then indicate its formal acceptance by completing the Acceptance of the Queensland Club Industry Privacy Code form in Appendix G.

11.3        The member club can complete the Release from the Queensland Club Industry Privacy Code form in Appendix H at any time after formally accepting the Privacy Code, if the member club decides to opt out of the Privacy Code. However, if a complaint is instigated or made by a member or patron whilst the member club is (or was) bound by the Privacy Code, the member club will be required to resolve the matter to the extent provided in the Privacy Code.

11.4        The member club can re-subscribe to the Privacy Code at any time after the date referred to in clause 11.3, provided it meets the requirements set out in clause 11.2 and makes a written application for re-subscription and receives written approval for re-subscription from the Code Administrator.

11.5        Member clubs must return the completed forms/documents referred to in clauses 11.2, 11.3 and 11.4 to the Privacy Code Administrator (in person, by fax or post) to enable the Privacy Code Administrator to maintain accurate, complete and up-to-date electronic and paper records of the Privacy Code members, as required by the Privacy Commissioner.

11.6        Member clubs that cease to be financial members of Clubs Queensland will automatically cease to be bound by the Privacy Code.

11.7        Where a member club does not accept the Privacy Code, the NPPs will apply unless the member club is exempt from the operation of the Privacy Act

12.1        Once the member club has accepted the Privacy Code, it will have all measures in place within one month of the date of the acceptance.

12.2        The member club will inform members and patrons about the various aspects of the Privacy Code and will prominently display the availability of the Privacy Code in a suitable location in the club.

12.3        The member club will undertake regular audits of the operation of the club privacy procedures to ensure that the procedures fully comply with the Privacy Code.

12.4        The member club will lodge a report with the Privacy Commissioner on the operation of the Privacy Code and other matters as specified by the Privacy Commissioner within two months after the end of the financial year of the club. Specifically, this report will outline the number and nature of privacy complaints made against the member club and the amount of time spent dealing with privacy complaints.  The report will be in an electronic form using the template issued by the Privacy Commissioner.

13.1        Clubs Queensland will adopt the role of the Privacy Code Administrator and will be responsible for the administration of the Privacy Code. It will allocate sufficient resources for the administration and continuity of the Privacy Code.

13.2        The Privacy Code Administrator will liase with member clubs in relation to the implementation and compliance with the Privacy Code. Member clubs will direct any questions or feedback in relation to the Privacy Code to the Privacy Code Administrator. 

13.3        The Privacy Code Administrator will be responsible for (amongst other things) complying with the reporting and review requirements under the Privacy Code and Privacy Act.

13.4        Each individual club will nominate a staff member who (amongst other things) will be responsible for the general administration of the Privacy Code at club level. The designated staff member, in addition to facilitating complaints as discussed above, must (amongst other things) report to the Privacy Code Administrator the number and nature of all complaints received and the amount of time spent dealing with each complaint.

13.5        The nominated staff member of each member club must also advise the Privacy Code Administrator (in writing) of any systemic problems that they discover through their own complaint experiences. If any systemic problems are identified, then the Privacy Code Administrator will endeavour to address them appropriately and in accordance with the Privacy Act.

13.6        The Privacy Code Administrator will also maintain an accurate, up to date easily accessible on-line record of Privacy Code members on its website, with a hypertext link to the Privacy Commissioner’s website.

13.7        If any at any stage the Privacy Commissioner revokes the Privacy Code (in accordance with its powers under Section 18BE of the Privacy Act), the Privacy Code Administrator will advise the member clubs, public and all other interested parties accordingly.

13.8        All member clubs and individuals are requested to contact Clubs Queensland to obtain any information they require about the Privacy Code Administrator.

14.1        As the Privacy Code Administrator, Clubs Queensland will, in consultation with the public, its member clubs and other interested parties, review the Privacy Code at least every three years and is committed to allocating sufficient resources for the review process.  The Privacy Code Administrator will provide the review report, with a response to the review report by the Privacy Code Administrator, to the Privacy Commissioner within 30 days of the review being finalised. The Privacy Code Administrator will make available a copy of the above review report to member clubs upon a written request.

14.2        The Privacy Code Administrator will make necessary changes and amendments to the Privacy Code from time to time, in consultation with its member clubs, and will seek the approval of the changes and amendments from the Privacy Commissioner before incorporating the changes and amendments in the Privacy Code.

14.3        Where the Privacy Code Administrator proposes major changes and amendments to the Privacy Code, it will (among other things) undertake adequate consultation with the public, its members clubs and other interested parties and include a report on the result of the consultation process with the application for approval for the variation of the Privacy Code to the Privacy Commissioner. 

____________________

Appendix A

[Insert Approval Letter from the Privacy Commissioner]

Appendix B

SUMMARY OF NPPs

Member clubs should note that this following summary of the NPPs (and any reference to the NPPs) is for information purposes only and member clubs and their members and/or patrons should refer to and comply with the Privacy Code’s Privacy Principles (as set out in Section 6 of this Privacy Code)

Appendix C

Appendix D

Appendix E

Appendix E

Appendix F

Appendix G

Appendix H