PRIVACY POLICY OVERVIEW
Last updated: June 2023
The Building Industry Credit Bureau (“we,” “us,” “our”) provides information, commercial credit risk, and control services to help our members and subscribers make informed decisions about their customers. We are committed to protecting the privacy of individuals. This Privacy Policy describes how we collect, hold, use, and disclose your information and explains the choices that you have regarding how we use your personal information.
By submitting your personal information to us, or by using our services, you acknowledge and consent to us using your personal information in accordance with this Privacy Policy.
This Privacy Policy is intended to enhance the transparency of our operations as a commercial credit bureau and to notify you of your rights and our obligations. It sets out how we comply with our obligations under the Privacy Act 1988 (Cth) (“Act”) and the Australian Privacy Principles (“APP”).
Acknowledgement
We acknowledge that we must take reasonable steps when handling personal information.
Whilst we cannot warrant that this Privacy Policy will be followed in every instance, we will endeavour to follow this Privacy Policy. Similarly, whilst we cannot warrant that loss, misuse or alteration of information will never occur, we will take all reasonable steps to prevent these things from occurring.
We have taken reasonable steps to endeavour to comply with the APP and the Act; some examples are noted below.
- Implementation of this Privacy Policy.
- Staff training and education.
- Clear and transparent procedures regarding the handling of complaints and disclosure of information.
If you require a hardcopy of this Privacy Policy, please contact our Privacy Officer on the details below and we will provide you with a copy.
The kinds of personal information which we will collect and hold
Personal Data
Collection
The personal information we collect is the information that is reasonably necessary for our purposes of operating a commercial credit bureau.
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Some examples of the personal information we might collect include (but are not limited to):
- your full name;
- your contact details (such as telephone numbers, addresses (residential and business), and email addresses etc.);
- your age or date of birth;
- your occupation and employer’s details;
- personal identification documentation (including government related identifiers);
- information in relation to accounts you have defaulted on;
- information relating to debts or obligations you have failed to pay;
- information about commercial credit providers with whom you have a credit relationship.
We generally do not have a need to collect sensitive information so we will not generally collect this information.
Identification
You may choose to interact with us using a pseudonym and/or not identify yourself.
In circumstances where we are required to do so, or are authorised by law, a court or tribunal to ask for your identification, we will request your personal information.
Further, it is likely that it will be impractical for us to interact with you without some form of identification, and therefore we will request identification details from you at the beginning of any dealing.
If you do not consent to the collection of your personal information, in accordance with this Privacy Policy, we may not be able to assist you with the provision of certain services.
How we will collect and hold your personal information
Generally, we collect personal information from third parties and publicly available sources, including:
- our members and subscribers;
- Law courts;
- credit providers, financial institutions, and access seekers;
- Australian Securities and Investments Commission; and
- other third-party information providers such as Credit Reporting Bodies and Alares Systems Pty Ltd.
We only collect and hold personal information by lawful and fair means.
There are several ways we may collect your personal information, including when you:
- visit, or submit information through, our website;
- apply with us for a position of employment or as a contractor;
- deal with us face-to-face, in writing (by letter, facsimile, or email), or by telephone;
- participate in any of our events, promotions, or surveys, or subscribe to any of our publications; or
- submit an application for membership, create an account for the use of our services or make any request for services from us.
This will likely occur in instances where:
- you have consented to this collection (which may be via our privacy statement, our member’s privacy statement and/or application form); or
- you would reasonably expect us to collect your personal information in this way and it is necessary for us to collect this information for a specific purpose (such as investigation of a complaint).
We will take steps to hold personal information in a manner which is secure and protected from unauthorised access.
Your personal information may be held in either a physical form or in electronic form on our IT system.
Where stored in electronic form on our IT system, we will take steps to protect the information against modification, disclosure, or misuse by including such things as physical restrictions, password protections, internal and external firewalls, and anti-virus software.
We will also endeavour to ensure that our service providers have protection for electronic IT systems and other necessary restrictions.
We will endeavour to ensure our staff are trained with respect to the security of the personal information we hold, and we will restrict any access where necessary.
While we retain personal information for as long as necessary in relation to the purposes for which it is collected, we will endeavour to destroy and de-identify the personal information once it is no longer required, except as required for business record purposes.
In the event we hold personal information that is unsolicited, and we were not permitted to collect it, the personal information will be destroyed as soon as practicable.
The purposes for which we collect, hold, use and disclose personal information
We will endeavour to only collect, hold, use and disclose personal information which is relevant to our operation as a commercial credit bureau.
Our purpose for collecting or holding personal information about you is so that it may be used directly for providing information, commercial credit risk and control services to our members and subscribers. We may provide this information to:
- our members and subscribers;
- commercial and trade credit providers;
- insurers;
- organisations conducting a risk assessment on an organisation of which you are a director, owner, partner, shareholder or employee.
We may also collect personal information (including sensitive information) for both the primary purposes specified herein and purposes other than the primary purposes, including the purpose of direct marketing, sales, and administration.
There may be other circumstances where we are required or authorised by law to disclose your personal information to someone, for example to an Ombudsman, tribunal, court, law enforcement agency or government department.
Cookies and the collection of personal information via our website
When you visit our website, we may collect information about the session between your computer and our website using cookies.
Cookies are text files which are stored on your computer or mobile device (by your web browser) that record specific information, such as which pages you visit, the information you have searched for, or the device you are using to access our website.
We use cookies for the purposes of managing and improving our website, improving our business processes, and gathering demographic information about the persons who visit our website, among other things.
Third parties may store cookies on our website, including, by way of example, the following entities.
- Google Analytics (provided by Google Inc.) to enable us:
(a) to perform statistical analyses of e.g., number of visitors, information on gender, age, location, interests, and the like to learn about our visitors; and
(b) to improve the website friendliness and usability (e.g., on the basis of website traffic measurements).
- LinkedIn (provided by LinkedIn Corp.) to enable the “follow” and “share” features of LinkedIn (only when you are logged in to LinkedIn when visiting our website and only when clicking the LinkedIn button).
You may elect to disable or turn off cookies in your web browser; however, this may impact upon the services we are able to offer you on our website and may impact upon your ability to access certain features of our website.
Our server will also automatically record your Internet Protocol address (IP address).
An IP address is a numerical designation assigned to each device connected to a computer network by your internet service provider. While IP addresses can be used to identify the general physical location of a computer, they are otherwise anonymous, and we will not use your IP address to identify you.
Hiring and recruitment
If you apply for a position with us, we may also collect information about your experience, character, qualifications, and screening checks (including background, health, references, directorship, financial probity, identity, eligibility to work, vocational suitability, and criminal record checks). Sensitive information will only be collected with your consent.
We collect, use, and disclose your personal information to assess your application, conduct screening checks and consider and contact you about positions available. Your personal information may be exchanged with academic institutions, recruiters, screening check providers, health service providers, professional and trade associations, law enforcement agencies, referees, and your current and previous employers.
We may not be able to further consider you for positions with us without your personal information.
Direct Marketing
We will take steps not to disclose personal information for direct marketing purposes unless you have provided your consent to do so.
In any event you will be provided with an opt out option with respect to direct marketing, should you wish to be excluded from direct marketing.
If you do not elect to ‘opt out’ to receiving direct marketing material from us, you consent to us using personal information (other than sensitive information) provided to us for direct marketing purposes.
We may however use sensitive information for direct marketing purposes if you provide your consent to do so.
You may at any point in time, request to no longer receive direct marketing material from us by opting out.
We will record this information on our opt out register.
Direct Marketing and Third Parties
We may also from time to time, if we have received your consent, provide your personal information to a third party for the purposes of direct marketing.
You may at any time request the source of the personal information that has been disclosed.
How you may access your personal information
You are entitled to access your personal information held in our possession.
We will endeavour to respond to your request for personal information within a reasonable time period or as soon as practicable in a manner as requested by you. We will normally respond within thirty (30) days.
You can make a request for access by sending an email or letter addressed to our Privacy Officer, the details of which are as follows.
The Privacy Officer
Building Industry Credit Bureau
PO Box 2157
FORTITUDE VALLEY QLD 4006
Facsimile: 07 3854 1669
Email: bicb@bicb.com.au
With any request that is made we will need to authenticate your identity to ensure the correct person is requesting the information.
We will not charge you for making the request; however, if reasonable, we may charge you for the costs associated with your request.
You will only be granted access to your personal information where we are permitted or required by law to grant access. We are unable to provide you with access that is unlawful.
In some cases, we will refuse access to the information you have requested. If we refuse access to the information, written notice will be provided to you setting out:
- the reasons for the refusal (except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so);
- the mechanisms available to complain about the refusal; and
- any other matter prescribed by the regulations.
Correction
Should we hold personal information that is inaccurate, out of date, incomplete, irrelevant, misleading, or incorrect, you have the right to make us aware of this fact and request that it be corrected.
If you would like to make a request to correct your information, please contact our Privacy Officer.
In assessing your request, we need to be satisfied that the information is inaccurate, out of date, incomplete, irrelevant, or misleading. We will then take all reasonable steps to ensure that it is accurate, up-to-date, complete, and not misleading.
It is our normal policy to resolve any correction requests within thirty (30) days. If we require further time, we will notify you in writing and seek your consent.
Should we refuse to correct your personal information, written notice will be provided to you setting out:
- the reasons for the refusal (except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so);
- the mechanisms available to complain about the refusal; and
- any other matter prescribed by the regulations.
We will endeavour to notify any relevant third parties of the correct personal information where necessary and required.
Notifiable Data Breaches
A Notifiable Data Breach is an event where access to your personal data has been gained and there is a risk of serious harm, or it is suspected that there is a serious risk to you.
In the event of a Notifiable Data Breach, we will notify you. Examples of Notifiable Data Breaches include:
- loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information;
- unauthorised access to personal information by an employee; and
- inadvertent disclosure of personal information due to ‘human error’ (e.g. an email sent to the wrong person).
Complaints
If you wish to make a complaint about our failure to comply with our obligations in relation to the Act or the APP, please raise this with our Privacy Officer.
We will provide you with a receipt of acknowledgment as soon as practicable.
We will then endeavour to respond to your complaint and attempt to resolve the issues within thirty (30) days.
In dealing with your complaint, we may need to consult another credit provider or third party.
If you are not satisfied with the process of making a complaint to our Privacy Officer, you may make a complaint to the Information Commissioner, the details of which are below.
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Email: enquiries@oaic.gov.au
Telephone: 1300 363 992
Facsimile: (02) 9284 9666
The Information Commissioner can decline to investigate a complaint on several grounds including, among other things, where the complaint wasn’t made at first to us.
For more information about privacy in general, you can visit the Australian Information Commissioner’s website: https://www.oaic.gov.au/.
Disclosure to overseas recipients
We may choose to, if permitted by law, share and/or disclose your personal information with recipients outside of Australia.
Where it is practical for us to do so, we are required to provide you with a list of any countries to which personal information may be transmitted or disclosed.
We currently do not share or disclose personal information overseas.
If you have any queries regarding this Privacy Policy or wish to find out more regarding any of our other policies, please contact our Privacy Officer on the details listed above.
Changes to this Privacy Policy
We will update this Privacy Policy from time to time. We therefore recommend that you read it each time you visit our website. If you do not agree with this Privacy Policy at any time, please do not continue to use our website. If you do continue to use our website, you are deemed to have accepted the terms of this Privacy Policy as they appear at the time of use.