1. Applicability
Astral Consulting Services Pty Ltd (Astral) is a strategic consulting company that focuses on the delivery of professional services relating to information management and associated business processes. Astral is registered in and subject to the law of Victoria, Australia.
Astral (We, Our, Us) is obliged to comply with the Australian Privacy Act 1988 that regulates the handling of personal information. Our Privacy Policy (Policy) is published on Our website in compliance with legal requirements and for the benefit of anyone interested.
2. Personal Information, Privacy and Employee Records
Our Privacy Policy concerns information or an opinion about an identified individual or an individual that is reasonably identifiable. We make no distinction between employee records and other sources of personal information. Nor do we discriminate between different forms of personal information (electronic records, paper records, voice files, etc.), nor between whether the information or opinions are true or not.
All personal information that We collect, hold (where We have possession or control of a record), use, and disclose (where the information is outside of Our possession or control) is treated with the same respect.
For the purpose of this Policy ‘privacy’ and ‘personal information’ have the same meaning.
3. Scope and Purpose of Collection
This scope of this Policy extends to all personal information that We collect, hold, use, and disclose in the course of providing the Astral service and in complying with law and managing risk.
In providing the service Our business activities include our client relationships, internal operations (management, employees, temporary staff, contractors), and external operations (third parties such as business partners and service providers).
The scope of this Policy extends to our external client-facing activities such as Our online presence at www.astral.com.au and to the personal information that is collected through Our Website and the use of email for general communications and marketing purposes.
This Policy does not extend to third party websites or to social media accessed via links on Our Website or email communications. Use of third party links and social media will be governed by the privacy policies and terms of use of the relevant service providers.
4. About this Privacy Policy
This Policy is written in simple language so that it is easy to understand. If something is not clear, We invite individuals to contact Us so that We can provide assistance. Our contact details are provided in section 10 below. They will also be provided every time that We make contact with an individual.
This Policy outlines the current personal information handling practices of Astral. We will update this Policy when Our information handling practices change and We will publish updates on Our Website and through Our email lists.
Whilst We publish Our Privacy Policy on Our Website so that it is easily accessible, We also make copies available on request in paper format. In most circumstances, We do not charge a fee for providing a copy of the Policy. If however a request is made for a copy in some other format (foreign language requirements or those linked to disabilities such as sight or hearing impairment), special arrangements may need to be made and a charge may apply.
5. Consent
In all cases where consent is required, whether it be express consent (verbal, in writing, click-wrap tick box) or implied consent (browse-wrap without a tick-box and other behaviour which indicates consent through continued use), it must be voluntary, current, specific and based upon adequate information about the circumstances and choices available to an individual. Naturally, the individual must have the capacity to understand, to give (for example be 18 years or older), and communicate consent. Individuals who are not sure about giving consent are encouraged to contact Us. See section 10 for contact details.
6. The Australian Privacy Principles Governing the Handling of Personal Information
Astral is committed to making every reasonable effort to manage personal information in an open and transparent way.
6.1 Open and Transparent Management of Personal Information
To support this commitment, We have implemented practices, procedures, and systems to align Our handling of personal information with principles that have been derived from Australian privacy law, international standards, and best practices.
These practices, procedures, and systems are intended to regulate Our internal and external business operations through the use of administrative, technical, and physical controls. The legal notices published on Our Website are examples of Our administrative controls. Technical and physical controls are generally not made publically available for security reasons.
This Policy, together with Our Website Terms of Use and Email Legal notice, set out how We provide for open and transparent management of personal information, and give individuals the ability to make informed choices about the Astral service and communications with Us.
6.2 Anonymity and Pseudonymity
An individual can choose to remain anonymous (they cannot be identified and We do not collect personal information), or choose to use a pseudonym (they can use a name, term, or description that is different from their own) when dealing with Us.
Circumstances, where We give individuals the option to remain anonymous or to use a pseudonym, include, for example, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified.
Examples of circumstances where We Will need to know the identity of the person that We are dealing with related to the provision of the Astral service, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction and where cost becomes excessive or impractical without knowing the identity of an individual.
6.3 Collection of Solicited Personal Information
We are committed to collecting personal information by lawful and fair means and wherever possible only collecting it directly from the individual concerned.
We collect personal information from individuals where the information is reasonably necessary for one or more of the Astral functions, activities, and legal obligations relating to the service We provide.
In providing the service to individuals and to organisations, it is generally not necessary to collect sensitive personal information.
For internal human resourcing, We do collect sensitive personal information, such as religious beliefs, trade union memberships, and health information when it is required for employment reasons, or by law. We may solicit or request personal information from a third party such as an employment agency or referees in the context of employment.
In most instances where We collect personal information, We only do so after a direct request to, and with the consent of the individual to whom the information relates. In exceptional circumstances and for human resourcing, or when authorised or required by law, We may collect personal information from some source other than the individual themselves.
In circumstances where We provide the Astral service to an organisation, We may solicit personal information from the organization about an individual, but We still require the consent of each individual before their personal information is shared with Us.
6.4 Dealing with Unsolicited Personal Information
Personal information is sometimes provided to Us in circumstances where We have not requested it. In these circumstances, where the information is unsolicited, We will examine whether it could have been collected under the Policy outlined in section 6.3 above. We will then apply Our minds and decide whether this unsolicited information should be retained, de-identified, or destroyed. Having made that decision, We will implement the decision within a reasonable time.
We do not actively seek to collect unsolicited information.
6.5 Notification of the Collection of Personal Information
This Policy, other legal notices published on Our website, and Our internal practices, procedures, and systems (administrative controls) are Our way to ensure that individuals know about the personal information that Astral collects.
We are committed to making all reasonable efforts to inform individuals about the personal information We collect before We collect it, for example by making this Policy and Our other Legal Notices available. We will also inform individuals about collection at the time We collect personal information, for example when individuals engage Us to provide the Astral service, through website activity and other forms of communication such as email.
In exceptional circumstances where this does not happen, for example, when We receive unsolicited personal information from a third party that We decide to retain, We will inform individuals as soon as reasonably possible after the collection of personal information.
Through this Policy and other legal notices published on Our Website, We seek to ensure that individuals are informed about the reasons for the collection and that they know how to contact the accountable office bearers at Astral. See section 10 below for details.
6.6 Use or Disclosure of Personal Information
Where We hold personal information about an individual that was collected for a particular purpose (the primary purpose) We will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect Us to use or disclose it for a related purpose. An example of a related purpose in these circumstances might be disclosure to a next-of-kin or healthcare provider in the case of an employee.
In some circumstances, for example, where We believe that the Astral service may be improved through new technologies such as data science, (analytics) or where We see a benefit to individuals, We may use personal information that has been provided to Us by the individual themselves or received from third parties for a purpose that is different from the purpose for which it was given to Us in the first place. Where We do this, We will use and/or disclose the personal information in a de-identified format.
Broadly speaking We use (handle and manage) personal information internally for 2 reasons:
- To provide the Astral service to organisations:
- Examples include: Name, address (physical, postal, email, and Internet Protocol address), cookies, change management, assessments and reports [Add more]; and
- For internal human resourcing:
- Examples include Name, address (physical, postal, email, and Internet Protocol), address, health information, medical service provider and counselor details, next-of- kin, spouse or partner, banking details, tax, photo identity, trade union membership, religious beliefs, gender, cultural and ethnic identity, qualifications, training and the like.
We do not collect biometric forms personal information such as fingerprints.
We also use and retain personal information records which are required to be retained for legal, business, and evidential reasons. Sometimes these come from external sources and third parties.
Broadly speaking We disclose personal information (release it outside of Our possession or control) for the same primary reasons listed above, providing the service, for human resourcing, and where there is a legal obligation to do so.
6.7 Direct Marketing
When We provide a service to individuals and to organisations, We ask for consent to communicate directly with the individuals concerned in order to provide information and promote Our service.
Whenever We do, We allow individuals to opt-out of receiving direct communications and direct marketing notifications. When individuals request Us to stop communicating with them, We will comply with that request.
If an individual requests information about how We came to have their personal information, We will respond, and provide the source of an individual’s personal information wherever possible. We will respond to these requests within a reasonable time (thirty (30) business days).
We do not disclose, sell, or share personal information to third parties for direct marketing purposes.
6.8 Cross-border Disclosure of Personal Information
Astral operates from offices in Australia. These operations include all aspects of internal operations that support the service that We provide as well as the provision of ‘live’ services (where personal information travels over telecommunications lines) and the storage of static personal information in data warehouses and on information systems.
Astral clients are organisations that are located in Australia and New Zealand, but that may also be located in or travelling through other countries.
Astral relies on various third party service providers such as telecommunications providers, and Internet Service Providers. These are primarily based in Australia, but may also be located in other countries.
Because information systems enable Our service, personal information may be located or disclosed in transit and in a static format in countries outside Australia. Whilst We do not currently employ ‘Cloud’ technology services, individuals are nevertheless cautioned to consider how their personal information moves and is stored on global information systems and to make appropriate choices.
6.9 Adoption, Use, or Disclosure of Government Identifiers
We do not adopt, use, or disclose government identifiers of an individual as Our own identifiers.
We do use and disclose government identifiers such as Australian Tax File Numbers, for example, for human resource purposes and where required or authorised by law.
6.10 Quality of Personal Information
We are committed to taking such steps as are reasonable in the circumstances to ensure that the personal information We collect, hold, use, and disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete, and relevant.
To do this, We ask individuals to assist Us. We provide various technical means, including email notifications and user registration access where individuals can access, verify, and update personal information records that We hold. We ask individuals to participate by ensuring their information is accurate, up-to-date, complete, and relevant. Individuals are also encouraged to use the access and correction facilities that We provide. See sections 6.12 and 6.13.
6.11 Security of Personal Information
We are committed to taking reasonable steps to protect personal information that We hold from misuse, (wrong or improper use) interference (access even where the content is not necessarily modified), and loss (accidental, inadvertent, misplaced personal information).
We are also committed to securing personal information from unauthorised access (by someone that is not permitted access to the information), modification (alteration by someone that is not permitted to do so, or who acts beyond the scope of their authority to modify personal information) and unauthorised disclosure (where personal information is released from Our effective control without authority).
To comply with the law and manage risk, Our practices, procedures, and systems aim to protect the confidentiality, integrity, and availability of Our information systems and information, especially the personal information, that We collect, hold, use, and disclose.
Where there is no legal obligation to retain records and evidence, and in circumstances where We no longer need personal information to provide the Astral service or for any purpose for which the information may be used or disclosed under Australian law, We take reasonable steps to destroy the information or to ensure that the information is de-identified.
Our information security and privacy practices include circumstances where Our data handling practices are outsourced to third parties. Because of this, We endeavour wherever possible to bind third party service providers through appropriate legal agreements. We also endeavour to monitor their privacy and security practices where possible.
Whilst there is no current obligation upon Astral to notify individuals or regulators of a breach of personal information, Our policy, in the event of a breach is to inform affected parties in order for them to better protect themselves from possible damage, for example, by changing passwords.
6.12 Access to Personal Information
Where We hold, or have the right and power to deal with personal information (for example, where it is stored by one of Our third party service providers), We will, on request by an individual, normally give that individual access to their information.
We do this so that individuals know what information We hold on them and because it assists Us to ensure that the personal information that We hold is up-to-date, complete, and relevant.
In considering a request for access to personal information by an individual, We will require identification. We reserve the right not necessarily to give access to an individual to their personal information in circumstances, for example, where provided for in law, in instances of commercial sensitivity, and where a third party may be negatively affected.
We will respond to an individual’s request for access to their information within a reasonable time (thirty (30) business days), and We will consider reasonable requests for access to be given in a particular format, for example, through user registration login, by facsimile, email, and postal services. As a matter of courteousy, We will provide reasons for the refusal if access is refused.
No charge will apply when an access to information request is received. We do however reserve Our rights to charge a fee where We incur costs, for example, for photocopying, postage, and costs associated with using an intermediary if one is required.
6.13 Correction of Personal Information
Where We hold personal information, We will take reasonable steps to correct it to ensure that, having regard to the purpose for which We hold it, it is accurate, up-to-date, complete, relevant, and not misleading.
An individual may request that We correct personal information that We hold about them in circumstances where they believe that the information is inaccurate, out of date, incomplete, irrelevant, or misleading.
In considering a request for the correction of personal information that We hold, We will require identification of the requesting individual. We reserve the right not necessarily to effect the changes sought, but undertake to consider reasonable requests and to associate a statement to the record reflecting Our refusal to correct the failed request for correction if We consider refusal the appropriate action.
We will respond to a request to change information within a reasonable time (sixty (60) business days) although changes sought may take longer, for example, because We may need to contact and notify other organisations and individuals about the request.
No charge applies for making a request, correcting personal information, or associating a statement for refusal to change a record.
As a matter of courtesy, We will provide reasons for the refusal if correction is refused, and also a reminder of the complaint process available to individuals who feel aggrieved by the refusal.
7. Complaints, Enquiries and Access to Information Requests
In most circumstances, the Australian Information Commissioner will not investigate a complaint if an individual has not first raised the matter with Us. For this reason, We ask individuals to agree to submit all complaints relating to this Policy to Us first, so that We have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to Us at [Provide email address] and to see sections 8 and 10 below for further details.
8. How to make a Complaint, Enquiries, and Access Information Requests
Individuals can make general enquiries, request access to their information and complain to Us in writing. This includes email communications.
We will respond to complaints within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed, for example, because We may need to contact and notify other organisations and individuals affected by the complaint. In this case, We will endeavor to respond within sixty (60) business days.
9. Skill, Diligence, Care
Astral will exercise reasonable skill, diligence, and care as may reasonably be expected from a similar service provider.
10. Company Information
Name: Astral Consulting Services Pty ltd
Physical address and the address for receipt of legal service of documents: Level 2 Suite 2, 45 William Street, Melbourne VIC 3000
Postal address: Level 2 Suite 2, 45 William Street, Melbourne VIC 3000
Phone numbers: +61 1300 290 075
Website address: www.astral.com.au
Email address: info@astral.com.au
ABN: 67 095 048 776
Directors: D.J Felsbourg, M.L Minson