DATA BREACH POLICY
The Lithgow and District Workmen’s Club Ltd (LWC) is subject to the Commonwealth Privacy Act 1988 (Act). The Privacy Amendment (Enhancing Privacy Protection) Act 2012, which commenced in March 2014, made significant changes to the Act. This policy complies with the new requirements imposed by the Act.
LWC is strongly committed to managing personal information in an open and transparent way. LWC is a registered company and is subject to the requirements of the Act. It adheres to the Australian Privacy Principles (APPs) set out in Schedule 1 to the Act. LWC is strongly committed to protecting your privacy when you interact with us as members, guests or visitors.
This policy sets out how LWC collects, holds, uses and discloses personal information including sensitive information. Our objective is to provide you and your family with gaming, hospitality and entertainment services that meet your satisfaction. In the process of you interacting with us, on our website or at our venue, we do collect some information on all our customers.
LWC will be open and transparent about how and why we collect information and how we might use the information. In some cases, if you do not want us to collect or use your information in a particular way, you will be given an opportunity to say so.
how this policy will apply to our members, guests and visitors;
outline what kind of information LWC may collect about you, how we collect it and how we might use the information;
how we may disclose that information;
how you can access the information we hold about you;
when we might use your information to contact you;
how we protect your personal information;
how and why we collect additional information to improve our services.
APPLICATION OF POLICY
LWC undertakes to comply with the Australian Privacy Principles and follows a code established for this purpose. It is our endeavour to follow this code.
LWC regularly reviews all its policies and may update them from time to time. If changes are made, a revised policy, with the changes, will be posted on our website and will be available on request.
PERSONAL INFORMATION COLLECTED AND HELD BY LWC
WHY WE COLLECT PERSONAL INFORMATION
As a Registered Club, we are required to collect basic information about our members, covering data such as names, addresses and contact details. In addition to this information, we request optional additional information that might help us constantly improve our service offerings, in the interest of our members and guests.
If you work for LWC as an employee or are associated with LWC as a supplier or contractor, we will naturally have some basic details on you or your organisation.
5.2 HOW WE COLLECT INFORMATION
LWC may collect personal information from you in a number of ways. These include, but are not limited to:
when you apply for membership;
request to receive products or services;
purchasing food or beverage or other products;
using credit card or EFTPOS card for purchases;
provide products or services;
using LWC website or WIFI;
enter a competition or voting forum;
membership loyalty program;
use of the Patron App or Member Kiosks;
utilise LWC and Motel services;
complete a survey or questionnaire; and
purchasing gift cards.
5.3 NOTIFICATION OF COLLECTION OF PERSONAL INFORMATION
LWC publishes various newsletters and marketing material. You may need to agree that you would like to receive one or all of the material that LWC makes available to its members.
With regard to promotions and competitions, you might need to confirm that you agree with the terms and conditions of a particular competition.
5.4 THE PURPOSES FOR WHICH LWC COLLECTS, HOLDS, USES AND DISCLOSES PERSONAL INFORMATION
LWC collects and uses personal information for a variety of different purposes relating to its functions and activities including:
5.4.1 PERSONAL INFORMATION THAT IS REQUIRED
When you become a member or when you update your membership details, we are required to collect contact details that are held in a membership database that is safe and secure. This information is not shared with any organisations outside LWC, unless for reasons of database maintenance or software development. This will be done under strict agreements and supervision.
Under legislation, when a non-member, living within the 13 km radius, visits LWC, the individual has to be signed in by a current member. To make this process simple, we scan their identity card (driver’s licence, photo-card or pension card). For temporary members who do not wish to scan their information they have the option to enter their details into the system manually.
Under legislation, when a non-member living outside the 13 km radius visits LWC, to make the process simple, we scan their identity card (driver’s licence, photo-card or pension card) or for those who do not wish to scan their information they have the option to enter their details into the system manually.
This information is secure and is not used for any purpose other than our need to comply with the legislation.
When a membership card is used in a gaming machine, swipe machine or at any of our restaurants, bars or point of sale outlets, the information is used to award ‘Membership Rewards’ and is cross-referenced with our membership database. This information, in a consolidated manner, is used to help make decisions on changing or improving our service offerings.
5.4.2 PERSONAL INFORMATION THAT IS OPTIONAL
When using our websites, you have the option to provide LWC with your address, email address and mobile number, or update the information.
When using the Patron application (app) or service, you have the option of leaving your personal details.
When you make a complaint or you compliment LWC on its service offering or its customer service delivery your personal details will be desirable.
When you are browsing through our website, we collect information about the pages that members and visitors use. This helps us determine what our readers find most interesting.
When we conduct research or surveys our interest is aggregate data. We are obliged to make it clear to you if any research or survey could identify you, personally.
5.4.3 PUBLIC INFORMATION THAT YOU MAY DISCLOSE
When you post information on social media platforms associated with LWC and its venues, it is to be understood that this information is in the public domain and LWC is not in a position to accept any responsibility for who and why anyone might access the information.
5.5 USE OR DISCLOSURE FOR SECONDARY PURPOSES
LWC may disclose your personal information under the following conditions:
For research purposes, without disclosing your personal identity, with the objective of improving or amending our service offerings;
To promote its activities;
To provide technical support for our databases or services;
If you provide consent for your identity to be disclosed to a third party;
If a patron enters into a Club Safe Self Exclusion agreement; and
If the information is required by law.
Where LWC discloses personal information to third parties it will require restrictions on the collection and use of personal information equivalent to those required of LWC by the Privacy Act 1988.
In relation to electronic records, personal information is collected via LWC’s systems including web-based systems. LWC has put in place measures to protect against loss, misuse and alteration of electronic information. Where necessary, LWC also uses encryption technology to protect certain information and transactions.
LWC is committed to keeping your personal information secure, and we will take reasonable precautions to protect your personal information from unauthorised access, loss, release, misuse or alteration.
Your personal information may be stored in hard copy documents, but is generally stored electronically on LWC software or systems.
LWC maintains physical security over its paper and electronic data stores, such as locks and security systems. LWC also uses computer and network security technologies such as firewalls, intrusion prevention software, antivirus software, external email filtering and passwords to control and restrict access to authorised staff for approved purposes and to secure personal information from unauthorised access, modification, disclosure, misuse and loss.
Whilst LWC takes all reasonable steps to secure your personal information from loss, misuse and unauthorised access, you acknowledge that all activities in which you intentionally or unintentionally supply information to LWC carry an inherent risk of loss of, misuse of, or unauthorised access to such information.
In the interest of safety for our members, guests and visitors, LWC has installed a network of CCTV cameras that record 24 hours a day. The cameras are not intrusive and are carefully managed and supervised.
There is adequate signage around LWC reminding members and guests that the venue is under constant surveillance. Access to the footage is only available to senior management, when warranted.
Relevant footage is provided to the Police upon specific requests and is subject to a procedure where the request is identified, recorded and subject to a release form.
5.7 UNSOLICITED PERSONAL INFORMATION
When LWC receives unsolicited personal information it will assess whether it is personal information that it could legally collect. If it is, it will treat it according to the APPs. If it is not, it will, if lawful to do so, destroy or de-identify it as soon as practicable.
5.8 DIRECT MARKETING
LWC will only use personal information for direct marketing with the individual’s consent or when authorized by law.
LWC will not send you any unsolicited commercial messages or material that do not relate to LWC and its promotions, entertainment or service offerings.
We may use information about your likes and interests to send you information about our entertainment programs, promotions or dining offers. This information will be determined from information you might have provided, from your activity history or from your browsing history. You always have the option of opting out of receiving such information.
5.9 DESTRUCTION OF INFORMATION THAT DOES NOT NEED TO BE RETAINED
When LWC no longer needs to retain personal information, and is lawfully able to do so, it will destroy or de-identify that information.
5.10 HOW AN INDIVIDUAL MAY ACCESS PERSONAL INFORMATION ABOUT THE INDIVIDUAL THAT IS HELD BY LWC
Anyone has a right under the Act to access personal information that LWC holds about them. Access to personal information is requested through Senior Management and this will be dealt with under the appropriate legislation.
5.11 HOW AN INDIVIDUAL MAY SEEK THE CORRECTION OF PERSONAL INFORMATION ABOUT THE INDIVIDUAL THAT IS HELD BY THE LWC
Anyone has a right under the Act to request corrections to any personal information that LWC holds about them if they think that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
LWC encourages its members to update or correct personal information, so that the information is accurate and up-to-date. This can be done via the website or at the reception front desk.
5.12 HOW AN INDIVIDUAL MAY COMPLAIN ABOUT A BREACH OF THE AUSTRALIAN PRIVACY PRINCIPLES BY LWC
Anyone may complain about a breach of an APP by LWC.
LWC welcomes feedback, both positive and negative. All complaints will be taken seriously and dealt with promptly after appropriate internal investigations and consultations overseen by Senior Management.
5.12 HOW LWC WILL MANAGE AN ACTUAL OR SUSPECTED DATA BREACH UNDER THIS POLICY
LWC will manage the process of dealing with an actual or suspected breach in accordance with the Data Breach Procedure and Response Plan.
5.13 DISCLOSURE OF PERSONAL INFORMATION TO OVERSEAS RECIPIENTS BY LWC
LWC may disclose personal information to overseas recipients. For instance, LWC may disclose personal information to a Third Party Booking Site which requires proof of reservation or cancellation. LWC will only provide this information if the booking has been made through the Third Party Booking Site initially where the customer has provided all personal information in the first instance.
Disclosure of personal information to overseas recipients may also be required or authorized by law.
Updates to this procedure
This procedure is scheduled to be reviewed every five years or more frequently if appropriate.
7 CONTACT DETAILS
Contact for all matters related to privacy including
Accessing personal information held about you
Requests to correct personal information held about you and
Complaints about breaches of privacy,
should be directed as follows:
P: PO Box 747, Lithgow NSW 2790.
T: 02 63 507706
GLOSSARY OF TERMS
Act means the Privacy Act 1988 (Cth)
Australian Privacy Principles (APPs) means the 13 APPs set out in Schedule 1 of the Act
Data breach means the loss, unauthorized access to, or disclosure of, personal information
Notifiable Data Breach (NDB) is a data breach that is likely to result in serious harm to any of the individuals to whom the personal information relates. An NDB occurs when personal information held by an organization is lost or subjected to unauthorized access or disclosure. In such circumstances, LWC must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Privacy Amendment (Notifiable Data Breaches) Act 2017
Personal information means information or an opinion in any form about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.
Privacy Coordinator means the person appointed by LWC from time-to-time to manage and coordinate LWC’s compliance with the Policy and the Procedures at the direction of the Privacy Officer.
Privacy Officer means the person appointed by LWC from time-to-time to manage all inquiries and complaints arising under this Policy. The Privacy Officer may delegate the management of any or all of the inquiries and complaints arising under this Policy to the Privacy Coordinator.
Sensitive information means information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, or health information, genetic information or biometric information.
Serious harm is determined with regard to the following list of relevant matters as provided for in section 26WG of the Privacy Amendment (Notifiable Data Breaches) Act 2017:
the kind or kinds of information;
the sensitivity of the information;
whether the information is protected by one or more security measures;
if the information is protected by one or more security measures—the likelihood that any of those security measures could be overcome;
the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
if a security technology or methodology:
was used in relation to the information; and
was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;
the likelihood that the persons, or the kinds of persons, who:
have obtained, or who could obtain, the information; and
have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;
have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;
the nature of the harm;
any other relevant matters.
Unauthorised access means personal information accessed by someone who is not permitted to have access. This could include an employee of the entity, a contractor or external third party (such as hacking).
Unauthorised disclosure means where an entity releases/makes visible the information outside the entity in a way not permitted by the Privacy Act. For example, an employee accidentally publishes a confidential data file containing personal information on the internet.
Web Analytics means the measurement, collection, analysis and reporting of web data for the purpose of understanding and optimising web usage.