Returned & Services League of Australia (Queensland Branch) ABN 79 902 601 713 (we, us and our or RSL Art Union) respects and upholds the privacy rights of individuals in accordance with the Australian Privacy Principles and the Privacy Act 1988 (Cth) (Privacy Act).
The words “Australian Privacy Principles”, "personal information" and "sensitive information" have the same meaning as under the Privacy Act.
COLLECTION OF YOUR PERSONAL INFORMATION
We only collect personal information that is necessary for what we do (such as providing membership services, veteran research and rehabilitation services, pension, advocacy and welfare services, accommodation services, financial support services and the operation of the RSL Art Union).
The types of personal information we may collect depend on the purpose for which we need the information and may include the following:
• full name, street address, telephone number;
• date of birth and age;
• email address;
• service record;
• information concerning your dealings with the Department of Veterans Affairs;
• payment information, including details of your superannuation fund;
• RSL membership number;
• health information, including your medical history and treating doctor;
• IP address;
• proof of identity information and documentation including driver's license, passport or birth certificate information;
• proof of income information and documentation;
• next of kin and emergency contact information.
Website usage information and cookies
Our websites at www.rslqld.org and www.rslartunion.com.au use small data files called cookies on your computer, which you can choose to accept or decline.
There is also information about the hardware and software on your computer that is automatically collected by our website. This information can include your IP address, browser type, domain names, browsing preferences, access times and the addresses of referring websites. This information is used by us to maintain the quality of our website and to provide us with information regarding the use of our website.
We encourage you to review the privacy statements of websites you choose to link to from our website so that you understand how those websites collect, use and share your information. We have no control over and are not responsible for the manner in which the hosts of other websites use personal information they collect from you.
We will where possible only collect your personal information directly from you. If we collect your personal information from another person and it is unclear that you have consented to the disclosure of that information to us or that information is otherwise not permitted to be disclosed to us, we will, whenever reasonably possible, make you aware that we have done this and the reasons for doing so.
If you do not provide some or all of the personal information we request, we may be unable to effectively provide our services to you.
WHAT WE DO WITH YOUR PERSONAL INFORMATION
We use the personal information we hold about you to do the following things:
• provide membership services to you;
• act as your representative in any matters that may arise from time to time involving the Department of Veterans Affairs;
• provide welfare services to you;
• provide accommodation services to you;
• administer your entry in lotteries run by us;
• liaise with our District Branches and Sub Branches with whom you are involved;
• administer contracts into which we may enter with you;
• accept donations from you;
• supply goods to you;
• administer your involvement as a volunteer with us;
• communicate with you concerning our activities;
• respond to feedback from you;
• develop and/or test our systems;
• for our own internal administrative purposes.
With your consent, we do the following:
• communicate promotional offers and special events to you;
• conduct fundraising;
• conduct marketing activities;
• plan to improve services we offer to our members and the veteran family in accordance with our charitable objects.
We may also need to disclose your personal information where we:
• are under a legal duty to comply with any legal obligation or in order to enforce or apply our terms and conditions; or
• need to disclose it to protect our rights, property or safety of our members, customers or others, including the exchange of information with other companies, organisations and/or governmental bodies for the purposes of fraud protection and credit risk reduction.
Before any personal information is disclosed to a recipient in a foreign country, the Privacy Act requires us to take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the Australian Privacy Principles in relation to the information. However, if you consent to the disclosure of your personal information to overseas recipients, we are not required to take such steps.
By submitting your personal information to us, you expressly consent to the disclosure, transfer, storage or processing of your personal information outside of Australia. In providing this consent, you understand and acknowledge that countries outside Australia may not have the same privacy protection obligations as Australia in relation to personal information.
By submitting your personal information to us, you expressly consent to us using your personal information to provide you with information about our products, services or events or any other direct marketing activity which we consider may be of interest to you. We may also use your personal information for the purpose of providing you with other information, if it is within your reasonable expectations that we would send you such information given the nature of previous communications with you. You may at any time opt out of receiving any communications from us (other than as required for the operation of our activities, e.g. regarding the payment for RSL Art Union tickets) by using the “unsubscribe” facility included in an email you receive from us or by contacting us using the details set out at the bottom of this document.
PSEUDONYMITY OR ANONYMITY
You have the option of not identifying yourself, or of using a pseudonym, when dealing with us provided it is lawful and practical to do so.
We store personal information:
• contained in paper based and other hard copy documents both at our office and at off site secure storage facilities; and
• contained in electronic records, in a controlled and secure environment.
Those records are only accessible by those persons who require access to the personal information for the purposes of carrying out their work on our behalf.
We will take all reasonable steps to protect the personal information we hold from misuse and loss and from unauthorised access, modification or disclosure.
When personal information (such as payment information) is transmitted to other websites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.
We will destroy or de-identify personal information in accordance with our data security and data destruction policies or when our legal obligations to retain the information have expired and the information is no longer needed by us.
ACCESS TO YOUR PERSONAL INFORMATION
You may request access to the personal information we hold about you by writing to our Privacy Officer at the address below. You do not have to provide a reason for requesting access. Except in circumstances established under law, if we hold personal information that you are entitled to access, we will endeavour to provide you with a suitable range of choices as to how you may access that information (e.g. post or collection). We may ask you to complete an Access Request form to help us identify and locate the information being requested.
If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, you can ask us to amend it. We will consider your request and:
• if we agree that the information we hold is inaccurate, we will amend it; or
• if we do not agree, then we will add a note to the personal information stating that you disagree with its accuracy.
If we suspect that a data breach has occurred, we will undertake an assessment into the circumstances of the suspected breach within 30 days after the suspected breach has occurred.
Where it is ascertained that a breach has actually occurred and where required by law, we will notify the Privacy Commissioner and affected customers as soon as practicable after becoming aware that a data breach has occurred.
COMPLAINTS AND CONCERNS
We treat complaints relating to privacy very seriously. If you submit a concern or complaint, we will endeavour to deal with it comprehensively and reach an outcome where all parties are satisfied. If you are not satisfied with our response to your complaint, or if you would like further information about privacy in Australia, then we suggest you contact the Office of the Australian Information Commissioner at oaic.gov.au.
YOUR PAYMENT INFORMATION
RSL Art Union’s systems and providers are compliant with the Payment Card Industry Data Security Standard (PCI DSS), and undergo rigorous audits and testing to ensure that confidentiality and the integrity of our systems and information are upheld.
RSL Art Union regularly performs security, vulnerability and malware scanning that is conducted by an external ASV (Accredited Scanning Vendor) to ensure our site remains free of vulnerabilities or malicious software.
Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information supplied is encrypted via Secure Socket Layer (SSL) and Transport Layer Security (TLS) technology.
We implement a variety of security measures and encryption methods, when a user places an order or enters, submits, or accesses their information, to maintain the safety of your personal information.
GDPR - PROCESSING EU PERSONAL DATA
This section entitled “GDPR – Processing EU Personal Data” only applies if you are a resident of the European Union and have passed your personal information (as defined in this section) to us.
General - When we process your personal information we will comply with the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), any local implementing laws and any successor legislation to the GDPR and the local implementing laws. We are the data controller (as defined in GDPR) of the data you pass to us pursuant to this policy.
Where we refer to “personal information” throughout this policy, it has the meaning set out in the Privacy Act (as explained at the beginning of this policy) and also the meaning given to “personal data” in the GDPR. “Processing” has the meaning set out in GDPR and, in practice, means doing anything with your personal information, including storing it.
Retention – if you are a regular customer or subscriber of the RSL Art Union, we will retain your personal information for no longer than 8 years from the date of our last interaction with you. This enables us to comply with certain legal obligations and financial reporting requirements. We may choose to retain your personal information for a shorter period of 25 months from the date of our last interaction with you if you purchase only occasional tickets from us or where we have no interaction with you during a 12 month period.
If we receive a “return to sender”, bounce-back email or similar message when we contact you, we will delete the relevant personal information from our system. We will also delete or update your personal information if you ask us to do so in accordance with the requirements of GDPR.
Grounds for processing - we collect most of your personal information on the grounds of our legitimate interests or fulfilment of a contract, for example, providing you with the RSL Art Union tickets you have purchased and liaising with you in respect of those tickets. If we deem it appropriate, we may also rely on legitimate interests to send you marketing communications, including where you have opened a customer account for the RSL Art Union or purchased tickets for the RSL Art Union. If we are unable to rely on legitimate interests or another ground to process your personal information, we will seek consent from you in accordance with the requirements of GDPR.
If we have obtained consent from you to process your data, you have the right to withdraw your consent at any time. To withdraw your consent, please contact us using the contact information set out below. Please bear in mind that if you withdraw your consent it may affect our ability to carry out tasks for your benefit. Withdrawal of your consent will not affect any processing we have carried out in respect of your personal information prior to you withdrawing consent.
In the section entitled “What we do with your personal information”, we have explained that we may need to disclose your personal information to certain third parties. If any of those third parties is located outside of the European Economic Area (EEA) we will ensure that there are appropriate safeguards in place when the data is transferred in accordance with the requirements of GDPR.
Automated decision making – if you purchase an RSL Art Union ticket, your success or otherwise will be determined as a result of a process of automated decision making. We carry out this example of automated decision making on the grounds that it is necessary to fulfil the contract we have entered into with you.
Your rights – there are a number of rights available to you under GDPR. These include:
• the right to access your personal information and ask us to provide certain information about the processing we carry out in respect of your personal information;
• the right to ask us to rectify any personal information we process that you believe is incorrect or incomplete;
• the right to ask us to erase your personal information;
• the right to ask us to restrict the processing we carry out in respect of your personal information, or to object to the processing we carry out; and
• the right to have your data provided to another data controller in a structured, commonly used and machine readable format (data portability).
Please note that there are some exceptions and caveats to the rights listed above.
Complaints – in addition to your rights set out above in the section entitled “Complaints and Concerns”, you are entitled to complain to the relevant supervisory authority in your jurisdiction. A list of the supervisory authorities throughout the European Union is available here.
OUR CONTACT DETAILS
The Privacy Officer
Returned & Services League of Australia (Queensland Branch)
283 St Pauls Terrace, Fortitude Valley QLD 4006
Ph: (07) 3634 9444
Fax: (07) 3634 9400
Last updated: 22 August 2018