About this policy
This policy applies to personal information collected by CTO Group (CTOG Pty Ltd ATF CTOG Unit Trust). It was last updated in June 2017.
CTO Group is bound by the provisions of the Privacy Act 1988, including the Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for how we handle and maintain people’s personal information. This includes how we collect, store, use, disclose, quality assure and secure personal information, as well as your rights to access or correct your personal information.
You will generally be able to remain anonymous or use a pseudonym when interacting with us. However, it may not always possible for this to occur—for example, when we are authorised or required to deal with you as an identified individual. We will inform you if you are unable to remain anonymous or use a pseudonym when dealing with us.
Our personal information handling practices
We may collect personal information directly from you, your representative or a third party.
We collect and hold a broad range of personal information in records relating to:
- the management of contracts
- complaints (including complaints relating to privacy) and feedback provided to us
- requests made to us under the Freedom of Information Act 1982
- legal advice provided by internal and external lawyers
- the performance of our administrative functions
- employment and personnel matters for our staff and contractors.
We collect this personal information in a variety of ways, including paper-based forms, online (through our websites, as well as email), over the telephone and by fax.
We only collect personal information where that information is reasonably necessary for, or directly related to, one or more of our functions or activities. Generally, we will only collect sensitive information if you consent and it is reasonably necessary for, or directly related to, one or more of our functions or activities. We will not collect any personal information if we do not need it.
When we collect personal information, we are required under the Privacy Act to notify you of a number of matters if it is reasonable to do so. These matters include the purposes for which we collect the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information. To achieve this, we will mainly use privacy collection notices on our forms and online portals.
Kinds of personal information that we hold
The personal information we collect and hold will vary depending on what we require to perform our functions and responsibilities. It may include:
- information about your identity (eg date of birth, country of birth, passport details, visa details and drivers licence)
- name, address and contact details (eg phone, email and fax)
- information about your personal circumstances (eg age, gender, marital status and occupation)
- information about your financial affairs (eg payment details, bank account details, and information about business and financial interests)
- information about your employment (eg applications for employment, work history, referee comments and remuneration)
- information about any security clearance held by you.
We may also collect or hold a range of sensitive information about you, including:
- your racial or ethnic origin
- your health (including information about your medical history and any disability or injury you may have)
- criminal activities you may have been involved in your biometrics (including photographs and voice or video recordings of you).
Use and disclosure of personal information
We will not give your personal information to government agencies, private sector organisations, or anyone else unless you consent or one of the following exceptions applies:
- you would reasonably expect us to use the information for that other purpose
- it is legally required or authorised, such as by an Australian law, or court or tribunal order. This includes express statutory provisions, as well as the more general application of the common law and the exercise of the Executive authority of an Australian government
- it is reasonably necessary for an enforcement-related activity
- we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
- we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
- we reasonably believe that it is reasonably necessary to help locate a person who has been reported as missing
- it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
- it is reasonably necessary for the purposes of a confidential alternative dispute resolution process
- we reasonably believe that it is necessary for our diplomatic or consular functions or activities.
We may also provide your biometric information (such as your photograph) or biometric templates (a digital representation of your distinct characteristics) to an enforcement body (such as an Australian police force, the Australian Customs and Border Protection Service, the Department of Immigration and Border Protection, or the Australian Securities and Investment Commission), as long as we comply with any guidelines made by the Australian Information Commissioner.
Disclosure to overseas recipients
We may need to provide your personal information to an overseas recipient as part of our work. Wherever appropriate, we will ensure that we either have your consent or that your personal information is not identifiable.
In some cases this will not be possible or appropriate, such as when our administrative or legislative functions require that we become involved in a law enforcement matter such as a criminal investigation. We may also disclose your personal information to recipients overseas under international agreements that relate to information between Australia and other countries.
If we are unable to seek your consent to provide your personal information to an overseas recipient, or it is impractical to do so, we will only provide your personal information to an overseas recipient if we are allowed to do so under the Privacy Act.
Quality of personal information
The Privacy Act requires us to take reasonable steps to ensure that the personal information we hold is safe and secure. We are also required to take reasonable steps to ensure that the personal information that we collect is accurate, up-to-date, and complete. This may include correcting your personal information where it is appropriate to do so.
We aim to protect your personal information from loss, unauthorised access, use, modification or disclosure, and against other misuse. Among other things, we safeguard our IT systems against unauthorised access, and ensure that paper-based files are secured. We also ensure that access to your personal information within our systems is only available to our staff who need to have access in order to do their work.
If a data breach occurs, such as if personal information that we hold is subject to unauthorised loss, use or disclosure, we will respond in line with the Office of the Australian Information Commissioner’s Data breach notification—A guide to handling personal information security breaches. We will aim to provide timely advice to you to ensure you are able to manage any loss—financial or otherwise—that could result from the breach.
When the personal information that we collect is no longer required, we delete or destroy it in a secure manner, unless we are required to maintain it because of a law, or court or tribunal order.
When we can refuse a request for access or correction
We can decline access to, or correction of, personal information under circumstances set out in the Privacy Act. This includes situations where we are authorised or required to refuse access.
Generally, where we refuse to give you access, we will give you written notice of the reasons for refusal and the mechanisms available to you to dispute that decision.
Accessing and correcting your personal information
You have a right to access personal information we hold about you. You also have a right under the Privacy Act to request corrections to any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
It is also possible to access and correct documents held by us under the Freedom of Information Act 1982 (the FOI Act). In some circumstances we will suggest that you make your request for personal information under the FOI Act.
This is because:
- an FOI access request can relate to any document in our possession and is not limited to personal information
- the FOI Act contains a consultation process for dealing with requests for documents that contain personal or business information about another person
- you can complain to the Australian Information Commissioner about what we do under the FOI Act
- if you are refused access under the FOI Act you have a right to apply for internal review or Information Commissioner review of the access refusal decision.
How to contact us
Privacy Contact Officer
6 Oxley Street
Griffith ACT 2603
We will respond to your complaint or request promptly if you provide your contact details. We take all complaints seriously and are committed to a quick and fair resolution. We will not take the fact that you have made a complaint into consideration when we perform any of our other functions or activities.
We will not charge you to access your personal information. However, there may be a charge involved for us to process a request under the FOI Act that goes beyond a request for personal information.
You may also make a complaint to the Office of the Australian Information Commissioner (OAIC). If you do so, the OAIC may recommend that you try to resolve your complaint directly with us in the first instance. The OAIC can be contacted on 1300 363 992 or via the Office of the Australian Information Commissioner website. The website also contains further information about making complaints relating to privacy.
What happens when you visit our website
Protecting your privacy online
CTO Group is committed to protecting privacy online in accordance with the Guide to securing personal information issued by the Office of the Australian Information Commissioner.
While every effort is made to secure information transmitted to this site over the internet, there is a possibility that this information could be accessed by a third party while in transit.
When you visit this site, our server logs the following information:
- the type of browser and operating system you are using
- your top level domain name, such as .com, .gov, .au, .uk
- the address of the referring site, such as the previous site that you visited
- your server’s IP address, a number which is unique to the machine through which you are connected to the internet—usually one of your service provider’s machines
- the date and time of your visit
- the address of the pages accessed and the documents downloaded.
This information is used only for statistical analysis and systems administration purposes. No attempt is made to identify users or their browsing activities, except in the unlikely event of an investigation by a law enforcement agency.
A cookie is an electronic token that is passed to your browser which passes it back to the server whenever a page is sent to you.
Our server generates one cookie. It is used to keep track of the pages you have accessed while using our server. The cookie allows you to navigate back and forwards through the web site and return to pages you have already visited. The cookie exists only for the time you are accessing our server.
In addition to web server logs, this website uses Google Analytics, a web analytics service provided by Google Inc. Reports obtained from Google Analytics are used to help improve the efficiency and usability of this web site.
Google Analytics uses ‘cookies’ to help analyse how users use this site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
Search terms you enter when using our search engine are collected, but are not associated with any other information that we collect. We use these search terms to ascertain what people are looking for on our site and to improve the services that we provide.
Interaction between this site and other sites
This site contains links to other sites. This website may also use social sharing tools to make it easy to share information—for example, incorporating Facebook tools, so that users can ‘Like’ content. These other sites may use web measurement tools, customisation technologies and persistent cookies to inform the service they provide to their users.
CTO Group is not responsible for the privacy practices or the content of these sites.
We do not use, maintain or share personally identifiable information made available through social media sites including Facebook and YouTube. You should consult the privacy policies of these sites for further information.