PURPOSE
The Puffing Billy Railway Board (the PBRB), the operator of the Puffing Billy Railway, is committed to protecting the privacy of all individuals’ Personal Information, Sensitive Information and Health Information that it may collect and hold.
The purpose of this Privacy Policy is to inform individuals about the PBRB’s obligations to implement and maintain a Privacy Policy in accordance with the requirements of the Privacy and Data Protection Act 2014 (Vic) (the PDP Act) as amended and with the 10 Information Privacy Principles (IPPs), which are the core of privacy law in Victoria and set out the minimum standard for how Victorian public sector bodies should manage personal information. This Policy should be read in conjunction with Information Management Policy and Corporate Archives Policy.
The PBRB is committed to:
- the responsible collection and management of Personal Information;
- providing individuals with the right to access the Personal Information held about them, and doing so in accessible formats in consideration of individuals with language or literacy vulnerabilities, persons living with disability, children and young people;
- providing individuals with the right to make corrections to the Personal Information held about them;
- appropriately handling queries and complaints about privacy-related issues;
- only sharing Personal Information with other parties when permitted to by law or when failure to provide information to another party may result in a breach of any other applicable law; and
- ensuring stakeholders and representatives such as employees, staff and contractors understand their obligations relating to the management of Personal Information.
DEFINITIONS
| TERM | MEANING |
|---|---|
| PERSONAL INFORMATION | is defined as information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies. |
| SENSITIVE INFORMATION | is a specific sub-set of Personal Information. It is defined as information or an opinion about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; or criminal record that is also Personal Information. |
| HEALTH INFORMATION | Personal Information or an opinion including information, that is not recorded in material form, about: |

Unless specifically identified in this Privacy Policy, or where the context otherwise requires, references to “Personal Information” may also include references to “Sensitive Information” and “Health Information”.
2. POLICY STATEMENT
2.1 TYPES OF PERSONAL INFORMATION COLLECTED
The PBRB collects and holds a range of Personal Information to manage and administer its functions, services, and organisational activities. The PBRB collects this Personal Information from its employees, volunteers, contractors, customers, passengers, members, suppliers, tour operators, prospective job and volunteer applicants, and other individuals interested or involved in the operation of the Puffing Billy Railway. The types of Personal Information that the PBRB may collect includes but is not limited to:
- the individual’s full name.
- the individual’s contact details such as address, phone number and email address.
- the individual’s payment information such as credit card details; and
- a copy of the individual’s date of birth, driver’s licence or passport details (e.g., for employment and volunteering purposes).
Generally, the PBRB does not collect Sensitive Information or Health Information relating to persons other than employees and volunteers (workforce participants). However, the PBRB may collect Sensitive Information or Health Information from or about individuals where there is a legal requirement to do so, or where the PBRB is otherwise permitted by law. For example, the PBRB may collect some Sensitive Information or Health Information:
- from or about current and prospective employees and volunteers, to make informed safety and operational decisions about the Puffing Billy Railway;
- from or about passengers (e.g., the individual’s dietary information for dining on the Puffing Billy Railway luncheon or dinner trains, and other catered events); and
- when managing or responding to correspondence, feedback, concerns or complaints.
In all other situations, the PBRB will specifically seek the individual’s consent prior to collecting Sensitive Information and Health Information unless permitted by law to do so without that individual’s consent.
If the PBRB collects Health Information from an individual, it will be collected, held, and used in accordance with The Health Records Act 2001 (Vic) and the National Standard for the Health Assessment of Rail Safety Workers.
When collecting any Personal Information from individuals, the PBRB will:
- Only collect Personal Information about an individual that is necessary and relevant to the PBRB’s functions, services and organisational activities;
- Seek the consent of a parent/caregiver where the individual is under 18 years of age;
- Take reasonable steps, at or before the time of collection, to ensure that the individual, and in the context of persons aged under 18 their parent and/or caregiver, is aware of:
  - The purposes for which the PBRB is collecting the information;
  - The organisations, if any, to which the PBRB would normally disclose the information;
  - The fact that the individual is able to access the information;
  - How to contact the PBRB;
  - Whether the information is to be transferred physically outside of Victoria or digitally out of Australia; and
  - The main consequences for the individual if the information is not provided;
- Take reasonable steps to ensure the information collected is accurate, complete, up-to-date, and relevant to the functions, services and organisational activities performed by the PBRB.
2.2 THE PBRB WEBSITE AND COOKIES
When an individual browses the PBRB website, makes contact with the PBRB electronically or engages with the PBRB on social media, the PBRB may record geographical tagging and statistical data from the activity.
The PBRB may use cookies to collect non-personal and anonymous information about visits to the PBRB website and to track how the individual reached the PBRB website. Individuals can opt out and disable cookies when visiting the PBRB website, but this may prevent proper functionality of the website. In particular, some pages might not display properly.
Further detail about how to delete cookies, or instruct a web browser to delete or refuse cookies, is generally available on the help pages of the relevant web browser.
2.3 PURPOSES FOR THE COLLECTION OF PERSONAL INFORMATION
The PBRB collects, holds, uses and discloses Personal Information from or about individuals where it is reasonably necessary for the PBRB to carry out, manage and administer its functions, services and organisational activities. This includes, but is not limited to the purposes of:
- engaging with prospective and actual employees, volunteers and contractors for recruitment and the ongoing management of the Puffing Billy Railway.
- selling tickets to passengers, members, suppliers, and tour operators including bookings for travel on the Puffing Billy Railway.
- conducting surveys, evaluations, or soliciting feedback from individuals including diverse community groups, such as Aboriginal and Torres Strait Islander communities, those with a disability and children and young people.
- enabling dietary information to be appropriately collected for our dining services;
- fundraising, memberships and related transactions and administration; and
- the management and reporting of health, safety and wellbeing incidents, complaints and concerns.
The PBRB also collects, holds, uses and discloses Personal Information from or about individuals for related purposes that the individual would reasonably expect, such as obtaining information for customer feedback, statistical collation, social media analysis and website traffic analysis, subscriptions, mailing lists, newsletters and other direct marketing communications about the PBRB’s events, programs and activities involving the Puffing Billy Railway.
Where the PBRB wishes to use or disclose Personal Information from or about individuals for other purposes, the PBRB will obtain consent from the individual concerned unless otherwise permitted by law or statute. Examples include but are not limited to:
- Referring Personal Information to Victoria Police.
- For the purposes of reporting in line with regulatory obligations, for example, WorkSafe Victoria.
- Reporting safety or wellbeing concerns to the Department of Families, Fairness and Housing.
Where the PBRB uses Personal Information from or about individuals for marketing and promotional purposes, the individual concerned can opt out at any time by notifying the PBRB. Opt out procedures are also included in the PBRB’s marketing communications.
The PBRB may also disclose Personal Information from or about individuals to third parties (including government departments and enforcement bodies) where required or permitted by law.
2.4 USE OF PERSONAL INFORMATION
The PBRB will:
- not use or disclose Personal Information about an individual for a purpose other than that for which it was collected, unless such use or disclosure would be reasonably expected, is required or otherwise permitted by law, or has been expressly authorised by the individual concerned.
- take reasonable steps to ensure that the Personal Information it holds is accurate, complete and up to date.
- take reasonable steps to protect the Personal Information from misuse and loss, and from unauthorised access, modification and disclosure.
- where necessary, take reasonable steps to let an individual know what sort of Personal Information it holds about that individual; and
- where necessary, and requested by the individual concerned, provide the individual with access to the Personal Information held in relation to that individual.
2.5 DATA SECURITY
The PBRB is committed to ensuring that all Personal Information and Health Information is held securely.
Personal Information may be stored in hard copy documents, as electronic data, or in the PBRB’s software or systems until it is securely destroyed when no longer required. Information on the digital management, hosting and storage of Personal Information can be found in the Information Communications Technology Acceptable Use Policy.
Some of the ways the PBRB seeks to protect Personal Information collected include the following:
- Confidentiality requirements on the use of information by the PBRB’s employees and volunteers.
- Policies on hard-copy document storage and security.
- Policies on the use of cloud-based and portable digital devices (such as USBs, external hard drives, mobile phones) for document storage.
- Security measures for access to the PBRB’s computer systems including but not limited to multifactor authentication, application whitelisting, vulnerability scanning and password complexity requirements.
- Controlling access to the PBRB’s premises; and
- Website protection measures.
2.6 DESTRUCTION AND DE-IDENTIFICATION
The PBRB will retain Personal Information collected from or about individuals whilst it is required for any of the PBRB’s functions, services and organisational activities, or for any other lawful purpose.
The PBRB will take reasonable steps and will use secure methods to destroy or to permanently de-identify Personal Information when it is no longer required for any purpose for which the Personal Information may be used under this Privacy Policy and otherwise in accordance with the PDP Act.
As an example, the PBRB’s destruction and de-identification methods may include:
- Paper records being placed in security bins and/or shredded; and
- Electronic records being deleted from all locations to the best of the PBRB’s ability or encrypted and/or placed beyond use.
Certain records may be held and archived in accordance with the guidelines and recommendations of the Victorian Government and the Public Records Office of Victoria, such as the PROS19/08 Organisational Response to Child Sexual Abuse Incidents and Allegations RDA.
2.7 DISCLOSURE OF PERSONAL INFORMATION OUTSIDE VICTORIA
Generally, the PBRB will not disclose Personal Information outside of Victoria.
If the PBRB does seek to disclose Personal Information outside of Victoria, the PBRB will do so in accordance with the requirements and permissions of the PDP Act and the IPPs. For example, the PBRB may transfer Personal Information from or about an individual outside of Victoria:
- after first obtaining the consent of the individual concerned or their parent/caregiver in the event that the individual is aged under 18 or otherwise unable to grant informed consent; or
- if the transfer is necessary for the performance of a contract between the PBRB and the individual concerned;
- if the transfer relates to the hosting of information on servers based outside of Victoria but within Australia;
- if the PBRB reasonably believes that the recipient is subject to a law, binding scheme or contract which is substantially similar to the IPPs; or
- if the PBRB has taken reasonable steps to ensure that the Personal Information will not be held, used or disclosed by the recipient in a manner inconsistent with the IPPs
- Where required to do so by law or when the failure to provide such information would result in the breach of another applicable or relevant law.
2.8 ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
The PBRB will take reasonable steps to ensure that the Personal Information it collects, uses or discloses is accurate, complete and up to date.
The PBRB has procedures in place for dealing with and responding to requests for access to, and correction of, the Personal Information held about individuals by the individual, or their parent/carer or legal guardian.
In most cases, the PBRB expects that it will be able to comply with an individual’s request to access and/or correct the Personal Information held about them. However, if the PBRB does not agree to provide an individual with access to, or to correct the Personal Information as requested, the PBRB will provide written reasons why.
2.9 COMPLAINTS AND CONCERNS
The PBRB has procedures in place for dealing with and responding to complaints and concerns about its practices in relation to the PDP Act, the IPPs and any alleged breach of this Privacy Policy. The PBRB will respond to privacy-related complaints in accordance with the relevant provisions of the PDP Act.
Internal privacy complaints
If an employee or volunteer has a privacy issue or concern that he or she would like to discuss, the person may contact the People and Culture team. People and Culture will look into the matter and provide a response to the person who raised the issue.
Complaints for a breach of privacy should be raised in the first instance with the Privacy Officer who will seek to investigate the matter and may advise the individual what action, if any, the PBRB will take to resolve the complaint. Complaints will be managed in accordance with the PBRB’s Incident Management and Feedback Policy. Breaches of the Privacy Policy by workforce participants may result in disciplinary action and may constitute a breach of the Code of Conduct.
People and Culture can be contacted as follows:
Puffing Billy Railway
Telephone: 03 9757 0773
Email: [email protected]
If the employee or volunteer is not satisfied with the response of People and Culture they should provide a written complaint to the PBRB CEO. The CEO will conduct an investigation and will respond to the person who raised the issue with a decision. The CEO will also advise on action taken on the complaint including the outcome of any investigation conducted by or on behalf of the CEO.
The CEO can be contacted as follows:
Puffing Billy Railway
Telephone: 03 9757 0718
Email: [email protected]
External privacy complaints
For all privacy issues or concerns raised by individuals external to the PBRB, the PBRB’s Privacy Officer can be contacted in the first instance. The PBRB’s Privacy Officer can be contacted as follows:
Puffing Billy Railway
Telephone: 03 9757 0706
Email: [email protected]
Individuals also have the right to make a complaint to the Office of the Victorian Information Commissioner (OVIC). The OVIC has an online privacy complaint form, available for download at: https://ovic.vic.gov.au/privacy/for-the-public/complaints/. The OVIC can also be contacted as follows:
Office of the Victorian Information Commissioner
PO Box 24274
Melbourne VIC 3001
Email: [email protected]
A PDF version of this policy is available, including Supporting Documentation, document information, control and review.