
PRIVACY POLICY

INTRODUCTION

As part of our business activities in Australia, we may need to collect personal information. Our privacy policy explains how we handle and protect this information.

​

We are committed to complying with the requirements of the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), which outline how personal information must be managed. 

​

Whom does this privacy policy apply to?

This policy applies to any person for whom we currently hold, or may in the future collect, personal information.

This policy does not apply to acts and practices that relate directly to the employee records of our current and former employees.

​

What information does this privacy policy apply to?

In general, ‘personal information’ refers to any information or opinion about an individual who is identifiable or reasonably identifiable.

 

HOW DO WE MANAGE THE PERSONAL INFORMATION WE COLLECT?

We must comply with our professional obligations (including confidentiality obligations) in dealing with an individual’s personal information at all times. We manage the personal information we collect by:

​

(a) providing team members with training on privacy issues;

(b) implementing procedures such as providing privacy statements when dealing with a client’s personal information;

(c) regularly reviewing our privacy compliance; and

(d) implementing security measures to keep the personal information we collect safe, including using unique usernames and passwords on systems that can access personal information and security cards to access on-site information.

​

WHAT KINDS OF PERSONAL INFORMATION DO WE COLLECT AND HOLD?

We are a full-service commercial law firm and hold different information depending on the legal and other services provided to clients or, in the case of prospective employees, the information needed to assess future employment with us. The types of information that we may collect and hold include:

​

(a) contact information (such as name, address and phone number);

(b) financial information;

(c) business circumstances;

(d) family circumstances;

(e) information about assets and investments;

(f) employment history;

(g) gender;

(h) date and place of birth;

(i) insurance information;

(j) banking information;

(k) credit information;

(l) credit card details;

(m) expertise and interests;

(n) tax file numbers;

(o) driver’s licence and other photographic information;

(p) video or photographic footage given by clients to us for legal advice;

(q) information otherwise required by law; and

(r) any other personal information required to perform the legal or other service to the individual.

 

Where possible, we will only collect the personal information required to provide the legal or other service to the individual, or as required by our professional obligations.

​

WHAT SENSITIVE INFORMATION DO WE COLLECT AND HOLD?

‘Sensitive information’ is a category of personal information that, if misused, may have serious consequences for the individual concerned.

​

We may collect and hold sensitive information where it is necessary for the provision of legal or related services. Such information may include:

​

(a) health information;

(b) racial or ethnic origin;

(c) membership of professional or trade associations or unions;

(d) criminal history;

(e) sensitive information required to be disclosed by law; and

(f) any other sensitive information required to deliver legal or associated services.

​

We will not collect sensitive information without the individual’s consent, unless an exception under the Privacy Act applies.

​

HOW AND WHEN DO WE COLLECT PERSONAL INFORMATION?

Where reasonable and practicable, we will collect personal information directly from the individual concerned.

​

However, we also obtain personal information through our referral networks and other external sources. While not exhaustive, these sources may include:

​

(a) professional advisers or agents acting on behalf of the individual;

(b) the individual’s friends, family members, or associates;

(c) financial institutions;

(d) government agencies;

(e) insurance providers;

(f) businesses in relation to their employees, contractors, customers, or suppliers; and

(g) barristers and other solicitors.

​

HOW DO WE HOLD PERSONAL INFORMATION?

We hold personal information in a range of formats and locations, including:

 

(a) physical files stored on our premises;

(b) electronic records maintained on internal servers, websites, and a private cloud;

(c) electronic storage devices such as DVDs and USB drives;

(d) third‑party data storage facilities within Australia; and

(e) Microsoft services, with mailboxes stored at rest in Australia.

​

We take all reasonable steps to protect the personal information we hold from unauthorised access, misuse, or disclosure. However, we cannot guarantee that unauthorised access or disclosure will never occur.

​

Some of the measures we use to store and protect personal information include:

​

(a) implementing unique usernames, passwords, and other security controls on systems that access personal information;

(b) maintaining a secure document retention system, including locked storage accessible only to authorised personnel, for important documents such as Wills and other originals; and

(c) using lockable compactus units for more sensitive information, key documents, and financial records.

​

WHY DO WE COLLECT, HOLD, USE OR DISCLOSE PERSONAL INFORMATION?

We use and disclose personal information only for the primary purpose for which it is collected, generally to provide legal or related services. For prospective employees, the primary purpose is to assess suitability for employment.

​

We may also use or disclose personal information for secondary purposes that are related to the primary purpose and reasonably expected by the individual, such as:

​

(a) receiving disclosures through our external whistleblower service;

(b) sending legal updates and event invitations (with the option to unsubscribe);

(c) meeting our professional and regulatory obligations; and

(d) making referrals.

​

We may disclose personal information:

​

(a) to service providers or referral partners involved in delivering legal or related services;

(b) to government agencies, including ASIC and the ATO;

(c) with the individual’s consent; and

(d) to third‑party contractors providing financial, administrative, IT, or other support services.

​

We otherwise disclose personal information only with consent or where permitted under the Privacy Act.

​​

HOW DO WE MANAGE YOUR CREDIT INFORMATION?

We do not use an individual’s personal information to assess their credit eligibility. However, during the course of providing the legal service to the individual, we may collect credit information that is necessary to provide them with the legal service.

​

What kinds of credit information may we collect?

The main kind of credit information we collect is an individual’s identification information.

​

However, in the course of providing legal or other services, we may be given (and subsequently hold) the following other kinds of credit information:

​

(a) information about any credit that has been provided to you;

(b) your repayment history;

(c) information about your overdue payments;

(d) whether the terms and conditions of your credit arrangements are varied;

(e) whether any court proceedings are initiated against you in relation to your credit activities;

(f) information about any bankruptcy or debt agreements involving you;

(g) any publicly available information about your credit worthiness; and

(h) any information about you where you may have fraudulently or otherwise committed a serious credit infringement.

​

We do not collect your credit information from credit reporting bodies unless it is necessary to provide you with the legal service or you have expressly asked us to.

​

We may collect personal information that may affect your credit worthiness from other credit providers, who have collected that information from a credit reporting body. The kinds of personal information we collect may include any of those kinds of personal information outlined in the ‘What kinds of personal information do we collect and hold’ section of this policy.

​

How and when do we collect credit information?

In most cases, we will only collect credit information about you if you disclose it to us and it is relevant in providing you with the legal service.

Other sources we may collect the credit information from include:

​

(a) banks and other credit providers;

(b) other individuals and entities via referrals;

(c) government bodies; and

(d) your suppliers and creditors.

 

However, in most cases you will be aware that this information is being collected as part of the legal service we are providing to you.

​

How do we store and hold the credit information?

We store and hold credit information in the same manner as outlined in the ‘How do we hold personal information’ section of this policy.

​

Why do we collect the credit information?

Our usual purpose for collecting, holding, using and disclosing credit information about you is to enable us to provide you with the legal service.

​

We may also collect credit information to process payments.

​

Overseas disclosure of the credit information

We will not disclose your credit information to overseas entities unless you expressly advise us to, except to the extent that it is necessary or desirable to make such a disclosure to obtain payment of money owed to us.

​

How can I access my credit information, correct errors or make a complaint?

You can access and correct your credit information, or complain about a breach of your privacy in the same manner as set out below.

​

HOW DO WE HANDLE DATA BREACHES?

A data breach occurs when personal information is lost or subjected to unauthorised access, use, modification or disclosure or other misuse or interference.

​

We have implemented a data breach response plan to assist us to effectively contain, evaluate and respond to data breaches in order to mitigate potential harm to any persons affected by a data breach.

​

In summary, our data breach response plan:

​

(a) directs our staff as to the steps they should take in the event of an actual or suspected data breach;

(b) appoints a team to handle data breaches;

(c) specifies a strategy for assessing and responding to data breaches;

(d) sets out the process for notifying any affected persons, the Privacy Commissioner and other relevant parties; and

(e) outlines the review process to help prevent data breaches in the future.

​

We will generally notify you if we reasonably believe that your personal information has been subjected to a data breach if:

​

(a) there is a risk of serious harm to you;

(b) notification could enable you to avoid or mitigate serious harm;

(c) the compromised personal information is sensitive or likely to cause humiliation or embarrassment to you; or

(d) we are required to notify you by law.

 

We will notify the Privacy Commissioner if we reasonably believe that your personal information has been subjected to a data breach that is likely to result in serious harm to you.

​

Where appropriate, we may also notify other third parties of a data breach.

​

HOW CAN YOU ACCESS AND CORRECT YOUR PERSONAL INFORMATION?

It is important that the information we hold about individuals is up to date. Individuals should contact us if their personal information changes.

​

Access to information and correcting personal information

Individuals may request access to the personal information we hold or ask for their personal information to be corrected.

​

We will grant an individual access to their personal information as soon as possible, subject to the request circumstances.

​

In keeping with our commitment to protect the privacy of personal information, we will not disclose personal information to an individual without proof of identity.

​

We may deny access to personal information if:

​

(a) the request is impractical or unreasonable;

(b) providing access would have an unreasonable impact on the privacy of another person;

(c) providing access would pose a serious and imminent threat to the life or health of any person;

(d) providing access would compromise our professional obligations; or

(e) there are other legal grounds to deny the request.

 

We may charge a fee for reasonable costs incurred in responding to an access request. The fee (if any) will be disclosed prior to it being levied.

​

If the personal information we hold is not accurate, complete and up to date, we will take reasonable steps to correct it so that it is accurate, complete and up to date, where it is appropriate to do so.

​

Complaints

If a person wishes to complain about an alleged privacy breach, they must follow this process:

​

(a) The complaint must first be made to us in writing, using the contact details in this section. We will have a reasonable time to respond to the complaint.

(b) In the unlikely event the privacy issue cannot be resolved, they may take their complaint to the Office of the Australian Information Commissioner.

​

Whom to contact

A person may make a complaint or request to access or correct personal information about the person held by us. Such a request must be made in writing to the following address:

​

Contact person: Privacy Officer

​

Telephone number: 07 5532 5800

​

Email address: admin@pontinghynes.com.au

​

Postal address: PO Box 1782, Southport Qld 4215

​

CHANGES TO THE POLICY

We may update, modify or remove this policy at any time without prior notice. Any changes to the privacy policy will be published on our website.

​

This policy was last updated on DATE. If you have any comments on the policy, please contact our privacy officer on the contact details above.
