1 INTRODUCTION AND OVERVIEW Incredible People (ABN 89 836 767 884) is committed to protecting the privacy of your personal information. This Privacy Policy explains how Incredible People manages the personal information that we collect, use and disclose and how to contact us if you have any further queries about our management of your personal information. This Privacy Policy does not cover personal information collected or held by Incredible People about its employees.

Incredible People is required by the Privacy Act 1988 (Cth) (Privacy Act) to comply with the Australian Privacy Principles (APP) (subject to other provisions of the Privacy Act). The APPs regulate the manner in which personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal.

Incredible People is also required to comply with the Spam Act 2003 (Cth) (Spam Act); the Do Not Call Register Act 2006 (Cth) (Do Not Call Register Act); the European Union General Data Protection Regulation (GDPR); and the Notifiable Data Breaches (NDB) Scheme.

1.1 WHAT IS PERSONAL INFORMATION? Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. Special provisions apply to the collection of personal information which is sensitive information. Sensitive information includes (for example) information about a person’s membership of a professional or trade association. Incredible People does not collect sensitive information (as defined by the Privacy Act) without consent.

The kinds of personal information Incredible People collects and holds include:

• an individual’s name, address, DOB, gender, contact number and email address
• username
• post-nominal letters
• employment details
• credit card details

1.2 COLLECTION OF PERSONAL INFORMATION BY INCREDIBLE PEOPLE To the extent required by the Privacy Act Incredible People will not collect personal information about you unless that information is necessary for one or more of our functions or activities, for example:

• conferences, meetings, events and presentations
• newsletters or publications
• membership procedures

When Incredible People collects personal information directly from you, we will take reasonable steps at or before the time of collection to ensure that you are aware of certain key matters, such as the purpose for which we are collecting the information, the organisations (or types of organisations) to which we would normally disclose information of that kind, the fact that you are able to access the information and how to contact us.

When we collect credit card or other payment details, we will not store them, or they will be masked or encrypted after your payment has been processed. Where Incredible People collects information about you from a third party, we will take reasonable steps to ensure that you have consented or have been made aware of the details as set out above.

Similarly, Incredible People may be required to provide your contact details to third party suppliers of services which you would reasonably expect Incredible People to do in order to provide its services. Incredible People provides the opportunity to opt-out of such third party arrangements.

Incredible People acknowledges that there is no obligation for an individual to provide it with personal information. However, if an individual chooses not to provide Incredible People with personal details, Incredible People may not be able to provide the individual with the services reasonably expected to be provided.

1.3 USE AND DISCLOSURE OF PERSONAL INFORMATION BY THE INCREDIBLE PEOPLE If Incredible People uses or discloses your personal information for a purpose (secondary purpose) other than the main reason for which it was originally collected (primary purpose) to the extent required by the Privacy Act, we will ensure that:

• the secondary purpose is related to the primary purpose and you would reasonably expect that Incredible People would use or disclose your information in that way
• you have consented to the use and disclosure of your personal information for the secondary purpose
• the use or disclosure is required or authorised by or under law
• the use or disclosure is otherwise permitted by the Privacy Act

For each visitor to our website or social media site or e-news, we may collect the following type of information for statistical purposes:

• number of users who visit
• date and time of the visits
• pages accessed
• user’s top-level domain name (for example .com or .gov)
• previous site visited
• type of browser used
• type of device used, users’ operating system (such as Windows or Macintosh)
• website or mobile device activity

The Incredible People system requires that the web browser accept cookies, which are used to make logging-in possible. Cookies are pieces of information that a website can transfer to an individual’s computer hard drive for record-keeping. Your cookie may be sent at various times during your visit to our website and may be updated as you access our many different areas. These cookies are not used to collect, store, track or monitor any personal information.

As would reasonably be expected, Incredible People may collect website and mobile device (e.g. apps) statistics (which includes pages accessed and search terms used) but this information is not identifiable (i.e. Incredible People cannot tell who you are): Google Analytics: (or other third-party vendor) demographics and interest reporting (such as what country you are from, what language your computer is set to, age group, gender and interest area).

This is anonymous statistical data and no attempt will be made to identify users. We use this data to evaluate our website and to improve the content we display to you.

We may use Google AdWords, Facebook Pixel and other third-party vendor remarketing tools to advertise trigger ads across the internet. AdWords (and other vendors) remarketing will display relevant ads tailored to you based on what parts of Incredible People website you have viewed by placing a cookie on your machine and/or use Facebook Pixel or Google Tag Manager technology (using your internet browser).

This cookie does not in any way identify you or give access to your computer. The cookie or similar technology is used to say: “This person visited this page, so show them ads relating to that page.” Google AdWords (or other third-party vendor) remarketing allows us to tailor our marketing to better suit your needs and only display ads that are relevant to you.

1.4 WHY DOES INCREDIBLE PEOPLE COLLECT PERSONAL INFORMATION? Incredible People collects personal information for a range of purposes, including:

• to process applications for membership
• manage the membership of the online training portal
• record and maintain membership details and profile information
• provide information on services and benefits available to members
• notify members and non-members about Incredible People events
• website traffic data for statistical, reporting and maintenance purposes
• manage conferences, workshops and events, including:
  – travel organisation, both domestic and international
  – international conferences and exchanges
  – manage grant applications
• distribution of Incredible People products, eg:
  – newsletters
  – purchase of downloadable products

From time to time, Incredible People may survey its members on a range of issues. These surveys help us to identify and analyse the ongoing needs of our members and the quality of our products and services. If you do not wish to participate in these surveys, you can opt out of the survey or please let us know.

1.5 OUR RESPONSIBILITIES UNDER THE GDPR For EU residents that engage with Incredible People, because we collect, use and store your personal information to enable us to provide you with our goods and/or services, we are a “collector” under the GDPR. As such, we have certain obligations under the GDPR when collecting, storing and using the personal information of EU residents. If you are an EU resident, your personal data will:

• be processed lawfully, fairly and in a transparent manner by us;
• only be collected for the specific purposes we have identified in section 1.4 above and personal information will not be further processed in a manner that is incompatible with the purposes we have identified;
• be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
• be kept up to date, where it is possible and within our control to do so (Fellows may update their data by logging into their Fellow’s profile on Incredible People website and editing details). Please let us know if you would like us to correct any of your personal information, by sending an email to info@atse.org.au;
• be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal data was collected; and
• be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.

We also apply these principles to the way we collect, store and use the personal information of all non-EU contacts.

Specifically, we have the following measures in place, in accordance with the GDPR:

• Data protection policies: We have internal policies in place which set out where and how we collect personal information, how it is stored and where it goes after we get it, in order to protect your personal information.
• Right to ask us to erase your personal information: You may ask us to erase personal information we hold about you.
• Right to ask us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal information we hold about you is wrong (to give us enough time to verify if the information needs to be changed), and you request us to restrict the processing of personal information rather than it being erased.
• Notification of data breaches: We will comply with the GDPR in respect of any data breach.

1.6 HOW MIGHT WE CONTACT YOU? We may contact you in a variety of ways, including by post, email, SMS, social media, mobile devices or apps, or telephone call.

Spam We will not send you any commercial electronic messages such as SMSs or emails unless this is permitted by the Spam Act. Any commercial electronic message that we send will identify Incredible People as the sender and will include our contact details. This message will also provide an unsubscribe facility. If you do not wish to receive commercial electronic messages from us, please let us know.

Do Not Call Register We will not call you on a number listed on the Do Not Call Register unless this is permitted under the Do Not Call Register Act. If you do not wish us to call you on a particular number, please let us know.

1.7 WHEN DOES INCREDIBLE PEOPLE DISCLOSE PERSONAL INFORMATION TO THIRD PARTIES? In performing our functions and activities (such as for conferences, presentations, and events as outlined above), we may need to disclose personal information to third parties where you may reasonably expect Incredible People to use or disclose the personal information for a specific purpose. Third parties with whom Incredible People may share your personal information include, where appropriate:

• secure online election provider
• printers and distributers of Incredible People publications and other material
• financial institutions for payment processing
• external business advisers (such as auditors and lawyers)
• travel and conference organisers

1.8 DATA QUALITY AND SECURITY Incredible People aims to safeguard your information to the best of its abilities, through a combination of technical, administrative and physical measures.

All personal information collected by Incredible People will be retained as part of a database, which will be securely monitored and maintained by Incredible People or an approved host. If Incredible People stores personal information with a “cloud” service provider, the provider may be situated outside Australia. Subject to paragraph 1.7, the data will not be made available to a third party, unless it is legally required and verified, without the authority of the individual who provided the personal information.

Incredible People will take all reasonable steps to protect the security of the personal information that it holds. This includes appropriate measures to protect electronic materials and materials stored and generated in hard copy. Where information held by Incredible People is no longer required to be held, and the retention is not required by law, then Incredible People will de-identify or destroy such personal information by a secure means.

However, if you have reason to believe that your interaction with us is no longer secure (for example, if you feel that your online account has been compromised) please contact us by phone: 0417 916 415 or email support@incrediblepeople.net.

Please note some third-party platforms that you might use to engage with us (for example, Facebook, LinkedIn, Twitter, GetResponse or SecurePay) are not under our control. If you have concerns about using these platforms, we encourage you to carefully consider their terms and conditions and other relevant policies.

Incredible People permits your details to be accessed only by authorised personnel, and it is a condition of employment that our employees maintain the confidentiality of personal information.

Payment security of all financial transactions is maintained by Incredible People using EFTPOS and online technologies. It is our policy to ensure that all financial transactions processed meet industry security standards that ensure payment details are protected.

If you are concerned about sending your information over the internet, you can contact us by email or telephone.

1.8.1 DATA BREACH RESPONSE PLAN The Data Breach Response Plan is to enable Incredible People to contain, assess and respond to a data breach in a timely fashion and to mitigate potential harm to affected individuals.

A data breach occurs when information held by Incredible People is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Data breaches involving personal information that are likely to cause individuals to be at serious risk of harm must be reported to the affected individual(s) and the Australian Information Commissioner in accordance with the requirements of the Notifiable Data Breaches (NDB) scheme.

Data breaches may arise from: loss or unauthorised access, modification, use or disclosure or other misuse; malicious actions, such as theft or “hacking”; internal errors or failure to follow information handling policies that cause accidental loss or disclosure; and not adhering to the laws of the states and territories or the Commonwealth of Australia.

When a data breach has occurred or is suspected to have occurred, Incredible People will initiate the following process. However, it should be noted that there is no single method of responding to a data breach and in some cases the following steps may need to be modified. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.

Suspected or known data breach When an Incredible People employee or contractor become aware or suspects that there has been a data breach, they will notify their manager who will assess the risk, document the event and report in the first instance to the Managing Director.

The Managing Director will investigate details of the suspected breach and record a brief description of the nature of the breach, how it occurred, the date of the breach, the date of discovery and the date of notification to Incredible People (for an external breach).  The Managing Director will determine Incredible People’s response and remedial actions to take to contain the breach, which may include:
– if the breach is the result of an ICT security incident (i.e. an event that affects the confidentiality, integrity or availability of Incredible People’s information, systems and infrastructure), notify Incredible People’s IT service manager provider to implement a response;
– stopping the unauthorised practice;
– recovering records;
– shutting down the system that has been breached;
– revoking or changing computer access privileges;
– addressing weaknesses in physical or electronic security

Notification and Review The Managing Director will coordinate notification (if required) of affected individuals  and/or the Australian Information Commissioner.

1.9 ACCESS AND CORRECTION OF YOUR PERSONAL INFORMATION Incredible People has its Privacy Policy available on its website and can also provide a hard copy version upon request. If you would like more information or a hard copy of the Incredible People Privacy Policy, please email support@incrediblepeople.net .

Incredible People will make available for inspection, free of charge, all personal information, based on the information supplied by the individual that it holds in relation to an individual, provided reasonable notice is given. In the event that such a request is made, Incredible People will review our records to determine what personal information is held and endeavour to respond to your request as soon as possible.

Please note that Incredible People will request that identification is provided before personal information is released. In the event that any part of the personal information that the individual inspects is determined to be incorrect and requires alteration then Incredible People will make such alteration in compliance with the corrected advice provided by the individual.

Members are able to update their contact details and profile information online at any time by signing into the Members portal section of the website to Manage Account; or they can email support@incrediblepeople.net .

Opting out Subject to the above, where you have consented to receiving communications from Incredible People, your consent will remain current until you advise us otherwise. However, you can, at no cost, opt out at any time, by sending an email to support@incrediblepeople.net .

FURTHER INFORMATION Please contact Incredible People if you have any queries about the personal information that Incredible People holds about or the way we handle that personal information.