DEFINITIONS

In this Policy, the following definitions apply:

Individuals means the John Sands Group’s employees and persons otherwise contracted or sub-contracted to the John Sands Group, vendors, service providers, customers, agents, licensors, joint ventures, information collected by a third party through a John Sands Group product or any other third parties that have access to and/or utilise personal information collected and/or held by the John Sands Group.

The John Sands Group means John Sands (Australia) Ltd, and The Ink Group Pty Ltd collectively and individually.

Manager means the representative of the John Sands Group to which the Individual reports in relation to the performance of his or her obligations to the John Sands Group.

INTRODUCTION

The John Sands Group acknowledges its commitment to the privacy provisions in the Privacy Amendment Act 2000.

The John Sands Group respects each Individual’s rights to security, privacy and service in relation to the manner in which we utilise their personal information. We will ensure that all Individuals are treated with respect and will ensure that we meet the levels of privacy they expect. On the 21st December 2001 a new Privacy Amendment (Private Sector) Act came into effect and as a requirement the John Sands Group has developed this Policy and Procedures. The John Sands Group may amend this Policy from time to time and Individuals will be advised of any changes in a timely manner.

PURPOSE

Our Policy and Procedures are based on the Privacy Amendment (Private Sector) Act and adopt the National Privacy Principles contained in the Act to set the standards for privacy protection.

The purpose of this Policy is to outline how the John Sands Group manages your personal information. It also describes the sorts of personal information held and for what purposes, how the information is collected, held, used and disclosed, and how we handle complaints.

WHAT ARE THE NATIONAL PRIVACY PRINCIPLES?

The National Privacy Principles are ten principles or rules in the Act that describe how the John Sands Group should handle personal information.

The Principles are summarised below:

1. Collection: The John Sands Group will only request information that is necessary and relevant to the service we provide Individuals.
2. Use & Disclosure: The John Sands Group will not divulge any information it gathers to a third party without the consent of the Individual.
3. Data Quality: The John Sands Group will endeavour to take all reasonable steps to ensure that the information it collects, uses or discloses is accurate, complete and up to date.
4. Data Security: The John Sands Group will ensure all information it holds is protected from misuse, unauthorised access, modification or disclosure. Any information that is no longer required will be destroyed.
5. Openness: The John Sands Group will take reasonable steps to provide an Individual with the details of personal and sensitive information held.
6. Access and Correction: Individuals have the right to access information held by the John Sands Group. This is subject to some exceptions allowed by law, however we will give Individuals reasons if we deny access.
7. Identifiers: The John Sands Group will not adopt identifiers (forms of identification) for an Individual assigned by an external agency.
8. Anonymity: The John Sands Group will give an Individual the option of not identifying themselves when entering into transactions with us whenever it is lawful and practicable to do so.
9. Transborder Data Flow: The John Sands Group will not transfer information about an Individual to someone in another country unless we have the consent of the Individual and if we reasonably believe that the information will have appropriate protection (with the exception of some employee details shared within the American Greetings Group).
10. Sensitive Information: The John Sands Group will only collect sensitive information about an Individual with their consent or if required by Law.

HOW DOES THE JOHN SANDS GROUP HANDLE YOUR INFORMATION?

Definitions:

Personal information is information that allows others to identify you. Specifically it includes your name, age, gender, contact details, health information and some financial information.

Personal information relates to a natural living person. A natural person is a human being rather than for example, a company, which may in some circumstances be recognised as a legal ‘person’ under the law.

Sensitive information concerns an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs or affiliations, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, health information and disability.

We will act to protect your personal and sensitive information in accordance with the National Privacy Principles.

This is subject to some exceptions, including:

  • if the collection is required by law, and
  • when the information is necessary for the establishment, exercise or defense of a legal claim.

COLLECTION OF PERSONAL INFORMATION

All personal information collected and held will be done in accordance with this Policy and we will take all reasonable steps to ensure that the Privacy Principles are properly adhered to. A Privacy Officer has been appointed who is responsible to ensure compliance with this Policy.

The information collected may include an Individual’s name, postal or email address, date of birth, financial details including credit rating, tax file number, Australian Business Number (ABN), health information or other information the John Sands Group considers necessary.

The information is collected so that the John Sands Group may:

  • Administer our customer relationships
  • Provide our customers with the products and services they request
  • Provide services to our employees

If it is reasonable or practicable to do so we will collect your personal information from you – this may happen when you complete a contract, a service agreement, an administrative form or when you give us information over the telephone or counter.

In certain cases we may collect your personal information from third parties, eg. superannuation funds, medical providers, financial institutions, legal or financial advisers, payment organisations or publicly available sources of information.

The information we collect may be used for:

  • Improving services to customers
  • Assisting customers with queries
  • The management of employee issues
  • Evaluating our trading relationship with customers, ie. making responsible credit decisions

If the information required to offer our products and services is incomplete we may be unable to offer the range of products or services our customers and employees require. In most cases, at the time of taking the information the person collecting the information will obtain your consent to take the information and for the purposes for which we intend to use or disclose your information. You may withdraw your consent at any time. Please note that by withdrawing your consent the John Sands Group may not be able to provide the products or services that you require.

You may also deal with us anonymously where it is lawful and practicable to do so. For example, if you are only inquiring about our products or services you do not need to provide your personal details.

USING AND DISCLOSING YOUR PERSONAL INFORMATION

The John Sands Group business is a group of companies that provide greeting cards and related products to retailers.

In line with contemporary business practices we may collect personal information as a way to provide products and services to our customers and our employees. If we need to collect personal information from you, we will tell you why we are collecting the information, your right of access to that information, and the consequences if you choose not to provide that information.

We may disclose personal information to external organisations that help us provide services to all Individuals. These organisations are also bound by similar confidentiality arrangements.

The types of organisations may be, but are not limited to, those that are:

  • Involved in providing, managing, administering our products and services such as third party suppliers;
  • Involved in the payment system, including financial institutions, superannuation fund managers, etc.;
  • Involved in reviewing and developing our business systems and procedures including testing or upgrading;
  • Your representatives, including legal advisers;
  • As required or authorised by law, such as government or regulatory bodies for purposes related to public health or safety, the prevention or detection of unlawful activities or to protect public revenue.

USING GOVERNMENT IDENTIFIERS

Although in certain circumstances we may be required to collect government identifiers, such as your tax file number, ABN, Medicare number, etc. we will not use or disclose this information other than when required or authorised by law.

PERSONAL INFORMATION SECURITY

The John Sands Group is committed to keeping the personal information you provide us secure. We will take all reasonable precautions to protect the personal information we hold about you from misuse and unauthorised access. We store your personal information in different ways, including in paper and electronic form.

Our security measures include:

  • Restricted access to employees’ personal records
  • Restricted access to our website database
  • Employing firewalls, intrusion detection systems and virus scanning tools to prevent unauthorised persons and viruses from entering our systems
  • Practicing a ‘clean desk’ policy in all our offices with secure storage locations for physical records
  • Detecting and preventing unauthorised access to premises by employing physical and electronic means
  • Using dedicated secure networks or encryption when we transmit electronic data

When the information we store is identified as being no longer required, we will take all reasonable steps to ensure that it is effectively destroyed.

We will review our security arrangements from time to time, as we deem appropriate.

ONLINE

The John Sands Group has a website that helps us to promote our brands and products. The site itself collects basic personal information to help us provide a birthday service. The access to information from this site is subject to security protocols.

Our service provider collects information on website activity through the use of ‘cookies’ (a recognition you have visited the website). This information alone does not identify an individual but does provide statistical information to help The John Sands Group analyse and improve our website. You may view our Privacy Policy on our website by logging on to www.johnsands.com.au.

ACCESS TO PERSONAL INFORMATION

You can request access to the personal information the John Sands Group holds about you. John Sands Group employees can request this information via their Manager. Other individuals may make a written request to the John Sands Group representative they usually deal with. We will respond to your access request as soon as possible and commit to responding in no more than 10 working days. If any of the information is inaccurate please inform your Manager or your John Sands Group representative so we can correct it. We will not charge you for requesting access to your personal information.

If we deny access we will give you the reasons; however, this is subject to some exceptions allowed by law, which include:

  • access would pose a serious threat to the life or health of any individual;
  • access would have an unreasonable impact on the privacy of others;
  • a frivolous or vexatious request;
  • the information relates to a commercially sensitive decision making process;
  • access would be unlawful;
  • access would prejudice enforcement activities relating to criminal activities and other breaches of law, public revenue, a security function or negotiations with you;
  • legal dispute resolution proceedings; and
  • denying access is required or authorised by or under law.

ACCESS TO CREDIT REPORTS

The John Sands Group customers have the right to ask for a copy of any credit reports the John Sands Group has obtained from a credit reporting agency. Copies of credit reports may also be obtained directly from the credit reporting agency. You have the right to have any inaccuracies corrected, or if there is any dispute about the accuracy of the information, a file note can be added to your file explaining the position.

NOTIFIABLE DATA BREACHES

Stemming from the Privacy Amendment (Notifiable Data Breaches) 2017, John Sands have a responsibility to advise the Office of the Australian Information Commissioner (OAIC) and affected individuals of any eligible data breaches in respect of personal information they hold where the breach is likely to result in serious harm.

An eligible data breach is not limited to, but may include, phishing, malware, ransomware, brute force attack, compromised or stolen credentials and hacking by other means. It also includes social engineering attacks or impersonation or actions taken by a rogue insider. While cyber incidents are the most common types of attack, this also includes loss or theft of paperwork, storage devices, phones or laptops.

Information could include personal information (name, phone number and address), financial details (bank details, contract details) and identity information (TFN, passport details).

Should you be aware that such a breach has occurred or you suspect it has occurred, it is a requirement that you contact the John Sands Privacy Officer (Shane Thornton) or a member of the Leadership Team (LST). The claim will be investigated by the LST and relevant technical support. Should the claim be found to be accurate, the OAIC and affected individuals will be notified and corrective measures put in place.

MAKING A COMPLAINT

We recognise that even in best practice run organisations things can go wrong. Should you have a complaint, we encourage you to tell us so that we can resolve the problem. Employees should contact their Managers and other individuals should contact the Manager of the department they usually deal with. We can also be contacted via our Privacy Officer as per the details listed below. If we do not resolve the complaint to your satisfaction then the complaint can be referred to the Privacy Commissioner.

If you have any questions or would like further information on our privacy and information handling practices please contact us by:

  • E mail : ni*********@***********om.au
  • Telephone : Nikki Earle on 1800 033 411
  • Facsimile : (03) 9239 3982
  • Write to : Nikki Earle (Privacy Officer)
    John Sands (Australia) Ltd.
    Bag 170 Clayton South MDC, Clayton South, VIC, 3169.

VIOLATIONS

Any Individual in breach of this Policy may be subject to disciplinary action, including possible termination of employment or contract and/or legal action if his or her breach constitutes a violation of any applicable law.

Disciplinary Actions

Disciplinary actions for breaches of this Policy may include any combination of the following:

  • counseling, further education and training;
  • demotion, transfer, suspension, probation or dismissal;
  • suspension of system access rights;
  • official warnings that are noted on personnel files;
  • disciplinary action against the person who complained if there is strong evidence that the complaint was fabricated, vexatious or malicious;
  • financial penalties and recovery of costs;
  • termination of contractual agreements; and
  • civil or criminal prosecution.

Factors affecting Disciplinary Actions

The outcomes of a complaint will depend on a number of factors such as:

  • the wishes of the person who made the complaint;
  • the severity and frequency of the breach;
  • the weight of the evidence;
  • the level of contrition; and
  • whether there have been any prior incidents or warnings.

Any action taken by the John Sands Group against an Individual in relation to a breach or an alleged breach of this Policy will be in accordance with the ‘Privacy Policy Complaints Handling Procedure’ to ensure procedural fairness. An Individual alleged to be in breach of this Policy should contact their Manager or the John Sands Group representative they usually deal with.

AUTHORITY & RESPONSIBILITY

It is the responsibility of all Individuals to ensure they understand and adhere to this Policy and that they maintain up-to-date knowledge of any changes to the Policy and/or procedures.

Ignorance of the existence of this Policy or procedures will not be an acceptable excuse for non-compliance.

It is the responsibility of the Privacy Officer to:

  • be available to Managers and Individuals to answer enquiries about privacy legislation in general and to assist in the resolution of complaints as required;
  • act as a mediator when required;
  • conduct investigations into all formal complaints;
  • ensure that investigations and meetings are fair and that all parties are heard without bias;
  • provide training and support to Managers and Individuals regarding privacy legislation and the John Sands Group policy and procedures;
  • provide advice to Managers and Individuals regarding the best ways of preventing and dealing with privacy legislation issues;
  • maintain records of any discussions conducted in a ‘Complaints Register’;
  • ensure the ‘Complaints Register’ is held in a secure location and access is restricted.

EFFECTIVE DATE

This policy is effective 14th September 2018

RELATED DOCUMENTS

This policy should be read in conjunction with:

  • The John Sands Group ‘Complaints Handling Procedure’