1. Purpose and scope

This policy governs how Altura Learning Australia Pty Ltd ABN 39 054 798 962 and its related bodies corporate (we, us, our) collect, store, use, disclose and manage personal information. This policy also outlines and explains the types of personal information we collect, how we keep it secure, the purposes for which it is collected, your rights in relation to your personal information, how you can request access to and correct personal information that we hold about you and how you can make a privacy complaint or contact us with your enquiries or concerns.

We take your privacy seriously and are committed to open and transparent management of personal information. When dealing with personal information, we comply with the Privacy Act 1988 (Cth) (Act), the Australian Privacy Principles in the Act, the European Union’s General Data Protection Regulation (GDPR) (if applicable to your personal information) and all other applicable legislation.

Our consultants and contractors are required to enter into written contracts ensuring their strict compliance with the applicable privacy laws.

This policy does not apply to personal information that is exempt under the applicable law..

2. What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

If the GDPR applies to the personal information we collect from you, then personal information has the same meaning as the definition of ‘Personal Data’ under the GDPR.

3. What kinds of personal information do we collect and why?

We try to only collect personal information when it is necessary to perform our business functions.

Where necessary, we collect and hold personal information that is required to provide you with the televisual training services you are seeking. The kinds of personal information we generally collect and hold include name, age, internet address or screen name, billing address, type of computer, credit card number and other contact information.

For prospective employees, we may collect personal information including name, address, contact details, qualifications and experience, and information contained in references obtained from third parties to assess and process employment applications.

For contractors and consultants, we may collect personal information including contact details, financial details, billing information, qualifications, licences, insurance details and information contained in references obtained from third parties.

If lawful and reasonable to do so, we will destroy and de-identify all unsolicited personal information we receive if we would not normally collect this information to perform one of our functions or activities or if the information is sensitive and no consent has been given.

4. When do we collect personal information?

We will not collect personal information unless it is reasonably necessary for one of our functions or activities. We will usually only collect sensitive information with your consent. All personal information will only be collected through lawful and fair means.

5. Where do we collect personal information from?

The sources from which we collect personal information will depend on the circumstances of the collection and may include the following:

5.1 From you or with your consent

We will try to collect your personal information directly from you, or alternatively, with your consent. We will collect personal information from you:

a) if you provide us with your personal information;

b) when we specifically ask for personal information about you when you sign up to use a service including your name, age, internet address or screen name, billing address, type of computer and credit card number;

c) if you complete relevant agreements, forms, surveys, competitions, questionnaires or you communicate with us by taking part in a discussion forum, email, telephone, in writing or in person;

d) if you are providing services to us or our customers;

e) if you are a supplier, contractor or consultant of ours; or

f) if you apply for employment with us.

From customer companies:

When a company engages our services, we may collect the personal information of their staff where necessary. The personal information collected may include name, age and other contact details.

From our website:

When you visit our website, our web server may download a cookie to your computer. A cookie is a small piece of information sent by our server to your browser. Cookies do not contain personal information about you but can identify a user's browser. We use cookies to capture information about a user's browser. If you do not wish to receive cookies, you may set your browser to refuse them.

6. Can I choose to remain anonymous?

If you are engaging with our services, it is your choice whether you remain anonymous.

We automatically gather anonymous information to monitor use. For example, the numbers and frequency of visitors to our website. This collective data helps us determine how our audiences use parts of our website, so we can improve our services. We may publish or provide this aggregate data to other people or organisations.

If you wish to use a pseudonym that is linked confidentially to your real identity, please let us know and we will discuss with you any arrangements that can be made.

7. How do we use and disclose personal information?

We may use and disclose personal information for the particular purpose for which it was collected (Primary Purpose).

For customers, this will include use and disclosure necessary to provide televisual training services. For example, staff involved in the provision of services or administrative staff (involved in preparation of documentation, billing and other administrative duties) may be provided with personal information.

For prospective employees, this may be for assessing and processing employment applications.

We will only generally use or disclose personal information collected for a Primary Purpose. However, it may be necessary in some cases to disclose personal information for a secondary purpose, including:

a) if we have your consent;

g) if required for the management of our services. For example:

(i) billing or debt-recovery, service-monitoring, complaint-handling, incident reporting, developing and planning services, evaluation and improvement, quality assurance or audit activities, and accreditation activities;

(ii) education and training of our staff (who may not be our employees), where de-identified information is not sufficient for this purpose; and

(iii) disclosure to our consultants and contractors who provide services to us, for example IT and database management service providers.

h) if we are required or authorised by or under a relevant law or a court or tribunal order.

8. Data quality

We will take reasonable steps to ensure that the personal information we collect is accurate, complete, up to date and relevant to the purpose for which it is to be used, both at the time of collection and use.

9. How do we hold personal information and keep it secure?

All personal information collected is securely stored on our electronic databases.

We will take reasonable steps to ensure that the personal information we hold is protected from misuse, loss, interference, unauthorised access, modification or disclosure.

We will notify you, as soon as reasonably practicable, if we find that there has been any unauthorised access, disclosure or loss of your personal information that is likely to result in serious harm to you.

Where we use third parties to process your personal information for us, we will have arrangements in place to ensure that it is fully in accordance with the applicable legislation.

10. Openness

If requested, we will let you know what kind of personal information of yours we hold, for what purpose, and how we handle that information. We will also make this policy available to anyone who requests a copy of it.

11. How can I access or correct my personal information?

You can request access to your personal information held by us, upon written request to our Privacy Officer. We will endeavour to acknowledge the request within 14 days of its receipt and to provide you with access to the information requested within 30 days of receipt of the request. To obtain access to your personal information, you must provide us with proof of identity. This is necessary to ensure that your personal information is provided only to the correct individuals and that the privacy of others is protected.

If, upon receiving access to your personal information or at any other time, you believe your personal information is inaccurate, incomplete or out of date, you can notify our Privacy Officer to correct your personal information. We will endeavour to acknowledge the request for correction within 14 days of its receipt and to correct the information within 30 days of receipt of the request. We will take reasonable steps to correct the information so that it is accurate, complete and up to date.

We may decline a request for personal information in circumstances prescribed in the Act. If so, we will give you a written notice setting out the reasons for refusal and the complaint mechanisms available to you.

12. Do we disclose personal information overseas?

We may disclose personal information to entities outside of Australia and/or the European Union territory, including the United States of America. In such instances, we will take all steps that are reasonable in the circumstances to ensure that the overseas recipient does not breach applicable laws such as the Australian Privacy Principles or the GDPR, unless the disclosure is necessary or authorised by law.

13. Do we use your personal information for direct marketing and can you opt out?

There may be occasions where personal information is used for direct marketing purposes including direct contact, telephone enquiries, email, SMS, letters, internet and web interactions, surveys and other forms of communication. Any such use will be limited to circumstances where you would reasonably expect us to use or disclose your personal information for that purpose and it has been collected from you, or if you have otherwise consented or requested this information.

You have the right:

a) only receive direct marketing communications if you give express consent; or

i) to request that we provide the source of your personal information where reasonable and practicable.

If you have consented to us providing direct marketing to you and you wish to stop receiving such marketing, please contact us on the details set out in this policy or provided in the marketing communication.

14. How can I complain about the handling of my personal information?

If you believe we have at any time breached this policy, you may lodge a written complaint with our Privacy Officer on the contact details in this policy.

We will endeavour to acknowledge your complaint within 14 days of its receipt, and to make a determination on the complaint within 30 days of its receipt.

15. Application of General Data Protection Regulation

If the GDPR applies to the personal data we collect from you, we need your express consent for some of the ways we use your personal information, e.g., for processing special categories of information about you. You can remove that consent at any time.

You also have certain rights applying to the personal information we collect from you, including:

a) under certain circumstances you can request that we erase your personal information and cease further dissemination (including stopping third parties from processing your personal information (Right to be Forgotten);

b) under certain circumstances you can request to receive your personal data in a structured, commonly used and machine-readable format and/or transmit those data to another controller (Right of Portability);

c) you have the right to seek restriction of the processing of your personal information (when we may be storing your personal information but not use it in any way) if you have concerns about the way in which that information is processed or its content or accuracy. Once your concerns have been addressed, the restrictions may be lifted;

d) you have the right to object to the processing of your personal information for direct marketing purposes. Under certain circumstances, we may not be able to comply with your requests. For example, if we required by law to keep the information, if the information is relevant to a legal dispute or we require the information for the purposes of meeting our contractual obligations to you;

e) you have the right not to be subject to a decision based solely on automated processing, including profiling, which may affect our legal rights, for example a refusal of your credit application solely based on that automated processing; and

f) you have the right to complain to the supervising authority regarding the way in which we handle your personal information.

You can also ask us to confirm if we are processing your personal information and if we are, you can ask details regarding:

a) why we are using your information;

b) what information are we using;

c) who we have shared the information with;

d) the period for which your information will be stored, and our criteria to determine that period;

e) the source of your information where it has not been provided by you;

f) the safeguards in place for transfer of personal information to jurisdictions outside of the European Economic Community;

g) the existence of any automated decision-making processes using your data or any profiling; and

h) the transfers of your information to countries outside of the European Economic Community (EEC) territory and the safeguards in place.

Data Sharing Outside the European Economic Community (EEC)

Data on Bridge Learning Management System ("Bridge") is hosted on Amazon Web Services in the United States and European Union. Under GDPR’s requirements any personal data transferred “cross-border”, i.e., outside of the EEC, can be moved pursuant to an authorised legal mechanism.

The Privacy Shield Framework is one legal mechanism to make these cross-border data transfers to the United States legitimate. Instructure/Bridge self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield in November 2017 and the certification remains in good standing, which helps comply with this requirement of the GDPR.

Bridge also uses the European Commission’s Standard Contractual Clauses (model clauses) as an alternative, lawful method to transfer personal data outside the EEC.

16. Contact details and further information

Privacy Officer UK & Ireland
12 Warren Yard, Warren Park
Milton Keynes Buckinghamshire, MK12 5NW
Phone: +44 (0) 1908 318990
Email: privacy.eu@alturalearning.com

Further information about the Australian Privacy Principles and the application of the Act to us can be found at the website of the Office of the Australian Information Commissioner at http://www.oaic.gov.au.

Further information about the General Data Protection Regulation and the application of the GDPR to us can be found at the website of the European Commission at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en.