1 Policy Statement
The objective of this Policy is to ensure that a sound Privacy foundation and framework is established and maintained by Sara Lee. Further, this statement will communicate to the public the type of Personal Information Sara Lee holds, the purpose for which it is held and the manner in which personal information is collected, held, used and disclosed. It will also provide Sara Lee with a clear guide or direction on these matters.
For the purposes of this Policy Statement, “Personal Information” means information which enables an individual to be identified, and includes the individual’s name, address, telephone number, email address and the like, and “Sara Lee” means the Kitchens of Sara Lee (ABN 99 000 629 587), and where the context so dictates, its employees, contractors and agents.
The Privacy Officer will be responsible for informing employees and other relevant parties that a policy and related procedures for Personal Information are established, maintained and enforced at Sara Lee. The Privacy Officer will also be responsible for communicating changes or the creation of new policy and procedures in a timely manner.
Employees and other relevant parties doing business with Sara Lee must ensure they understand and adhere to the Policy implemented for the management of Personal Information and that they maintain an up-to-date knowledge of any changes to the Policy.
3 Privacy Training
All employees will be provided with access to the Policy for the management of Personal Information. They will also be provided with opportunities to attend awareness training periodically.
3.01 New Employees – As part of Sara Lee’s Induction Process, all new employees will be provided with access to and training on this Policy.
3.02 Existing Employees – All existing Sara Lee employees will be provided with access to periodic training on this Policy.
If a Sara Lee employee or relevant third party knows of or suspects a breach of this Policy, they must immediately report it to the Privacy Officer.
Employees or relevant third parties who contravene or do not comply with the Policy for the management of Personal Information may be subjected to disciplinary action.
4.01 Non-compliance is defined as follows:
- a breach of this Policy;
- the compromise of Privacy controls exposing Sara Lee to potential or actual loss, whether that be monetary loss or otherwise;
- any action that may be illegal or perceived to be harassing, offensive or that may adversely affect Sara Lee’s reputation or integrity;
- an attempt, whether successful or not, to gain unauthorized access to Sara Lee’s information systems resources;
- the unauthorized use of Sara Lee’s information;
- the refusal to cooperate with an investigation;
- unauthorized access, viewing, disclosure or manipulation of Sara Lee’s confidential data, information, applications, systems and information system resources; and
- using the assistance of or soliciting a third party to circumvent this Policy.
Any such breach will also be deemed as a breach of the Corporation’s Global Business Standards.
4.02 Disciplinary action for non-compliance with this Policy is within management’s discretion, and will have regard to the seriousness and/or effect of the non-compliance and may include but will not be limited to the following:
- further education and training;
- the issuing of a warning;
- suspension of system access rights;
- financial penalties and recovery of costs associated with the non-compliance;
- immediate dismissal;
- termination of contractual arrangements;
- civil action or criminal prosecution; and/or
- other disciplinary actions.
5 Kitchens of Sara Lee’s commitment to Privacy
Other than the contents of this statement, Sara Lee is governed by the statutory principles known as the National Privacy Principles enunciated in the Amended Privacy Act.
5.01 Sara Lee will maintain the relevant and necessary processes and procedures to ensure compliance with the National Privacy Principles.
5.02 Sara Lee will conduct periodic privacy audits to ensure compliance with the relevant statutory requirements. The audit process will ensure that appropriate enquiries are made to identify:
- the type of personal or sensitive information collected and held;
- how the information is collected;
- the reasons for the collection;
- where and how the information is stored;
- how the information is secured;
- who has access to that information;
- whether that information is shared by anyone;
- whether the intended use or purpose of collection is communicated to those supplying that information; and
- whether that information is current, up-to-date and necessary.
Sara Lee operates in accordance with the following privacy principles:
6 Collection (Principle 1)
Personal Information must only be collected by Sara Lee if it is necessary for its activities and it must be collected by fair, lawful, non-intrusive means. The individual whose Personal Information is being collected must be told the name of the company collecting the information, the purpose of the collection, and to whom it may be disclosed.
Where Personal Information about an individual is collected from a third party, Sara Lee must take reasonable steps to ensure that the individual is or has been made aware of the matters listed above.
6.01 Sara Lee will not collect Personal Information, unless the information is necessary for one or more of Sara Lee’s business functions.
6.02 Sara Lee will only collect Personal Information by lawful and fair means and not in an unreasonably intrusive way.
6.03 As soon as practicable after Sara Lee collects Personal Information about an individual from the individual, Sara Lee will take reasonable steps to ensure that the individual is aware of:
- the identity of Sara Lee and how to contact it;
- the fact that he or she is able to gain access to the personal information held;
- the purposes for which the information is collected;
- the organisations (or the types of organisations) to which Sara Lee usually discloses information of that kind;
- any law requiring the Personal Information to be collected; and
- the main consequences (if any) for the individual if all or part of the information is not provided.
6.04 To the extent that it is practical to do so, Sara Lee will only collect Personal Information about an individual from that individual.
6.05 If Sara Lee collects Personal Information from a third party, that is from someone other than the individual, Sara Lee will take reasonable steps to ensure that the individual is or has been made aware of the matters listed in procedure 6.03 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of the individual.
7 Use and Disclosure (Principle 2)
Sara Lee should only use or disclose Personal Information if that use or disclosure is the purpose for which it was collected, unless the person has consented to a secondary use, or the secondary use is directly related to the primary use and such a use or disclosure would be reasonably expected by the person. This may also be permitted if the use or disclosure is for direct marketing in specific circumstances, or where there is a public interest such as law enforcement and for the public’s or the individual’s health or safety.
Personal Information about an individual will not be used for a purpose (“secondary purpose”) other than the purpose for which it was collected unless:
- the individual has consented to that use or disclosure; or
- the individual would reasonably expect the information to be used or disclosed for that secondary purpose; or
- the primary and secondary purposes are directly related; or
- if the information is not Sensitive Information and the use of the information is for the secondary purpose of direct marketing, and:
  - it is impractical for Sara Lee to seek the individual’s consent before that particular use; or
  - the individual has the opportunity to request Sara Lee that he or she not receive direct marketing communications; and
  - the individual has not requested that he or she not receive direct marketing communications; and
  - in each direct marketing communication with the individual, Sara Lee draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and
  - each written direct marketing communication by Sara Lee with the individual (up to and including the communication that involves the use) sets out Sara Lee’s business address and telephone number and, if the communication with the individual is made by fax or other electronic means, a number or address at which Sara Lee may be directly contacted electronically;
- Nothing in this Policy is intended to:
  - deter Sara Lee from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions; or
  - override any existing legal obligations to disclose Personal Information; or
  - require Sara Lee to disclose Personal Information. Sara Lee is always entitled not to disclose Personal Information in the absence of a legal obligation to do so.
- If Sara Lee uses or discloses Personal Information for a secondary purpose to an enforcement body, for the enforcement of law or for any court process, the person making the disclosure will keep a written record of the use or disclosure.
7.01 Except as otherwise may be provided for herein, Sara Lee will not disclose Personal Information about an individual for any purpose other than the primary purpose of collection.
7.02 If Sara Lee discloses Personal Information it must do so in accordance with this Policy.
8 Data Quality (Principle 3)
Reasonable steps will be taken to ensure that the Personal Information that Sara Lee collects, uses or discloses is accurate, complete and up‑to‑date. This means that there will be regular reviews of this information.
8.01 Sara Lee will take steps which are reasonable in the circumstances to seek to ensure the accuracy, completeness and currency of the Personal Information collected, used or disclosed by conducting regular reviews and audits.
8.02 In order to ensure compliance, Sara Lee may seek to verify the accuracy, completeness and currency of the Personal Information held with the individual whenever Sara Lee is in communication with the individual or will provide the individual with the opportunity in such correspondence or communication, to provide such verification.
9 Data Security (Principle 4)
Sara Lee will take proper steps to protect the Personal Information it holds from misuse, loss, unauthorised access, modification or disclosure. This means where data is stored in a computer, having password access and where in hard copy form, in locked filing cabinets. Reasonable steps will also be taken to destroy or permanently de‑identify Personal Information if it is no longer needed for the purpose for which it was acquired. Sara Lee cannot maintain Personal Information if it is not actually needed to be used in the course of Sara Lee carrying on its business activities.
9.01 Sara Lee will take reasonable steps to protect the Personal Information it holds from misuse and loss, and from unauthorised access, modification or disclosure.
9.02 In order to protect the Personal Information it holds, Sara Lee will ensure that where such information is kept in hard copy form, it will be stored in filing cabinets which will be kept locked to prevent unauthorised access. The keys to such filing cabinets will be kept controlled and secured to limit access to this Personal Information only to authorised personnel. Where such information is kept electronically, Sara Lee will ensure computers are secured by the use of password access. Such passwords will not be shared and will be changed on a regular basis.
9.03 Sara Lee will take reasonable steps, such as carrying out periodic audits, to identify information no longer needed for the purpose for which it was collected or a related secondary purpose and will destroy or permanently de-identify such Personal Information where it is determined that it is no longer needed.
10 Openness (Principle 5)
Sara Lee will make this document available to anyone requesting it and may make it readily available in some other medium.
Upon request Sara Lee will also take reasonable steps to let individuals know, generally, what sort of Personal Information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
10.01 Sara Lee will maintain this Policy and will make it readily available and appropriately accessible. Accordingly, where practical to do so, Sara Lee will post this document on an internal database or on a public internet site or will make provision of a hard copy of this Policy.
10.02 Where an individual makes a request for information concerning Personal Information, Sara Lee will take reasonable steps to let the individual know the type of information Sara Lee holds, for what purpose the information is held, how it is collected, held, used and disclosed.
11 Access and Correction (Principle 6)
In most cases, Sara Lee will give individuals access to their personal information, upon the individual making such a request in the prescribed form attached. This is to be coordinated through the Privacy Officer. In these circumstances, this individual will have to verify his or her identity on the prescribed form by supplying their name, address and any other information necessary to verify their identity before access will be provided. Sara Lee will give reasons to the individual for any denial of a request for access or refusal to correct Personal Information.
- If the Privacy Officer cannot resolve a matter concerning access or correction of Personal Information within 10 days of receipt of the request, the Privacy Officer will advise the individual to lodge a Complaint to commence the formal complaint process.
- Where a fee is charged for providing access to Personal Information, that fee:
  - will not be excessive; and
  - will not apply to lodging a request for access.
- If Sara Lee holds Personal Information about an individual and the individual is able to establish that the information is not accurate, complete and up‑to‑date, Sara Lee will take reasonable steps to correct the information so that it is accurate, complete and up‑to‑date.
- If the individual and Sara Lee disagree about whether the information is accurate, complete and up‑to‑date, and the individual asks Sara Lee to associate with the information a statement claiming that the information is not accurate, complete or up‑to‑date, Sara Lee will take reasonable steps to do so.
11.01 If Sara Lee holds Personal Information about an individual, Sara Lee will wherever possible provide the individual with access to the information upon a request by the individual except in circumstances where this Policy or the National Privacy Principles prohibit such access.
11.02 In order to gain access to his or her Personal Information, the individual must make a formal request for access. Such a request by an individual will only be considered by Sara Lee after the individual provides the relevant information in the form required (such as in writing). This information will be required to satisfy Sara Lee of the individual’s identity so as to avoid any unauthorised disclosure of Personal Information. An example of a proforma is attached to this document.
11.03 Upon the making of a request in an acceptable form, the matter will be referred for consideration by the Privacy Officer. The Privacy Officer will consider the request and will decide whether to grant or refuse access by reference to this Policy and the National Privacy Principles.
11.04 Sara Lee may deny an individual direct access to Personal Information but where providing access would reveal evaluative information generated within Sara Lee in connection with a commercially sensitive decision making process, Sara Lee may provide an individual with an explanation of the information.
11.05 Sara Lee may charge for providing access to Personal Information but the charges must not be excessive, must be reasonable in the circumstances and must not apply to the lodging of a request for access. These charges may relate to, for example, photocopying of documentation or for the administration of the request.
11.06 If Sara Lee holds information about an individual and the individual is able to establish that the information is not accurate, complete or up-to-date, Sara Lee must take reasonable steps to correct the information.
11.07 If there is disagreement between Sara Lee and the individual about whether or not the Personal Information held is accurate, complete or up-to-date, then if the individual claiming that the information is not accurate, complete or up-to-date requests a statement from Sara Lee then Sara Lee must take reasonable steps to provide such a statement.
11.08 If Sara Lee denies an individual access or refuses to correct Personal Information, then Sara Lee must provide reasons for doing so.
12 Identifiers (Principle 7)
Sara Lee will not adopt, use or disclose an identifier assigned by a government agency.
12.01 Sara Lee will not adopt an identifier such as a tax file number, Medicare number or any other such number assigned to an individual by a government agency as its own.
12.02 Sara Lee will not use or disclose an identifier assigned to an individual by a government agency unless in accordance with this Policy and the National Privacy Principles.
12.03 An identifier includes a number assigned by an organisation to an individual to identify the individual uniquely for the organisation’s operations. An individual’s ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.
13 Anonymity (Principle 8)
Where it is practicable and lawful, individuals will have the option of not identifying themselves when dealing with Sara Lee.
13.01 In circumstances where it is appropriate, practicable and lawful, Sara Lee will allow individuals the option of not identifying themselves when entering into a transaction with Sara Lee.
14 Transborder Data Flows (Principle 9)
Sara Lee will only transfer Personal Information to a recipient outside of Australia in circumstances where Sara Lee’s Policy on Personal Information will not be breached and where:
- The individual consents; or
- The recipient of the Personal Information subscribes to a regime that is similar to Sara Lee’s Policy for the management of Personal Information; or
- The transfer is necessary for the conclusion or the performance of a contract to which the individual has an interest.
14.01 Sara Lee may only transfer Personal Information about an individual to someone outside Australia if this Policy and the National Privacy Principles permit such a transfer.
15 Sensitive Information (Principle 10)
- Sara Lee will not collect Sensitive Information about an individual unless:
  - the collection is required or authorised by law; or
  - the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns is physically or legally incapable of giving consent to the collection; or
  - the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
15.01 Sara Lee will not collect Sensitive Information or Health Information except in accordance with this Policy and the National Privacy Principles.
16 Complaints Handling Process
Sara Lee has a complaints handling process to handle any risks or issues with respect to Personal Information. If an individual thinks that Sara Lee has breached the individual’s privacy with respect to Personal Information held, the individual may lodge a Complaint with the Privacy Officer.
The complaint should set out the following details:
- The Complainant’s name and contact details;
- The name and contact details of Sara Lee;
- A brief outline of the Complaint; and
- A brief outline of how the subject matter of the Complaint was dealt with by Sara Lee.
Sara Lee has a formal Complaints Procedure, which will be followed once a Complaint is lodged.
16.01 An appropriate system will be maintained by Sara Lee to manage, address and resolve privacy related incidents, complaints and breaches relating to this Policy.
16.02 Any incident, complaint or possible breach must be immediately referred to the Privacy Officer to manage and resolve.
16.03 An incident/complaint register will be established and maintained by the Privacy Officer in order to record privacy related incidents, complaints and breaches relating to this Policy.
A Complaint must be immediately forwarded to the Privacy Officer.
If the Privacy Officer assesses the Complaint and does not consider there to have been a breach of the individual’s privacy, the Privacy Officer must inform the Complainant in writing within 10 days of the date of receipt of the Complaint that:
- Based on the information provided by the Complainant there does not appear to be a breach or a need to amend the information; and
- Where the Complainant is not satisfied with the Privacy Officer’s response, the Complainant may request a review of this decision by the Group Counsel who was not involved in making the initial decision.
Upon receiving a request for a review of the Privacy Officer’s decision (that the Complaint does not amount to a breach), the Privacy Officer must forward the request to the Group Counsel for review within 10 days of the request.
Where the Privacy Officer considers that Sara Lee may have breached the individual’s Privacy, the Privacy Officer will direct Sara Lee to comply with Sara Lee’s Policy on Personal Information and will advise the Complainant in writing. The Privacy Officer shall also advise the Complainant of the option of forwarding the matter to the Group Counsel for review of the Privacy Officer’s decision if the Complainant remains aggrieved.
If within 14 days Sara Lee disputes the Complaint, or is not able to demonstrate compliance, the Privacy Officer must refer the Complaint to the Group Counsel.
Upon receiving the Complaint, the Group Counsel may:
- Direct the Privacy Officer to provide reasons for the Privacy Officer’s decision;
- Cause the Privacy Officer to convene a meeting, which may be by telephone conference, of the relevant Sara Lee personnel regarding the alleged breach. The Group Counsel may, at his or her discretion, invite the Complainant to participate in this meeting, whether it is in person or by written submission.
Upon reviewing the Complaint, and the Privacy Officer’s response, the Group Counsel may:
- Resolve not to pursue the alleged breach; or
- Direct Sara Lee to adopt a certain course of action.
The Group Counsel must within 10 days of a meeting or of the making of a decision, advise Sara Lee and the Complainant of the results of his or her review and may provide reasons for such a decision. The Group Counsel must also advise the Complainant of the option of referring the matter to the Privacy Commissioner if the Complainant remains aggrieved.
Includes (but not limited to) –
- Address (business & private)
- Telephone & fax numbers (business & private)
- E-mail address
Includes an individual’s –
- Racial or ethnic origin
- Political opinions
- Membership of a political association
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of a professional or trade association
- Membership of a trade union
- Sexual preferences or practices, or
- Criminal record