Mystic Concepts Pty Ltd
Privacy and Information Security Policy
Personal information is defined in s 6(1) of the Privacy Act 1988 as:
“Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or an opinion”
To meet expectations about privacy and confidentiality, Mystic Concepts has operational processes and procedures to comply with:
- Australian Privacy Principles (APPs) contained in the Privacy Act 1988
- Office of the Australian Information Commissioner, Guide to information security, April 2013
This policy does not extend a person's rights or MCPL’s obligations beyond those defined in the legislation. If there is any inconsistency between this policy and the Privacy Act, this policy shall be interpreted to give effect to and comply with the legislation.
This policy includes examples but is not intended to be restricted in its application to such examples. Where the word ‘including’ is used, it shall mean ‘including without limitation’.
When a person gives us their personal information, it imposes a serious responsibility on us. Protecting a person's privacy when handling their personal information is very important to us and is fundamental to the way we serve them.
Generally, MCPL will collect personal information directly from the person, and only to the extent necessary to provide the service, employment and agency function requested or to carry out our internal administrative operations or meet relevant regulatory requirements. An ‘agency function’ means a service that we provide to deliver an article. We may also collect personal information for the purpose of enhancing our ability to improve service delivery to a customer or to accept an article on behalf of our customers.
We may collect personal information from individuals and corporations when they:
- Fill in an application form for employment or to register as an Agent
- Deal with us over the telephone or over web chat
- Register for, or use, our online services
- E-mail us
- Create an account with us
- Participate in an online promotion
- Provide us with feedback
- Complete online surveys
- Contact, register with, post to, like or follow any of our social media websites, pages, forums or blogs
- Ask us to contact them after visiting our website.
We will collect personal information by lawful and fair means.
If a person chooses not to provide their personal information when requested, we may not be able to deliver the service that the person has requested. We will endeavour to make this as clear as possible for each service.
In some cases, where it makes sense and is lawful, a person can interact with us anonymously or by using a pseudonym (an alias). We will endeavour to make this option clear when it is available to them.
As noted above, we will only collect personal information from a person that is necessary to provide the product or service or to carry out internal administrative functions, or any other personal information they submit to us. We collect different personal information depending on the service that has been requested. Some examples include:
Delivery Service: We may also collect personal information from third parties such as drivers, subcontractors, other individuals or any other third party in order to provide our courier and delivery services to them. In such instances we assume the person providing the information is authorised to provide us with their personal information.
Personal information may be collected through the course of fulfilling our Pick-Up & Delivery Services, including but not limited to handling incoming and outgoing mail, article delivery and collection.
Recruitment Process – We collect a range of identity, security and visa clearance documents in order to check eligibility for employment and work rights. These documents require the collection of identity details such as name, address, and proof of identity details (e.g., driver's licence, passport number). We retain a copy to meet our legal obligations. After the retention period is over, this personal information is deleted in a secure manner.
Courier Service – When a person engages us to receive, store or deliver an article, we will capture the details of the article including shipping activities (for tracking purposes), the weight and dimensions of the parcel, and the sender and receiver details. This information allows us to route the package and to respond to queries from both the sender and the receiver. We collect personal information when they communicate with us to inquire, book or pay for our delivery services.
There may be occasions (International Courier Service) when we collect information about a person from a third party where it is a statutory requirement, reasonably necessary or normal business practice to do so. For example, we may request and hold the sender's and receiver's personal information (KYC: Know your customer) for the purpose of customs clearance.
Disclosure of Personal Information
We disclose personal information for the purposes for which it has been collected, as set out above. We may disclose personal information to any of our related group companies. They will only use it for the same purposes that we may under this policy. We may provide personal information to insurers, and also to other third parties for limited purposes, such as to help us in providing services to customers.
Those persons, businesses and other third parties may include:
- Where we have express permission to do so
- Australia Post
- Immigration and Border Protection
- Statutory bodies
- Subcontractors carrying out works
- Couriers and delivery businesses
- Where it can reasonably be inferred from the circumstances that the person consents to the disclosure to the third parties;
- When the organisation merges with another organisation or substantially all of its respective assets are acquired by a third party, in which case personal information which we hold about our customers, contractors and staff may be one of the transferred assets (subject to the same constraints on use and disclosure as under this policy);
- If we are under a duty or authorised to disclose or share personal information in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions; or to protect the rights, property, or safety of our staff or customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. We deal with third parties that are required to meet the privacy standards required by law in handling personal information, and to use personal information only for the purposes for which we gave it to them.
Updating Personal Information
It is inevitable that some personal information which we hold will become out of date. We will take reasonable steps to ensure that the personal information which we hold remains accurate and, if a person advises us of a change of details, we will amend our records accordingly.
Where information has been disclosed to a third party, MCPL will take reasonable steps to notify the third party of the correction.
Risks to Personal Information and Information Security
MCPL has security obligations under the Privacy Act to take reasonable steps to keep personal information safe and secure from unauthorised access, modification or disclosure and also against misuse and loss.
Mystic Concepts is committed to protecting and securing personal information. We employ appropriate technical, administrative and physical procedures to protect personal information from unauthorised disclosure, loss, misuse or alteration. We limit access to personal information to individuals with a business need consistent with the reason the information was provided. We keep personal information only for as long as it is required for business purposes or by the law.
Mystic Concepts protects personal information by complying with Information Security Standards, Industry Schemes and Statutory obligations. We regularly conduct targeted internal and external audits on our security systems to validate the currency of our security practices.
Appropriate security safeguards and measures for protecting personal information have been fully considered in relation to all of the entity’s acts and practices. This could include taking steps and implementing strategies to manage the following:
- Governance: AS/NZS ISO 9001:2015 standard guideline
- ICT security: refer ICT Security Policy
- Data breaches: refer ICT Security Policy
- Physical security:
  - Security and alarm systems are in place to control entry to the workplace
  - Staff movements can be identified from access logs
  - Privacy and security have been considered when designing the workspace
  - Workstations are positioned so that computer screens cannot be easily read by third parties
  - Visitors have designated access areas and do not access the general workplace
  - Employees working on sensitive matters are able to do so in a private/secure space
  - Disposal of personal information is secured; all obsolete documents and records are shredded
  - Secure storage spaces are provided near workstations to secure documents temporarily
  - Lockable cabinets and/or ‘Undivide web base Quality Management Systems’ are used to store the information
- Personnel security and training:
  - Staff have appropriate security clearance?
  - Training is provided for staff and contractors regarding physical, ICT and communications security
  - Staff are informed of changes to policy and procedures or other workplace security requirements
- Workplace policies
- The information life cycle AS/NZS ISO 9001:2015 Standards: International and Australian standards on information security to inform their risk based assessments of threats and vulnerabilities. Internal and external audits in place to ensure compliance with the
- Regular monitoring and review.
Loss of Personal Information
Despite our every effort to protect personal information, there remains the possibility that a breach of our security could occur. In the event of loss of personal information, Mystic Concepts will:
- Seek to rapidly identify and secure the breach to prevent any further breaches
- Engage the appropriate authorities where criminal activity is suspected
- Assess the nature and severity of the breach including the type of personal information involved and the risk of harm to affected individuals
- Notify the affected individuals directly if appropriate and where possible
- If appropriate, put a notice on our website advising our customers of the breach
- Notify the Privacy Commissioner (at the OAIC) if the breach is significant.