The Lantern Legal Group Pty Ltd t/a Harwood Andrews (Harwood Andrews, We, Us, Our) is a Melbourne based law firm dedicated to providing expert advice and legal services (Legal Services) to private enterprise.
Harwood Andrews is an applicable entity under the Australian Privacy Act (Cth) 1988 (Privacy Act) and the Notifiable Data Breaches scheme under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Scheme). In certain circumstances, Harwood Andrews must also comply with privacy-related laws in other countries.
3. Privacy, Personal Information, Personal Data, Employee Records, Credit-Related Personal Information and Tax File Number Personal Information
For the purposes of this Policy, privacy, personal information, personal data, employee record, credit-related personal information, and tax file number personal information (Personal Information, PI, PII) all have the same meaning and outcome: the PI either identifies, or has the potential to identify, an individual.
We make no distinction between employee records and other sources of PI such as general, credit or tax-related PI. Neither do we discriminate between different formats of PI (electronic, paper, voice etc.), nor upon whether the information or opinions are true or not. All PI that We Process (see 5 below) and hold (where We have possession or control of a record) or use and disclose (where the information is outside of Our possession or control) is treated with respect, security and high standards.
4. Sensitive Personal Information
Harwood Andrews processes different categories of PI. While some PI merely has the capacity to identify an individual, other special categories of PI involve genetic and biometric information, physical and mental health, racial, political, religious or philosophical beliefs, sexual orientation, criminal records and professional or trade association information (Sensitive PI). Where Harwood Andrews Processes Sensitive PI, We employ more rigorous controls than for PI that is limited to identifying an individual.
5. Purpose and Audience
The purpose of this Policy is to provide information to interested persons on how We hold, collect, record, organise, structure, store, adapt, alter, retrieve, consult, use, disclose, transmit, disseminate or make available, align, combine, restrict, erase, destroy and profile (Process) PI. It is also to inform affected individuals (You, Your) about how We handle Your PI and inform You of Your rights and choices.
The scope of this Policy extends to all PI that We process in the course of providing Legal Services, in complying with law and managing risk.
In providing Legal Services, this Policy extends to Our professional activities which include our client relationships, internal operations (management, employees, temporary staff, contractors) and external operations (third parties such as regulators, related legal practices and service providers).
The scope of this Policy extends to our external client-facing activities such as Our online presence at www.harwoodandrews.com.au and to the PI that is collected through Our Websites and the use of email for Legal Services, general communications and marketing purposes.
7. Exclusions and Qualifications
As a law firm, Harwood Andrews is bound by rights and obligations that attach to the administration of justice. These include rules about the classification, handling and protection of information, including legal professional privilege which is derived from the common law and from legislation at both a state and federal level. Legal professional privilege is a fundamental right that vests in the client. In the event of a conflict between PI and client rights, client rights, including rights of privilege and confidentiality will prevail.
This Policy is written in language that is intended to be easy to understand. If something is not clear, We invite You to contact Us so that We can provide assistance. Our contact details are provided in section 16 below. We will also provide contact details every time that We contact You, making it easy for You to contact Us to ask questions and to enforce Your rights.
This Policy outlines the current PI handling practices of Harwood Andrews. We will update this Policy when Our information handling practices change, and We will publish updates on Our Website and through Our email distribution lists.
In all cases where consent is required for Us to Process Your PI, whether it be express consent (verbal, in writing, click-wrap tick box), or implied consent (browse-wrap without a tick-box and other behaviour which indicates consent through continued use), You must give it freely, to a specific kind of Processing and You must be informed about the Processing based upon adequate information and the choices available to You. Naturally, You must have the capacity to understand the circumstances for which consent is required and be able to give (for example be 16 years or older) and communicate consent.
Individuals who are not sure about consent or who think We fall short of the consent requirements are encouraged to contact Us. (Section 16 below).
10. Privacy Principles Governing the Handling of Personal Information
Harwood Andrews is committed to making every reasonable effort to manage PI in an open and transparent way.
10.1 Open and Transparent Management of Personal Information
To support this commitment, We have implemented practices, procedures, and systems to align Our handling of PI with principles that have been derived from Australian privacy law, relevant international law, international standards and best practice.
These practices, procedures and systems are intended to regulate Our internal and external Legal Service operations using administrative, technical and physical controls. The legal notices published on Our Website and email communications are examples of Our administrative controls. Technical and physical controls are generally not made public for security reasons (security is sometimes achieved through obscurity).
10.2 Anonymity and Pseudonymity
Under some circumstances, You have the right to choose to remain anonymous (You cannot be identified, and We do not collect PI), or You can choose to use a pseudonym (You can use a name, term or description that is different from Your own) when dealing with Us.
Circumstances where We give individuals the option to remain anonymous or to use a pseudonym include, for example, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified.
Examples of circumstances where We will need to know the identity of the person that We are dealing with relate to the provision of the Legal Services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction of a PI record, and where cost becomes excessive or impractical without knowing the identity of the individual We are dealing with.
10.3 Collection of Solicited Personal Information
We are committed to collecting PI by lawful and fair means and wherever possible only collecting it directly from the individual concerned.
We collect PI from individuals where the information is reasonably necessary for the Legal Services, professional obligations and activities relating to legal services, legal process and to the administration of justice.
In providing Legal Services We also collect Sensitive PI. This Sensitive PI is provided by the individual themselves, by parents and guardians, and by third parties involved in the legal profession and the administration of justice. Where We collect Sensitive PI, We always ask for prior consent in “writing”, where writing includes electronic forms of writing such as email.
Given the nature of legal services, we collect and process PI and Sensitive PI such as: Name; sex; date of birth; language preferences; physical, postal and email address; telephone numbers; occupation; personal, career and criminal history; financial, tax, investment and credit information; identity documents such as travel and drivers licence information; genetic and biometric information, physical and mental health information; information relating to racial, political, religious and philosophical beliefs; sexual orientation and preference, professional or trade association information.
Information collected and processed can vary depending upon the country where the Legal Services are offered. For example, in Australia, we include standard questions for indigenous status, for example Aboriginal or Torres Strait Islander origin (ATSI status).
For internal human resourcing, We collect PI and Sensitive PI, which We may solicit or request from a third party such as an employment agency or referees in the context of employment. From employees, we request third party information such as next-of-kin and medical practitioner details.
In most instances, even for non-sensitive PI where We collect PI, We only do so after a direct request to, and with the consent of the individual to whom the information relates.
In exceptional circumstances, or when authorised or required by law, We will collect PI from some source other than the individual themselves.
10.4 Dealing with Unsolicited Personal Information
PI is sometimes provided to Us in circumstances where We have not requested it. In these circumstances, where the information is unsolicited, We will examine whether it could have been collected under the circumstances in section 10.3 above. We will then apply Our minds and decide whether this unsolicited information should be retained, de-identified or destroyed. Having made that decision, We will implement the decision within a reasonable time.
We do not actively seek to collect unsolicited information.
10.5 Notification of the Collection of Personal Information
This Policy, other legal notices published on Our website and Our internal practices, procedures and systems (administrative controls) are Our way to ensure that individuals know about the PI that Harwood Andrews collects and Processes.
We are committed to making all reasonable efforts to inform individuals about the PI We collect before We collect it, for example by making this Policy and Our other legal notices publicly available. We will inform individuals about the collection of PI at the time We collect PI, for example when clients engage Us to provide Legal Services, through Our website activity and other forms of communication such as email.
In exceptional circumstances where this does not happen, for example, when We receive unsolicited PI from a third party which We decide to retain, We will inform individuals as soon as reasonably possible after the collection of PI. This undertaking does not apply in circumstances relating to civil and criminal procedure.
Through this Policy and other legal notices published on Our Website, We seek to ensure that individuals are informed about the reasons for the collection of PI, and that they know how to contact the accountable office bearers at Harwood Andrews. (Section 16 below).
10.6 Use or Disclosure of Personal Information
Where We hold PI about an individual that was collected for a particular purpose (the primary purpose) We will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect Us to use or disclose it for a related purpose. An example of a related purpose in these circumstances might be disclosure to a next-of-kin or health care provider in the case of an employee.
In some circumstances, for example, where We believe that the Legal Service may be improved through new technologies such as data science (analytics), Artificial Intelligence (AI) or where We see a benefit to individuals, We may use PI that has been provided to Us by the individual themselves or received from third parties for a purpose that is different from the purpose for which it was given to Us in the first place. Where We do this, We will use and/or disclose the PI in a de-identified format.
Broadly speaking, We use (process, handle and manage) PI internally for 2 reasons:
- To provide Legal Services; and
- For internal human resourcing:
We do not collect biometric forms of PI such as fingerprints.
We also use and retain PI records which are required to be retained for legal, professional services (business) and evidential reasons. Sometimes these PI records come from external sources and third parties, such as the courts, law institutes, government agencies, insurance providers, legal service providers, law enforcement agencies and witnesses.
Broadly speaking We disclose PI (release it outside of Our possession or control) for the same primary reasons listed above; providing the service (including third party service providers) for human resourcing, and where there is a legal obligation to do so.
10.7 Direct Marketing
When We provide Legal Services to individuals, We ask for consent to communicate directly with the individual in order to provide information and to promote Our Legal Services.
When We provide Legal Services to juristic entities (companies, trusts, partnerships, not-for-profit organisations), We ask for consent to communicate directly with the individuals concerned (directors, officers, employees etc.) in order to provide information and to promote Our Legal Services.
Whenever We do, We allow individuals to opt-out of receiving direct communications and direct marketing notifications. When individuals request Us to stop communicating with them, We will comply with that request.
If an individual requests information about how We came to have their PI, We will respond, and provide the source of an individual’s PI wherever possible. We will respond to these requests within a reasonable time (thirty (30) business days).
We do not disclose, sell or share PI to third parties for direct marketing purposes.
10.8 Cross-border Disclosure of Personal Information
Harwood Andrews operates from offices in Victoria, Australia. These operations include all aspects of internal operations that support the Legal Services that We provide and include the provision of services that involve PI travelling over telecommunications lines (‘live’ data on switched networks) and the storage of static (archived) PI in data warehouses and on information systems.
Harwood Andrews clients are primarily located in Australia, but may also be located in, or be residents or citizens of the European Union (EU), the United Kingdom (UK), the Asia Pacific (APAC) region or elsewhere, with the result that PI flows (is exported and imported) between these other countries.
Harwood Andrews relies on various third-party service providers such as telecommunications providers, internet service providers, information security, application, ‘cloud’, email, data warehousing and other technology and communications service providers. These are based in Australia, the EU, UK, United States of America (USA) and APEC region.
Because information systems enable Our Legal Services, PI may be located or disclosed in transit (live) and in a static (archived) format in countries outside Australia, in the countries mentioned above, or elsewhere. Wherever reasonably possible, we meet international best practice standards and employ recognised mechanisms such as contractual clauses and other agreements to ensure the security and confidentiality of the PI that We Process under privacy, telecommunications and data laws.
Despite our best efforts, there is no guarantee of security or privacy, and individuals are cautioned to consider how their PI moves and is stored on global information systems and to make appropriate choices.
10.9 Adoption, Use or Disclosure of Government Identifiers
We do not adopt, use or disclose government identifiers of an individual as Our own identifiers.
We do use and disclose government identifiers such as Australian Tax File Numbers, for example, for Legal Services, human resource purposes and where required or authorised by law.
10.10 Quality of Personal Information
We are committed to taking such steps as are reasonable in the circumstances to ensure that the PI We collect, hold, use and disclose is accurate, up-to-date, complete and relevant having regard to the purpose for which it is used or disclosed.
To ensure that Your PI is accurate, up-to-date, complete, and relevant, We ask You to assist Us. We provide various technical means, including email notifications and client communications where You can access, verify and update Your PI records that We hold. See sections 10.12 and 10.13 below.
In the event of an Eligible Data Breach (section 13 below) as defined in the NDB Scheme, We will need to contact You, and We need to know that the information We have to do so is correct. For Your own security, please ensure that We know Your preferred means of communication.
10.11 Security of Personal Information
We are committed to taking reasonable steps to protect PI that We hold from misuse (wrong or improper use), interference (access even where the content is not necessarily modified) and loss (accidental, inadvertent, misplaced PI).
We are committed to securing PI from unauthorised access (by someone that is not permitted to access the information), modification (alteration by someone that is not permitted to do so, or who acts beyond the scope of their authority to modify PI) and unauthorised disclosure (where PI is released from Our effective control without authority).
To comply with law and manage risk, Our practices, procedures, and systems aim to protect the confidentiality, integrity and availability of Our information systems and the information on them, especially the PI that We collect, hold, use and disclose.
Where there is no legal obligation to retain records and evidence, and in circumstances where We no longer need PI to provide Legal Services or for any purpose for which the information may be used or disclosed under Australian law, We take reasonable steps to destroy the information or to ensure that the information is de-identified.
Our information security and privacy practices include circumstances where Our data handling practices are outsourced to third parties. Because of this We endeavour wherever possible to bind third party service providers through appropriate legal agreements. We also endeavour to monitor their privacy and security practices where possible.
10.12 Access to Personal Information
Where We hold or have the right and power to deal with PI (for example, where it is stored by one of Our third-party service providers), We will, on request by an individual, normally give that individual access to their information.
We do this so that individuals know what information We hold on them and because it assists Us to ensure that the PI that We hold is up-to-date, complete, and relevant, and we are able to communicate directly with individuals in the event of a data breach.
In considering a request for access to PI by an individual, We will require identification. We reserve the right not necessarily to give access to an individual to their PI in circumstances, for example, where provided for in law, in instances of commercial sensitivity and where a third party may be negatively affected.
We will respond to an individual’s request for access to their information within a reasonable time (thirty (30) business days), and We will consider reasonable requests for access to be given in a particular format, for example, through user registration login, by facsimile, email and postal services. As a matter of courtesy, We will provide reasons for the refusal if access is refused.
No charge will apply when an access to information request is received. We do however reserve Our rights to charge a fee where We incur costs, for example, for photocopying, postage and costs associated with using an intermediary if one is required.
10.13 Correction of Personal Information
Where We hold PI, We will take reasonable steps to correct it to ensure that, having regard to the purpose for which We hold it, it is accurate, up-to-date, complete, relevant, and not misleading.
You, as an individual may request that We correct PI that We hold about You in circumstances where You believe that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
In considering a request for the correction of PI that We hold, We will require identification of the requesting individual. We reserve the right not necessarily to effect the changes sought but undertake to consider reasonable requests and to associate a statement to the record reflecting Our refusal to correct the failed request for correction if We consider refusal the appropriate action.
We will respond to a request to change information within a reasonable time (sixty (60) business days) although changes sought may take longer, for example, because We may need to contact and notify other organisations and individuals about the request.
No charge applies for making a request, correcting PI or associating a statement for refusal to change a record.
As a matter of courtesy, We will provide reasons for the refusal if correction is refused, and also a reminder of the complaint process available to individuals that feel aggrieved by the refusal.
11. Complaints, Enquiries and Access to Information Requests
In most circumstances, the Australian Information Commissioner will not investigate a complaint if an individual has not first raised the matter with Us. For this reason, We ask individuals to agree to submit all complaints relating to this Policy to Us first, so that We have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to Us at email@example.com and to see sections 12 and 16 below for further details.
12. How to make a Complaint, Enquiries and Access to Information Requests
Individuals wanting to lodge a complaint can make general enquiries, request access to their information and complain to Us in writing. Writing includes email communications but excludes text and social media platforms.
We will respond to complaints within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed, for example, because We may need to contact and notify other organisations and individuals affected by the complaint. In this case We will endeavour to respond within sixty (60) business days.
13. Eligible Data Breach
Under the NDB Scheme, Harwood Andrews must notify the Australian Privacy Commissioner and affected individuals of an Eligible Data Breach in relation to PI, credit reporting information, credit eligibility information or tax file number information if, and when:
- There is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
- The information is lost, and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to individuals.
13.1 Actual Eligible Data Breach
If, and when, Harwood Andrews becomes aware of a breach of its network or information systems resulting in the circumstances outlined in 13a and 13b above, Harwood Andrews will:
- Take remedial action;
- Where remedial action fails to adequately limit the risk, notify the individuals concerned, and notify the Office of the Australian Information Commissioner (Commissioner); and
- Work with the individuals concerned and the Commissioner to protect everyone and everything concerned.
13.2 Suspected Eligible Data Breach
If, and when, Harwood Andrews suspects a breach of its network or information systems resulting in the circumstances outlined in 13a and 13b above, Harwood Andrews will:
- Undertake an assessment of the situation with a view to establishing the facts; and do so within a reasonable time (thirty (30) business days).
- When a suspected breach is found to be an actual breach, Harwood Andrews will follow the steps in 13.1 above.
If any person suspects or becomes aware of a breach or an impending breach, please contact Us as a matter of urgency on firstname.lastname@example.org
14. Governing Law
15. Skill, Diligence, Care
Harwood Andrews will exercise reasonable skill, diligence and care as may reasonably be expected from a similar service provider.
16. Company Information
Name: The Lantern Legal Group Pty Ltd
Physical address: 70 Gheringhap Street, Geelong, VIC, 3220
Postal address: PO Box 101, Geelong, VIC, 3220
Phone numbers: 03 5225 5225
Website address: www.harwoodandrews.com.au
Email address: email@example.com
ABN: 98 076 868 034