This Privacy Policy applies to all users of Our website at https://pawba.com.au and all other persons who  provide us with their personal information in the normal course of our business. This policy forms part of every agreement made online for the purchase of services from Us.  In this Privacy Policy, “We” or “Us” means Pawba Pooch + Peeps Bus Tours, and “You” means a person in respect of whom We have collected personal information, and “Our” and “Your” have corresponding meanings. Each of the titled sections below will be referred to as a “Policy”, and each of the numbered paragraphs of those Policies will be referred to as a “paragraph”. The Policies and paragraphs are intended to mirror the Principles and clauses of the Australian Policy Principles, with their language modified as necessary to be implementable, practical, relevant consistent and readable.  Any inconsistency between this Privacy Policy and the Australian Policy Principles is unintentional, and in such a case the wording of the relevant part of the Australian Policy Principles will apply and the inconsistent language of this Policy must be ignored. References to “the Act” or to the “Privacy Act” are to the Privacy Act 1988 (Cth) as amended, and its regulations. References to “APP” are to the Australian Policy Principles contained in the Privacy Act, as amended. The Appendix sets out relevant definitions from the Act. We may update this Privacy Policy from time to time in order to implement any changes to the law or to improve it.

1 Open and transparent management of personal information

1.1      The object of this principle is to ensure that We manage Your personal information in an open and transparent way.

1.2      We will take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to Our functions or activities that will ensure that We comply with the Australian Privacy Principles and a registered APP code (if any) that binds Us; and that will enable Us to deal with inquiries or complaints from individuals about Our compliance with the Australian Privacy Principles or such a code.

1.3      We have provided this statement as Our clearly expressed and up-to-date policy (the privacy policy) about the management of Your personal information by Us.

1.4   Without limiting paragraph 1.3, this privacy policy contains the following information:

  1. the kinds of personal information that We collect and hold;
  2. how We collect and hold personal information;
  3. the purposes for which We collect, hold, use and disclose personal information;
  4. how an individual may access personal information about the individual that is held by Us and seek the correction of such information;
  5. how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds Us, and how We will deal with such a complaint;
  6. whether We are likely to disclose personal information to overseas recipients; and
  7. if We are likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in this policy.

1.5   We will take such steps as are reasonable in the circumstances to make this privacy policy available:

  1. free of charge; and
  2. in such form as is appropriate.

Note: We are making this privacy policy available on Our website.

 

1.6  If a person or body requests a copy of this privacy policy of an APP entity in a particular form, We will take such steps as are reasonable in the circumstances to give the person or body a copy in the requested form.

 

2 Anonymity and pseudonymity

2.1  In our dealings with individuals, they will have the option of not identifying themselves, or of using a pseudonym, when dealing with Us in relation to a particular matter, except where paragraph 2.1 applies.

2.2  Paragraph 2.1 does not apply where:

  1. We are required or authorised by or under an Australian law, or a court/ tribunal order, to deal only with individuals who have identified themselves; or
  2. it is impracticable for Us to deal with individuals who have not identified themselves or who have used a pseudonym, in relation to the relevant matter.

3 Collection of solicited personal information

3.1  This part of the privacy policy relates to the collection of solicited personal information.

3.2   If at any time We meet the definition of an “organisation” under the Privacy Act 1988, We will not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of Our functions or activities.

3.3  We will not collect sensitive information about an individual unless:

  1. the individual consents to the collection of the information and, if we are an organisation—the information is reasonably necessary for one or more of Our functions or activities; or
  2. paragraph 3.4 applies in relation to the information.

3.4  This paragraph applies in relation to sensitive information about an individual if:

  1. the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or
  2. a permitted general situation exists in relation to the collection of the information by Us; or
  3. We are an organisation as defined by the Privacy Act and a permitted health situation exists in relation to the collection of the information by Us.

3.5   We will collect personal information only by lawful and fair means.

3.6      We will collect personal information about an individual only from the individual. Where We are expressly authorised by the individual to collect personal information from another source, but can collect the same information from the individual, we will use Our reasonable endeavours to obtain that information from the individual first and will resort to the third party only if we are unable to do so within a reasonable time frame having regard to the circumstances.

3.7    This Policy No.3 applies to the collection of personal information that is solicited by Us. 

 

4 Dealing with unsolicited personal information

4.1 If:

  1. We receive personal information; and
  2. We did not solicit the information;

We must, within a reasonable period after receiving the information, determine whether or not We could have collected the information under policy No.3 if We had solicited the information.

4.2   We may use or disclose the personal information for the purposes of making the determination under paragraph 4.1.

4.3 If:

  1. We determine that We could not have collected the personal information; and
  2. the information is not contained in a Commonwealth record; We must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.

4.4  If paragraph 4.3 does not apply in relation to the personal information, Policies 5 to 13 will apply in relation to the information as if We had collected the information under Policy 3.

 

5 Notification of the collection of personal information

5.1  At or before the time or, if that is not practicable, as soon as practicable after, We collect personal information about an individual, We will take such steps (if any) as are reasonable in the circumstances:

  1. to notify the individual of such matters referred to in paragraph 5.2 as are reasonable in the circumstances; or
  2. to otherwise ensure that the individual is aware of any such matters.

5.2  The matters for the purposes of paragraph 5.1 are as follows:

  1. Our identity and contact details;
  2. if:
  3. We collect the personal information from someone other than the individual; or
  4. the individual may not be aware that the We have collected the personal information; the fact that We so collect, or have collected, the information and the circumstances of that collection;
  5. if the collection of the personal information is required or authorised by or
    under an Australian law or a court/tribunal order—the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/tribunal order, that requires or authorises the collection);
  6. the purposes for which We collect the personal information;
  7. the main consequences (if any) for the individual if all or some of

the personal information is not collected by Us;

  1. any other entity, body or person, or the types of any other entities, bodies or persons, to which the We usually disclose personal information of the kind collected by Us;
  2. that Our privacy policy of the We contains information about how the individual may access the personal information about the individual that is held by Us and seek the correction of such information;
  3. that Our privacy policy contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds Us, and how We will deal with such a complaint;
  4. whether We are likely to disclose the personal information to overseas recipients;
  5. if the We are likely to disclose the personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.

6 Use or disclosure of personal information

6.1  If We hold personal information about an individual that was collected for a particular purpose (the primary purpose), We must not use or disclose the information for another purpose (the secondary purpose) unless:

  1. the individual has consented to the use or disclosure of the information; or
  2. paragraphs 6.2 or 6.3 apply in relation to the use or disclosure of the information.

Note: Policy 8 reflects legal requirements under the Act for the disclosure of personal information to a person who is not in Australia or an external Territory.

6.2  This paragraph applies in relation to the use or disclosure of personal information about an individual if:

  1. the individual would reasonably expect Us to use or disclose the information for the secondary purpose and the secondary purpose is:
  2. if the information is sensitive information—directly related to the primary purpose; or
  3. if the information is not sensitive information— related to the primary purpose; or
  4. the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
  5. a permitted general situation exists in relation to the use or disclosure of the information by Us; or
  6. We are organisation and a permitted health situation exists
    in relation to the use or disclosure of the information by Us; or
  7. We reasonably believe that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

6.4 If:

  1. If We at any time are an organisation within the meaning of the Privacy Act; and
  2. subsection 16B(2) of the Act applies in relation to the collection of personal information by Us;

We must take such steps as are reasonable in the circumstances to ensure that the information is de-identified before We disclose it in accordance with paragraphs 6.1 or 6.2.

6.5      If We use or disclose personal information in accordance with paragraph 6.2(e), We will make a written note of the use or disclosure.

6.6   If We collect personal information from a related body corporate; this Policy 6 applies as if Our primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.

6.7    This principle does not apply to the use or disclosure by Us, if we are an organisation within the meaning of the Privacy Act, of:

  1. personal information for the purpose of direct marketing; or
  2. government-related identifiers.

7 Direct marketing

7.1      If We hold personal information about an individual, We must not use or disclose the information for the purpose of direct marketing.

7.2      Despite paragraph 7.1, We may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

  1. We collected the information from the individual; and
  2. the individual would reasonably expect the organisation to use or disclose the information for that purpose; and
  3. We provide a simple means by which the individual may easily request not to receive direct marketing communications from Us; and
  4. the individual has not made such a request to Us.

7.3   Despite paragraph 7.1, if We are an organisation within the meaning of the Act, We may use or disclose personal information (other than sensitive information) about an individual, for the purpose of direct marketing if:

  1. We collected the information from:
  2. the individual and the individual would not reasonably expect Us to use or disclose the information for that purpose; or
  3. someone other than the individual; and
  4. either:
  5. the individual has consented to the use or disclosure of the information for that purpose; or
  6. it is impracticable to obtain that consent; and
  7. We provide a simple means by which the individual may easily
    request not to receive direct marketing communications from Us; and
  8. in each direct marketing communication with the individual:
  9. We will include a prominent statement that the individual may make such a request; or
  10. We otherwise will draw the individual’s attention to
    the fact that the individual may make such a request; and
  11. the individual has not made such a request to Us.

7.4   Despite paragraph 7.1, if We are an organisation We may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.

7.5      Despite paragraph 7.1, if We are an organisation within the meaning of the Act, We may use or disclose personal information for the purpose of direct marketing if We are a contracted service provider for a Commonwealth contract; and

  1. We collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
  2. the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

7.6  If We are an organisation as within the meaning of the Act and We use or disclose personal information about an individual:

  1. for the purpose of direct marketing by Us; or
  2. for the purpose of facilitating direct marketing by other organisations; the individual may:
  3. if paragraph (a) applies—request not to receive direct marketing communications from Us; and
  4. if paragraph (b) applies—request Us not to use or disclose the information for the purpose referred to in that paragraph; and
  5. request the Us to provide its source of the information.

7.7   If an individual makes a request under paragraph 7.6, We must not charge the individual for the making of, or giving effect to, the request and:

  1. if the request is of a kind referred to in paragraphs 7.6(c) or (d)— We must give effect to the request within a reasonable period after the request is made; and
  2. if the request is of a kind referred to in paragraph 7.6(e)— We will, within a reasonable period after the request is made, notify the individual of its source unless it is impracticable or unreasonable to do so.

7.8  This Policy No.7 does not apply to the extent that any of the following apply:

  1. the Do Not Call Register Act 2006;
  2. the Spam Act 2003;and
  3. any other Act of the Commonwealth, or a Norfolk Island enactment, prescribed by the regulations made under the Privacy Act.

8 Cross-border disclosure of personal information

8.1  Before We disclose personal information about an individual to a person (the overseas recipient):

  1. who is not in Australia or an external Territory; and
  2. who is not Us or the individual;

We must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Principle 1) in relation to the information.

 

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C of the Privacy Act, to have been done, or engaged in, by Us and to be a breach of the Australian Privacy Principles.

8.2      Paragraph 8.1 does not apply to the disclosure of personal information about an individual by Us to the overseas recipient if:

  1. We reasonably believe that:
  2. the recipient of the information is subject to a law, or a binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
  3. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
  4. both of the following apply:
  5. We expressly inform the individual that if he or she consents to the disclosure of the information, paragraph 8.1 will not apply to the disclosure; and
  6. after being so informed, the individual consents to the disclosure; or
  7. the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
  8. a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of the Act) exists in relation to the disclosure of the information by Us,

Note: For what is a “permitted general situation”, see section 16A of the Privacy Act.

 

8.3     Please note that We may not necessarily be aware if an online payment services provider whom We use to provide a payment services portal on our website is sending information outside Australia for processing.  That activity is undertaken by the payment services provider, not by Us, and is normally beyond Our control.  In general, if the computer servers used by such a provider for processing payments are located outside Australia then the processing would probably be subject to the laws of the country where that processing is taking place.  If You are concerned about the security of Your personal information disclosed to the payment services provider then You must take care to review their privacy policy before providing that data and completing your payment transaction.

 

9 Adoption, use or disclosure of government-related identifiers

9.1        We will not adopt a government-related identifier of an individual, such as their Medicare number, as Our identifier of the individual unless that action is expressly authorised by law.

10 Quality of personal information

10.1 We will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that We collect is accurate, up-to-date and complete.

10.2 We will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that We use or disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

11 Security of personal information

11.1 If We hold personal information, We will take such steps as are reasonable in the circumstances to protect the information:

  1. from misuse, interference and loss; and
  2. from unauthorised access, modification or disclosure.

11.2 If:

  1. We hold personal information about an individual; and
  2. We no longer need the information for any purpose for which the information may be used or disclosed by Us under the Privacy Act; and
  3. the information is not contained in a Commonwealth record; and
  4. We are not required by or under an Australian law, or a court/tribunal order, to retain the information; We will take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

12 Access to personal information

12.1 If We hold personal information about an individual, We must, on request by the individual, give the individual access to the information.

12.2 If We refuse:

  1. to give access to the personal information; or
  2. to give access in the manner requested by the individual;

We will take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of Us and the individual.

12.3 Without limiting paragraph 12.1, access to personal information may be given through a mutually agreed intermediary.

12.4 If We charge an individual for access to their personal information; the charge will not be excessive and must not apply to the making of the request.

12.5 If We refuse to give access to personal information, or to give access in the manner requested by the individual, We must give the individual a written notice that sets out:

  1. the reasons for the refusal (except to the extent that, having regard to the grounds for the refusal, it is not reasonably necessary to explain those reasons in any further detail); and
  2. the mechanisms available to complain about the refusal; and
  3. any other matter prescribed by the regulations made under the Act.

12.6 If We refuse to give access to personal information, the reasons for the refusal may include an explanation that the decision was based on grounds of commercial sensitivity, where the Privacy Act permits that to be a reason for refusal.

13 Correction of personal information

13.1 If:

  1. We hold personal information about an individual; and
  2. either:
  3. We are satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; or
  4. the individual requests Us to correct the information; We will take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.

13.2 If:

  1. We correct personal information about an individual that We previously disclosed to another entity; and
  2. the individual requests Us to notify the other entity of the correction; We must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

13.3 If We refuse to notify another entity of a correction of personal information as requested by an individual, We must give the individual a written notice that sets out:

  1. the reasons for the refusal (except to the extent that, having regard to the grounds for the refusal, it is not reasonably necessary to explain those reasons in any further detail); and
  2. the mechanisms available to complain about the refusal; and
  3. any other matter prescribed by the regulations made under the Privacy Act.

13.4 If:

  1. We refuse to correct the personal information as requested by an individual; and
  2. the individual requests Us to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; We must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

13.5 If a request is made as described in  13.1 or 13.4, We:

  1. must respond to the request within a reasonable period after the request is made; and
  2. must not charge the individual for making the request, for correcting the personal information or for associating a statement with the personal information (as the case may be).

Appendix -Definitions

In the Privacy Act, the following definitions apply:

1 Definition of personal information

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

2 Definition of sensitive information

Sensitive information means:

  1. information or an opinion about an individual’s:
  2. racial or ethnic origin; or
  3. political opinions; or
  • membership of a political association; or
  1. religious beliefs or affiliations; or
  2. philosophical beliefs; or
  3. membership of a professional or trade association; or
  • membership of a trade union; or
  • sexual orientation or practices; or
  1. criminal record;

that is also personal information; or

  1. health information about an individual; or
  2. genetic information about an individual that is not otherwise health information; or
  3. biometric information that is to be used for the purpose of automated

biometric verification or biometric identification; or

  1. biometric templates.

3 Definition of “Organisation”

(1) Organisation means:

(a)  an individual; or

(b)  a body corporate; or

(c)  a partnership; or

(d)  any other unincorporated association; or

(e)  a trust;

that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.

Note: Regulations may prescribe an instrumentality by reference to one or more classes of instrumentality. See subsection 13(3) of the Legislative Instruments Act 2003.

 

Example: Regulations may prescribe an instrumentality of a State or Territory that is an incorporated company, society or association and therefore not a State or Territory authority.

 

 

 

Legal person treated as different organisations in different capacities

 

(2)  A legal person can have a number of different capacities in which the person does things. In each of those capacities, the person is taken to be a different organisation.

 

Example: In addition to his or her personal capacity, an individual may be the trustee of one or more trusts. In his or her personal capacity, he or she is one organisation. As trustee of each trust, he or she is a different organisation