AIA Australia Limited

Transcription

1 AIA Australia Limited Privacy policies & procedures May 2010 The Power of We AIA.COM.AU

2 AIA Australia Limited Privacy policies & procedures Contents Purpose 3 Policy 3 National Privacy Principles Policy & Procedures 3 1 Collection 3 2 Use and disclosure 4 3 Data quality 6 4 Data security 6 5 Openness 7 6 Access and correction 7 7 Identifiers 8 8 Transborder data flows 9 9 Sensitive information 9 10 Complaint handling Monitoring 10

3 AIA Australia Limited Privacy policies & procedures 1 Purpose AIA Australia Limited is committed to the protection of personal privacy and has adopted the National Privacy Principles of the Privacy Amendment (Private Sector) Act Policy This policy sets out the procedures and principles that AIA Australia has adopted in order to protect information about individuals. These principles deal with the collection, use and disclosure of personal information as well as access to information and intrusion issues. The principles comply with the National Privacy Principles of the Privacy Amendment (Private Sector) Act National Privacy Principles Policy & Procedures 1 Collection AIA Australia will only collect information that is necessary for what we do 1.1 AIA Australia will not collect personal information unless the information is necessary for one or more of its functions or activities. AIA Australia will be fair in the way we collect information about you 1.2 AIA Australia will collect personal information only by lawful and fair means and not in an unreasonably intrusive way. AIA Australia will tell you who we are and what we intend to do with information about you 1.3 At or before the time (or as soon as practicable after) AIA Australia collects personal information from the individual concerned, we will take reasonable steps to ensure that the individual is aware of a) the identity of AIA Australia and how to contact us; b) the fact that he or she is able to gain access to the information; c) the purposes for which the information is collected; d) the organisations (or the types of organisations) to which AIA Australia usually discloses information of that kind; e) any law that requires the particular information to be collected; and f) the main consequences (if any) for the individual if all or part of the information is not provided. Where reasonable and practicable AIA Australia will collect personal information directly from you 1.4 If it is reasonable and practicable to do so, AIA Australia will collect personal information about an individual only from that individual. Where AIA Australia collects information about you from someone else, we will do what we can to make sure you know we have done this 1.5 Where AIA Australia collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in clause 1.3 unless telling the individual of those matters would pose a serious threat to the life or health of any individual. Procedures (Collection) Collection not to intrude to an unreasonable extent When collecting personal information, AIA Australia will not intrude to an unreasonable extent upon the personal affairs of the individual concerned. Specified purposes and limitation of collection Personal information will only be collected for previously specified purposes. The nature of personal information collected will be commensurate with the specified purpose and will be limited to that necessary to satisfy that purpose. An individual will not be required to provide information beyond that required to fulfil the explicitly specified legitimate purposes. If AIA Australia inadvertently collects personal information about you which is not necessary for one or more of its functions or activities, AIA Australia will take reasonable steps to destroy or de-identify the information. Notifying the purpose of collection Where personal information is to be collected directly from any individual, reasonable steps will be taken to ensure that the individual is aware of the purpose of collection. In many situations the purpose of collection will be readily apparent to the person concerned. In other circumstances, it will be necessary to provide sufficient additional information to enable the person concerned to understand the purpose of collection. If at the time of collection it is not feasible to notify the person concerned of the purpose of collection, then AIA Australia will, as soon as practicable, take reasonable steps to do so. Personal information obtained from third parties When personal information is obtained from third parties, such information will be limited to that required for the identified purpose and will be collected by lawful and fair means for purposes directly related to AIA Australia s activities. Lawful and fair means AIA Australia will only collect personal information by lawful means and by means which do not mislead or deceive the person concerned or any third-party. AIA Australia will inform customers of any significant consequences of not providing information. Notification of Usual Disclosure Practices If appropriate and practicable to do so, individuals will be notified of any usual disclosure practice of AIA Australia

4 2 AIA Australia Limited Privacy policies & procedures for the personal information being collected. The notification will be provided at the time of collection or as soon as practicable after the collection has occurred. 2 Use and disclosure AIA Australia will only use or disclose information about you for the purpose that you gave us the information or where a lawful exception applies 2.1 AIA Australia will only use or disclose personal information for the primary purpose for which it was collected. Exceptions to this rule are as follows: Use or disclosure for a related purpose a) AIA Australia will use or disclose personal information for a secondary purpose if the secondary purpose is related to the primary purpose for which it was collected and the individual would reasonably expect the information to be used or disclosed for the secondary purpose. In the case of sensitive personal information, use or disclosure for a secondary purpose may only occur if the secondary purpose is directly related to the primary purpose for which the information was collected, and the individual would reasonably expect the information to be used or disclosed for the secondary purpose. Secondary use or disclosure with consent b) AIA Australia will use or disclose personal information for a secondary purpose if the individual consents to the use or disclosure. Use for direct marketing (where no other exception applies) c) AIA Australia will use personal information (but not sensitive personal information) for the secondary purpose of direct marketing if: i) it is impracticable to seek the individual s consent before using the information; and ii) the individual is not charged a fee when they ask not to receive direct marketing communications; and iii) the individual had not made a prior request to AIA Australia not to receive direct marketing communications; and iv) in each direct marketing communication with the individual, AIA Australia draws to the individual s attention, or prominently displays a notice, that he or she may elect not to receive any further direct marketing communications; and v) each written direct marketing communication by AIA Australia with the individual sets out AIA Australia s business address and telephone number and, if the communication with the individual is made by fax or other electronic means, a number or address at which AIA Australia can be directly contacted electronically. Serious threats to life, health or safety d) AIA Australia will use or disclose personal information for a secondary purpose if it believes it to be reasonably necessary to lessen or prevent i) a serious and imminent threat to an individual s life, health or safety; or ii) a serious threat to public health or public safety. Unlawful activity e) AIA Australia will use or disclose personal information for a secondary purpose if it suspects that unlawful activity has been, is being, or may be engaged in and uses or discloses the personal information as a necessary part of its investigation of the matter, or in reporting its concerns to relevant persons or authorities. Required or authorised by law f) AIA Australia will use or disclosure personal information for a secondary purpose if the use or disclosure is required or authorised by or under law. Enforcement bodies g) AIA Australia will use or disclose personal information for a secondary purpose if it believes it to be reasonably necessary for one or more of the following by or on behalf of an enforcement body: i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; ii) the enforcement of laws relating to the confiscation of the proceeds of crime; iii) the protection of the public revenue; iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal. Logging uses and disclosures 2.2 If AIA Australia uses or discloses personal information under paragraph (g) of 2.1, it must make a written note of the use or disclosure. Primary purpose and related companies 2.3 Where AIA Australia has collected personal information from a related body corporate and wishes to use or disclose the information, the primary purpose of collection, for the purposes of applying the exceptions to 2.1, is the primary

5 AIA Australia Limited Privacy policies & procedures 3 purpose for which the related body corporate collected the information. Procedures (Use) These procedures relate to the use of personal information internally within AIA Australia, irrespective of whether that information was collected directly from the individual concerned or obtained from third parties. Use in the performance of duties AIA Australia employees, agents and contractors are only authorised to access or use personal information in the legitimate performance of their duties and strictly on a need to know basis. Staff, contractors and agents are not permitted to access customer information for any purpose other than performance of their duties. Browsing is not permitted under any circumstances. Browsing or using information is a serious offence and is not permitted by the Act. AIA Australia considers that a failure by staff to comply with this policy will constitute serious misconduct and accordingly will give rise to disciplinary action which may include dismissal. Agents and contractors shall be contractually bound to comply with the Privacy law. Use for primary or directly related purposes Personal information may be used for a purpose specified at the time of collection (primary purpose) or for other purposes related to that purpose (secondary purposes) provided that a customer would reasonably expect AIA Australia to use the information for that secondary purpose. Improvement of customer service and direct marketing Personal information may be used to the extent necessary to improve customer service, including product development, market research and marketing, where that use is directly related to the purpose of collecting the information and within the reasonable expectations of the customer. The assessment of whether a proposed use is related to the purpose specified at the time of collection and within the reasonable expectations of the customers will be made on a case by case basis. An example of a legitimate use for a secondary purpose would be using the information on a customer s proposal to advise that it would be more economical to change to different coverage level. The use of personal information to assist in direct marketing of services or products which are unrelated to the services or products originally supplied to the customer will be undertaken in accordance with 2.1(c). That is where the proposed use of personal information is for direct marketing purposes, and such use is not a legitimate secondary use as outlined above, AIA Australia will only undertake such use with the consent of the person concerned. If that is impracticable, AIA Australia will advise the customer of the use at first contact and offer the customer the opportunity to opt-out of further marketing uses. Personal information must not be used for contacting the individual for marketing purposes where the individual has indicated that he or she does not want to be contacted for direct marketing purposes. Intrusion AIA Australia recognises that a balance should exist between the legitimate use of unsolicited communications and their potential for intrusion into personal privacy. AIA Australia will conduct its direct marketing and market research activities in accordance with accepted industry standards and its procedure for direct marketing. AIA Australia will maintain a record of individuals who have requested that they not be contacted by AIA Australia for direct marketing purposes. Personal information will not be used for contacting the individual for marketing purposes where the individual has previously indicated that he or she does not wish to be contacted for direct marketing purposes. Threat to life or health Personal information may be used where it is reasonably necessary to do so and in circumstances where it is believed that there is a serious and imminent threat to the life or health of the individual concerned or of another person. Where personal information is used for this purpose, a record of the circumstances will be retained. Permitted by law Use of personal information is only permitted in accordance with company policies and procedures. In circumstances where use may be required or authorised by or under law, AIA Australia will ensure that the use is lawful and that personal information is only used to the extent required. For enforcement of the law Use of personal information for enforcement of the law will only be permitted in accordance with established company policies and procedures (Industry Codes of Practice or Guidelines adopted by AIA Australia), or with the consent in writing of the Privacy Manager. Other Purposes Use of personal information for any other purpose other than that specified at the time of collection, or as permitted or required by law, will only take place with the consent of the individual concerned. Consent Depending on the circumstances, consent for the use of personal information may be express or implied. Generally express consent will be obtained save where it is impracticable to do so. Consent may be withdrawn at any time, but not with retrospective effect. The individual concerned will be informed of the consequences of withdrawing their consent. Employment data AIA Australia will only use employment information to the extent required by the proper discharge of its employment obligations and appropriate management of its human resources. Access to employment information will be restricted to those needing access for the proper performance of their duties. The Human Resources Department has implemented a detailed Privacy Policy for the use and disclosure of personal information. AIA Australia will comply with the legislative privacy obligations covering employment data and in particular

6 4 AIA Australia Limited Privacy policies & procedures the Tax File Number Guidelines issued under the authority of the Privacy Act Old Criminal Convictions AIA Australia will comply with the provisions of the Crimes Act 1914 which apply safeguards to the use of information about old, minor, or spent criminal convictions. Procedures (Disclosure) These procedures relate to the disclosure of personal information to persons, organisations and agencies external to AIA Australia. Consent Unless falling within one of the other exceptions set out in this principle, the disclosure of personal information to a third party will only occur with the consent of the person concerned. Depending on the circumstances, consent for the disclosure of personal information may be express or implied. Generally express consent will be obtained. Where oral consent is given, a notation to this effect will be appended to the information held by AIA Australia. Consent may be withdrawn at any time but not with retrospective effect. The individual concerned will be informed of the consequences of withdrawing their consent. Disclosure to an agent or contractor of AIA Australia Disclosure of personal information to an agent or contractor of AIA Australia is permitted only: to the extent necessary for the agent or contractor to be able to undertake or perform their contractual obligations, and where the agent or contractor has provided a written undertaking to keep the information confidential, and to use the information only for the purpose for which it was disclosed, and generally comply with the provisions of the Privacy law. Threat to life or health Personal information may be disclosed where it is reasonable necessary to do so in circumstances where it is believed that there is a serious and imminent threat to the life or health of the individual concerned or of another person. Where personal information is disclosed in these circumstances a record of the disclosure will be retained. Permitted or required by law Disclosure of personal information under this heading is only permitted in accordance with company procedure or direction. In circumstances where disclosure may be required or authorised by or under law, AIA Australia will ensure that the request for information is lawful and that personal information is only disclosed to the extent required. Disclosure for law enforcement purposes AIA Australia will disclose personal information to officers and authorities of the Commonwealth, States and Territories when it is reasonably necessary for any of the following purposes: enforcing the criminal law and laws imposing pecuniary penalties, safeguarding national security. Such disclosures will be strictly in accordance with company policies and procedures or as otherwise directed by the Privacy Manager. Where personal information is disclosed for law enforcement purposes or for the protection of public revenue, an auditable record of the disclosure will be retained. 3 Data quality AIA Australia will ensure that information about you is accurate when we collect, use or disclose it AIA Australia will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date. Procedures (Data Quality) AIA Australia will use its best endeavours to ensure that personal information is relevant, accurate, complete and up to date for the purpose for which it is to be used, both at the time of collection and before each use. Where personal information is collected from the individual concerned it will generally be assumed to be accurate, complete and up-to-date, at the time of collection, unless there is other information which suggests that it is not. Care will be exercised to determine the accuracy, completeness and currency of personal information collected from other sources. Personal information will not be routinely updated, unless it is necessary for the purpose for which it is to be used. 4 Data security AIA Australia will keep information about you secure 4.1 AIA Australia will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. 4.2 AIA Australia will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under Privacy Principle 2. Procedures (Data Security) Documenting security and storage AIA Australia will document security and storage requirements for all personal information for which it is responsible. In documenting security and storage requirements, AIA Australia will take into consideration the sensitivity of the information, its form and volume, its frequency of use and retention period, the circumstances of its use and storage and any legal or regulatory requirements. Staff should adopt a clean desk policy in relation to personal information. That is, when not being used by staff, documents containing personal information should protecting the public revenue, or

7 AIA Australia Limited Privacy policies & procedures 5 be put away or stored in a manner which prevents it being viewed by others. Documenting retention and disposal requirements AIA Australia will document retention and disposal requirements for all personal information for which it is responsible, taking into consideration the sensitivity of the information, its form, the circumstances of its use and any legal or regulatory requirements. Secure disposal When no longer required to be kept as personal information, such information will be destroyed or made anonymous in a controlled and secure manner in order to prevent any unauthorised persons having access to that information. Information subject to complaint, inquiry or legal process Personal information which is the subject of complaint, inquiry or legal process will not be destroyed until the resolution of that process. 5 Openness AIA Australia will be open with you about the kinds of personal information we hold and what we do with it 5.1 AIA Australia will set out in a document clearly expressed policies on its management of personal information. This document is called AIA Australia Limited Privacy Policy and Procedures and AIA Australia will make the document available to anyone who asks for it. 5.2 On request by a person, AIA Australia will take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information. Procedures (Openness) The Privacy Manager is responsible for ensuring that AIA Australia s privacy protection principles and procedures remain appropriate and that AIA Australia operates in compliance with those principles and procedures. Explanatory information about the principles and their application will be available to the public in proposals and policy wordings. Compliance obligation Anyone handling personal information for which AIA Australia is responsible, whether employee, agent or contractor, is expected to act in accordance with the policy and procedures set out in this document. Internal compliance program AIA Australia will maintain a compliance program to ensure that its privacy policy and procedures are applied to all personal information and privacy sensitive activities and to encourage a culture of protecting personal information. The objectives of the compliance program are to : a) Educate employees, contractors and agents about the Company s privacy policy and related procedures. b) Establish and maintain supervisory and system controls that are commensurate with the sensitivity of the information to be protected. c) Incorporate these principles in privacy and customer service procedures. d) Ensure that an assessment of privacy implications is an integral part of the company s product and service development programs. e) Require agents and contractors to comply with these principles. Community awareness AIA Australia will make freely available, upon request, details of its privacy policy together with general details of the types of personal information held, its use, disclosure and retention. 6 Access and correction Wherever possible AIA Australia will let you see the information we hold about you and correct it if it is wrong 6.1 If AIA Australia holds personal information about an individual, it must provide the individual with access to the information on request. Exceptions to this rule are: Serious and imminent threat to life or health a) in the case of personal information which is not health information where providing access would pose a serious and imminent threat to the life or health of any individual; or b) in the case of health information where providing access would pose a serious threat to the life or health of any individual; or Impact on others privacy c) where providing access would have an unreasonable impact upon the privacy of other individuals; or Frivolous or vexatious d) where the request for access is frivolous or vexatious; or Existing or anticipated legal proceedings e) where the information relates to existing or anticipated legal proceedings between AIA Australia and the individual; and the information would not be accessible by the process of discovery in those proceedings; or Prejudice to negotiations f) where providing access would reveal the intentions of AIA Australia in relation to negotiations with the individual in such a way as to prejudice those negotiations; or Unlawful, or where required or authorised by or under law g) where providing access would be unlawful; or

8 6 AIA Australia Limited Privacy policies & procedures Authorised by or under law h) where denying access is required or authorised by or under law; or Prejudice to investigations of unlawful activity i) where providing access would be likely to prejudice an investigation of possible unlawful activity; or Prejudice to law enforcement activities j) where providing access would be likely to prejudice: i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or iii) the protection of the public revenue; or iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders; by or on behalf of an enforcement body; or Damage to national security k) where an enforcement body performing a lawful security function asks AIA Australia not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia. Evaluative information 6.2 Where providing access would reveal evaluative information generated within AIA Australia in connection with a commercially sensitive decisionmaking process, AIA Australia may give the individual an explanation for the commercially sensitive decision rather than direct access to the information. Note: AIA Australia breaches Principle 6.1 if it relies on Principle 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where Principle 6.2 does not apply. Use of intermediaries as an alternative to providing access 6.3 If AIA Australia is not required to provide the individual with access because one or more of paragraphs 6.1(a) to (k) applies, AIA Australia will, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties. Charges for providing access 6.4 If AIA Australia charges for providing access to personal information, those charges: a) will not be excessive; and b) will not apply to lodging a request for access. Correcting personal information 6.5 If AIA Australia holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and upto-date, AIA Australia must take reasonable steps to correct the information so that it is accurate, complete and up-to-date. Associate information with a statement 6.6 If the individual and AIA Australia disagree about whether the information is accurate, complete and up-to-date, and the individual asks AIA Australia to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, AIA Australia will take reasonable steps to do so. Reasons for denying access to or for refusing to correct personal information 6.7 AIA Australia will provide reasons for denial of access or a refusal to correct personal information. Procedures (Access and correction) Access to personal information Individuals are entitled to inquire whether AIA Australia holds personal information concerning them and if so to be advised of its use and disclosure and to obtain a copy or transcript of any relevant document. AIA Australia will maintain procedures to facilitate inquiries. AIA Australia will have adequate identification procedures to establish that the individual seeking access to personal information is in fact who they say they are. AIA Australia will provide a copy of the information in an understandable form within the time frame prescribed. AIA Australia will not charge individuals a fee for access to personal information concerning them, unless requests are considered unnecessarily frequent or extensive. Time Frame AIA Australia will respond to a written request for access, acknowledging the request as soon as possible or at least within 14 days. If a request is straightforward, AIA Australia will often grant access within 14 days or, if the request is more complicated, within 30 days. Alteration and deletion Any individual may challenge the completeness, accuracy, absence or presence of personal information concerning them and have information inserted, corrected or deleted. AIA Australia or the individual concerned may append an explanatory note to the data in the event of an unresolved disagreement. 7 Identifiers AIA Australia will limit our use of identifiers that government agencies have assigned to you 7.1 AIA Australia will not adopt as its own identifier of an individual an identifier that has been assigned to the same individual by: a) an agency; or

9 AIA Australia Limited Privacy policies & procedures 7 b) an agent of an agency acting in its capacity as agent; or c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract. 7.2 AIA Australia will not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in 7.1 unless: a) the use or disclosure is necessary for AIA Australia to fulfil its obligations to the agency; or b) one or more of paragraphs 2.1(d) to 2.1(g) (inclusive) apply to the use or disclosure (these paragraphs relate to uses or disclosures to prevent or lessen a threat to health or safety; uses or disclosures to investigate unlawful activity, where required or authorised by or under law; and for law enforcement and public revenue protection); or c) the use or disclosure is by AIA Australia of a prescribed identifier in prescribed circumstances. 7.3 Identifier includes a number assigned by AIA Australia to an individual to identify uniquely the individual for the purposes of AIA Australia s operations. However, an individual s name or ABN is not an identifier. Procedures (Identifiers) A customer may be required to establish their identity by means of a government assigned identifier but AIA Australia will not insist on the customer providing a particular government assigned identifier (unless required to do so by law), nor will it use such an identifier to organise personal information it holds and match it with other personal information organised by reference to the same identifier. 8 Transborder data flows AIA Australia will take steps to protect your privacy if we send personal information about you overseas AIA Australia in Australia may transfer personal information about an individual to someone (other than AIA Australia or the individual) who is in a foreign country only if: a) AIA Australia reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles in the Privacy Act; or b) the individual consents to the transfer; or c) the transfer is necessary for the performance of a contract between the individual and AIA Australia, or for the implementation of precontractual measures taken in response to the individual s request; or d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between AIA Australia and a third party; or e) all of the following apply: i) the transfer is for the benefit of the individual; ii) it is impracticable to obtain the consent of the individual to that transfer; iii) if it were practicable to obtain consent, the individual would be likely to give it; or f) AIA Australia has taken reasonable steps to ensure that the information that it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles. Procedures (Transborder data flows) AIA Australia shall obtain an individual s consent to transfer information overseas where necessary. No consent shall be obtained in relation to transfers to other AIA Group offices overseas. 9 Sensitive information AIA Australia will limit the collection of highly sensitive information about you. AIA Australia will not collect sensitive information about an individual unless: a) the individual has consented; or b) the collection is required by law; or c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns: i) is physically or legally incapable of consenting to the collection; or ii) physically cannot communicate consent to the collection; or d) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim. Procedures (Sensitive information) Non Discriminatory AIA Australia will not collect, use or disclose information about an individual s: i) political, social or religious beliefs or affiliations, ii) race, ethnic origins or national origins, or iii) sexual preferences or practices, unless the collection or use is in accordance with this procedure. Private lives AIA Australia respects the right of individuals to the privacy of their personal lives and requires all employees, agents and contractors working on behalf of AIA Australia to respect this basic right. Working environment AIA Australia will provide a working environment which is commensurate with the company s privacy policy

10 8 AIA Australia Limited Privacy policies & procedures and which provides an appropriate degree of personal privacy for its employees and contractors. Surveillance Surveillance of customers, employees or contractors will only be undertaken by lawful means and in accordance with this and any other applicable company policy. All proposals to conduct surveillance will require the prior written approval of senior management and the Privacy Manager. AIA Australia maintains video surveillance for security purposes within its premises. Access to AIA Australia s business information AIA Australia reserves the right to access its business records created by employees, agents or contractors and to investigate any suspected improper conduct such as suspected fraud, theft or other illegal act or suspected breach of Company Procedures. Any such investigation will only be conducted in compliance with relevant legislation and Company Procedures. Any personal information disclosed to third parties in the course of such an investigation will be restricted to that appropriate in the circumstances. The Human Resources Department has also developed various policies and procedures in relation to employee privacy. AIA Australia respects the privacy of individuals. AIA Australia considers that a failure by staff to comply with the privacy policy and procedures may constitute serious misconduct and may give rise to disciplinary action. Old criminal convictions AIA Australia will comply with the provisions of the Crimes Act 1914 which apply safeguards to the collection of information about old, minor, or spent criminal convictions. 10 Complaint handling Description of scheme An individual who believes his or her privacy may have been interfered with by AIA Australia may complain in writing to AIA Australia s Compliance Manager who will consider the complaint and attempt to resolve it. If the individual is dissatisfied with the outcome, the complaint will be referred to AIA Australia s Internal Disputes Resolution Committee for response within 45 days of receipt. Persons who are dissatisfied with the determination of AIA Australia s Internal Disputes Resolution Committee may ask the Privacy Commissioner to review the determination. Responsibilities of AIA Australia 10.1 AIA Australia has established an internal disputes resolution process for dealing with privacy complaints This process is readily accessible by individuals without charge This process provides a fair and timely method of handling privacy complaints The contact details for lodging a complaint with AIA Australia are: The Compliance Manager AIA Australia Limited 553 St Kilda Rd Melbourne Vic 3004 How will AIA Australia respond to complaints: 10.5 Where AIA Australia receives from an individual a request for the resolution of a privacy complaint or a written request for a response from AIA Australia in relation to the complaint, AIA Australia will reply to the individual within 45 working days, and, if the complaint is not resolved in a manner acceptable to the individual, AIA Australia will advise of: a) the general reasons for that outcome, where appropriate; and b) information on the further action that the individual can take under the National Privacy Principles, including his or her right to take the complaint to the Privacy Commissioner, should he or she remain dissatisfied with AIA Australia s handling of the complaint or the outcome of the complaint. Complaint Handling by Privacy Commissioner 10.6 An individual who is not satisfied with AIA Australia s handling of his or her privacy complaint may complain about the matter to the Privacy Commissioner. The Privacy Commissioner has powers to investigate the complaint and make a determination on the complaint Individuals will not be charged a fee to have their complaints investigated by the Privacy Commissioner The Privacy Commissioner will endeavour to satisfactorily resolve, by conciliation, mediation or negotiation, all complaints that it receives and will only use its determination-making powers where a conciliated solution is not appropriate The Privacy Commissioners contact details are: Office of the Federal Privacy Commissioner GPO Box 5218 Sydney, NSW, 2001 Or call the Privacy Hotline on Monitoring Responsibilities of AIA Australia 11.1 AIA Australia will ensure that it a) implements appropriate systems and documentation for AIA Australia to comply with the National Privacy Principles; b) monitors privacy complaints and compliance with the National Privacy Principles.

11 FREECALL: aia.com.au AIA /10_COR465