The Lantern Legal Group Pty Ltd t/a Harwood Andrews (HA, we, us, our) is a law firm dedicated to providing expert advice and legal services (Services).
HA is an applicable entity under the Privacy Act 1988 (Cth) (Privacy Act) and the Notifiable Data Breaches scheme under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (NDB Scheme). In certain circumstances, HA must also comply with privacy-related laws in other countries.
For the purposes of this Policy, privacy, personal information, personal data, employee record, credit-related personal information and tax file number personal information (PI) all have the same meaning and outcome: the PI either identifies, or has the potential to identify, an individual.
The purpose of this Policy is to provide information on how we hold, collect, record, organise, structure, store, adapt, alter, retrieve, consult, use, disclose, transmit, disseminate or make available, align, combine, restrict, erase, destroy and profile PI. It is also to inform affected individuals (you, your) about how we handle your PI and inform you of your rights and choices.
All PI that we process and hold is treated securely.
4. Sensitive PI
Where HA processes sensitive PI, we employ more rigorous controls than for PI that is limited to identifying an individual.
The scope of this Policy extends to all PI that we process in the course of providing Services, in complying with the law and managing risk.
This Policy extends to our professional activities, which include our client relationships, internal operations (management, employees, temporary staff, contractors) and external operations (third parties such as regulators, related legal practices and service providers). It also extends to our external client-facing activities such as our online presence, including PI collected through our websites and through the use of email for Services, general communications and marketing purposes (refer to our Email Legal Notice).
6. Exclusions and Qualifications
As a law firm, HA is bound by rights and obligations that attach to the administration of justice. These include rules about the classification, handling and protection of information, including legal professional privilege, which is derived from the common law and from legislation at both a state and federal level. Legal professional privilege is a fundamental right that vests in the client. In the event of a conflict between an individual's PI rights and client rights, client rights, including rights of privilege and confidentiality, will prevail.
7. About This Policy
This Policy is written in language that is intended to be easy to understand. If something is not clear, please contact us so that we can provide assistance. Our contact details are provided at the end of this Policy.
This Policy outlines the current PI handling practices of HA. We will update this Policy when our information handling practices change. We will publish updates on our website and through our email distribution lists.
While we publish this Policy on our website so that it is easily accessible, we also make copies available on request in paper format. We may charge a fee for providing a copy of this Policy to cover any costs we incur in doing so.
In all cases where consent is required for us to process your PI, whether it be express consent (verbal, in writing, ticking a box), or implied consent (behaviour which indicates consent through continued use), you must give it freely, to a specific kind of processing and you must be informed about the processing based upon adequate information and the choices available to you. Individuals who are not sure about consent or who think we fall short of the consent requirements are encouraged to contact us on the details set out at the end of this Policy.
9. Privacy Principles Governing the Handling of PI
9.1. Open and transparent management of PI
HA is committed to making every reasonable effort to manage PI in an open and transparent way.
9.2. Anonymity and pseudonymity
Under some circumstances, you have the right to choose to remain anonymous (you cannot be identified and we do not collect PI) or you can choose to use a pseudonym (you can use a name, term or description that is different from your own) when dealing with us.
Circumstances where you may choose to remain anonymous or to use a pseudonym include, for example, where you prefer not to be identified, to be left alone, to avoid direct marketing, to keep your whereabouts and choices from others, and to express views in the public arena without being identified.
Examples of circumstances where we will need to know the identity of the person that we are dealing with relate to the provision of the Services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction of a PI record and where costs become excessive or impractical without knowing the identity of the individual we are dealing with.
9.3. Collection of solicited PI
We are committed to collecting PI by lawful and fair means and wherever possible only collecting it directly from the individual concerned.
We collect PI from individuals where the information is reasonably necessary for the Services, to fulfill our professional obligations and activities relating to the Services, to carry out legal process and for the administration of justice.
In providing Services we also collect sensitive PI. This sensitive PI is provided by the individual themselves, by parents and guardians and by third parties involved in the legal profession.
Given the nature of legal services, we may collect PI and sensitive PI such as: name; sex; date of birth; language preferences; physical, postal and email address; telephone numbers; occupation; personal, career and criminal history; financial, tax, investment and credit information; identity documents such as travel and driver's licence information; genetic and biometric information; physical and mental health information; information relating to racial, political, religious and philosophical beliefs; sexual orientation and preference; professional or trade association information.
For internal human resourcing, we collect PI and sensitive PI, which we may solicit or request from a third party such as an employment agency or referees in the context of employment. From employees, we request third party information such as next-of-kin and medical practitioner details.
In most instances, even for non-sensitive PI, where we collect PI, we only do so after a direct request to and with the consent of the individual to whom the information relates.
In exceptional circumstances, or when authorised or required by law, we will collect PI from a source other than the individual themselves.
9.4. Dealing with unsolicited PI
PI is sometimes provided to us in circumstances where we have not requested it. In these circumstances, where the information is unsolicited, we will examine whether it could have been collected in the circumstances set out in this Policy. We will then decide whether this unsolicited information should be retained, de-identified or destroyed. We will implement that decision within a reasonable time.
When we receive unsolicited PI which we decide to retain, we will inform individuals as soon as reasonably possible after the collection of PI. This provision does not apply in circumstances relating to civil and criminal litigation.
9.5. Notification of the collection of PI
This Policy, other legal notices published on our website and our internal practices, procedures and systems (administrative controls) are our way to ensure that individuals know about the PI that HA collects and processes.
We are committed to making all reasonable efforts to inform individuals about the PI we collect before we collect it, for example by making this Policy and our other legal notices publicly available.
Through this Policy and other legal notices published on our website, we seek to ensure that individuals are informed about the reasons for the collection of PI and that they know how to contact us about their PI.
9.6. Use or disclosure of PI
Where we hold PI about an individual that was collected for a particular purpose (the primary purpose) we will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented or the individual would reasonably expect us to use or disclose it for a related purpose. An example of a related purpose in these circumstances might be disclosure to a next-of-kin or health care provider in the case of an employee.
In some circumstances, for example, where we believe that the Service may be improved through new technologies such as data science (analytics), artificial intelligence or where we see a benefit to individuals, we may use PI that has been provided to us by the individual themselves or received from third parties for a purpose that is different from the purpose for which it was given to us in the first place. Where we do this, we will use and disclose the PI in a de-identified format.
Generally, we use (process, handle and manage) PI internally for 2 reasons:
9.6.1. to provide Services; and
9.6.2. for internal human resourcing.
We do not collect biometric forms of PI such as fingerprints.
We also use and retain PI records which are required to be retained for legal, professional services (business) and evidentiary reasons. Sometimes these PI records come from external sources and third parties, such as the courts, law institutes, government agencies, insurance providers, legal service providers, law enforcement agencies and witnesses.
Generally, we disclose PI (release it outside of our possession or control) for the same primary reasons listed above. That is, to provide the Services (including to third party service providers), for human resourcing, and where there is a legal obligation to do so.
9.7. Direct marketing
When we provide Services to individuals, we ask for consent to communicate directly with the individual in order to provide information and to promote our Services.
When we provide Services to other entities (companies, trusts, partnerships, not-for-profit organisations), we infer consent to communicate directly with the individuals concerned (directors, officers, employees etc. of those entities) in order to provide information and to promote our Services.
Whenever we do, we allow individuals to opt-out of receiving direct communications and direct marketing notifications. When individuals request us to stop communicating with them, we will comply with that request.
If an individual requests information about how we came to have their PI, we will respond and provide the source of an individual’s PI wherever possible. We will respond to these requests within 30 business days.
We do not disclose, sell or share PI to third parties for direct marketing purposes.
9.8. Cross-border disclosure of PI
HA operates from offices in Victoria and NSW in Australia. These operations include all aspects of internal operations that support the Services that we provide and include the provision of services that involve PI travelling over telecommunications lines (‘live’ data on switched networks) and the storage of static (archived) PI in data warehouses and on information systems.
HA’s clients are primarily located in Australia, but may also be located in, or be residents or citizens of the European Union (EU), the United Kingdom (UK), the Asia Pacific (APAC) countries or elsewhere, with the result that PI flows (is exported and imported) between these other countries.
HA relies on various third-party service providers such as telecommunications providers, internet service providers, information security, application, ‘cloud’, email, data warehousing and other technology and communications service providers. These are based in Australia, the EU, UK, United States of America (USA) and the APAC countries.
Because information systems enable our Services, PI may be located or disclosed in transit (live) and in a static (archived) format in countries outside Australia, in the countries mentioned above, or elsewhere. Wherever reasonably possible, we meet international best practice standards and employ recognised mechanisms such as contractual clauses and other agreements to ensure the security and confidentiality of the PI that we process under privacy, telecommunications and data laws.
Despite our best efforts, we cannot guarantee security or privacy. Individuals are cautioned to consider how their PI moves and is stored on global information systems and to make appropriate choices.
9.9. Adoption, use or disclosure of government identifiers
We do not adopt, use or disclose government identifiers of an individual as our own identifiers.
We do use and disclose government identifiers such as Australian Tax File Numbers, for example, in the provision of Services, human resource purposes and where required or authorised by law.
9.10. Quality of PI
We are committed to taking such steps as are reasonable in the circumstances to ensure that the PI we collect, hold, use and disclose is accurate, up-to-date, complete and relevant, having regard to the purpose for which it is collected, used or disclosed.
To ensure that your PI is accurate, up-to-date, complete, and relevant, we ask you to assist us. We provide various technical means, including email notifications and client communications where you can access, verify and update your PI records that we hold.
For your own security, please ensure that we know your preferred means of communication.
9.11. Security of PI
We are committed to taking reasonable steps to protect PI that we hold from misuse (wrong or improper use), interference (access even where the content is not necessarily modified) and loss (whether accidental, inadvertent or misplaced PI).
We are committed to securing PI from unauthorised access (by someone that is not permitted access to the information), modification (alteration by someone that is not permitted to do so, or who acts beyond the scope of their authority to modify PI) and unauthorised disclosure (where PI is released from our effective control without authority).
To comply with the law and manage risk, our practices, procedures and systems aim to protect the confidentiality, integrity and availability of our information systems and the information on them, especially the PI that we collect, hold, use and disclose.
Where there is no legal obligation to retain records and evidence and in circumstances where we no longer need PI to provide Services or for any purpose for which the information may be used or disclosed under Australian law, we take reasonable steps to destroy the information or to ensure that the information is de-identified.
Our information security and privacy practices include circumstances where our data storage and handling practices are outsourced to third parties. Accordingly, we only enter into agreements with third parties which we consider have reasonably compliant privacy policies.
9.12. Access to PI
Where we hold or have the right and power to deal with PI (for example, where it is stored by one of our third-party service providers), we will, on request by an individual, normally give that individual access to their information.
We do this so that individuals know what information we hold on them and because it assists us to ensure that the PI that we hold is up-to-date, complete and relevant and to ensure that we are able to communicate directly with individuals in the event of a data breach.
In considering a request for access to PI by an individual, we will require identification. We reserve the right to refuse access to an individual to their PI in certain circumstances, for example, where provided for by law, where an individual has breached an agreement with us, in instances of commercial sensitivity and where a third party may be negatively affected.
We will respond to an individual’s request for access to their information within 30 business days and we will consider reasonable requests for access to be given in a particular format, for example, through user registration login, by facsimile, email and postal services. If access is refused, we will provide reasons for the refusal.
No charge will apply generally when an access to information request is received. We do however reserve our rights to charge a fee where we incur costs, for example, for photocopying, postage and costs associated with using an intermediary.
If you seek access to your hard copy documents, we may require you to sign an acknowledgement of receipt of those documents before we release them to you.
9.13. Correction of PI
Where we hold PI, we will take reasonable steps to correct it to ensure that, having regard to the purpose for which we hold it, it is accurate, up-to-date, complete, relevant, and not misleading.
You, as an individual, may request that we correct PI that we hold about you in circumstances where you believe that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
In considering a request for the correction of PI that we hold, we will require identification of the requesting individual. We reserve the right to refuse the changes sought. If we refuse, we will associate a statement to the record reflecting our refusal to correct the PI. We will provide reasons for the refusal and also a reminder of the complaint process available to individuals that feel aggrieved by the refusal.
We will respond to a request to correct PI within 60 business days, however corrections sought may take longer, for example, because we may need to contact and notify other organisations and individuals about the request.
No charge applies for making a correction request, correcting PI or associating a statement to the record reflecting our refusal to correct the PI.
10. Complaints and Enquiries
In most circumstances, the Australian Information Commissioner (Commissioner) will not investigate a complaint if an individual has not first raised the matter directly with us. For this reason, we ask individuals to submit all complaints relating to this Policy and the handling of PI to us first, so that we have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to us on the details set out at the end of this Policy. We will respond to a complaint within 30 business days.
11. How to Make A Complaint, Enquiries and Access to Information Requests
Individuals wanting to lodge a complaint, make general enquiries, request a correction or request access to their PI must do so in writing. Writing includes email communications but excludes text messages and social media platforms.
We will respond to such requests within the time frames set out in this Policy.
12. Data Breach
Under the NDB Scheme, HA must notify the Commissioner and affected individuals of an Eligible Data Breach in relation to PI. An Eligible Data Breach occurs when:
12.1. there is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
12.2. the information is lost and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to individuals.
13. General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU (which includes citizens and residents, even when they are not physically located in the EU). It also addresses the export of such PI outside the EU.
HA does not actively provide or seek to provide Services to individuals afforded data privacy protection under GDPR. Nevertheless, we acknowledge that it is possible that the PI of such individuals may be processed as a result of unexpected circumstances, for example, if received through a third-party relationship. If this happens, we will make special arrangements to accommodate you in the exercise of your specific rights. Please ensure that you make us aware of your status if, and when, you become aware that your PI may be processed by us.
HA will use all reasonable efforts to monitor and classify foreign PI under the GDPR and other applicable regulations and handle it accordingly.
14. Governing Law
The principles outlined in this Policy are governed by Australian law.
15. Skill, Diligence, Care
HA will exercise reasonable skill, diligence and care as may reasonably be expected from a similar service provider.