(a) Lander & Rogers is bound by the provisions of the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) in its collection, use, disclosure and storage of personal information. The Privacy Act, which includes the APPs, governs the way personal information is handled in Australia.
2. What is personal information?
"Personal information" is defined under the Privacy Act as information or an opinion about an identified individual or reasonably identifiable individual, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not. Personal information also includes "sensitive information" about an individual.
3. What is sensitive information?
"Sensitive information" is defined under the Privacy Act as a sub-category of personal information which includes information or an opinion about an individual's racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, health information, genetic or certain biometric information.
4. What personal information do we collect and hold?
(a) We collect information about you and your interactions with us. The type of personal information we may collect about you will depend upon the nature of our interaction with you.
(b) Specifically, the personal information we collect and hold may include:
- (i) name;
- (ii) mailing or street address;
- (iii) contact details including email address, telephone number or mobile number;
- (iv) age and/or date of birth;
- (v) gender;
- (vi) occupational and employment details including employment status and any previous work experience;
- (vii) information from or in connection with your resume or job application if you apply for a position with us;
- (viii) photographs or images of you;
- (ix) payment details, such as your bank account, credit or debit card information; and
- (x) financial and/or credit information.
(c) Lander & Rogers may also collect and hold sensitive information, including:
- (i) health information;
- (ii) trade union membership or associations;
- (iii) racial or ethnic origin; and/or
- (iv) criminal records.
We will only collect sensitive information if the relevant individual has consented, or if the collection is otherwise in accordance with the Privacy Act, for example where the collection is required by law or necessary for the establishment, exercise, or defence of a legal or equitable claim.
5. How do we collect personal information?
(a) We may collect personal information directly from you or from a third party. We will only collect personal information from a third party if it is unreasonable or impracticable to collect this information directly from you or if we are otherwise permitted to do so.
(b) Specifically, we may collect your personal information when:
- (i) you use or buy our products or services;
- (ii) you request information about us, our services, programs or events;
- (iii) you participate in our programs and events, such as our Continuing Professional Development days or online Webinars;
- (iv) you provide feedback to us;
- (v) you visit or fill in a form on our website;
- (vi) you visit a premises from which we operate;
- (vii) you submit a job application to us;
- (viii) you contact us by telephone, email, social media, post or in person; and
- (ix) we are otherwise required or authorised by law.
(c) If the personal information we collect includes sensitive information, including health information, we will ask for your consent to collect this sensitive information, unless the law allows us to collect the information without your consent.
(d) We may collect personal information from third parties such as:
- (i) your nominated representative;
- (ii) insurers;
- (iii) your current or former employer;
- (iv) government agencies;
- (v) publicly available sources; and/or
- (vi) other service providers including health service providers.
(e) When we collect personal information from a third party, we will take reasonable steps to tell you that we have done so as close as possible to the time we collected the personal information.
6. Exemptions under the Privacy Act
7. Why do we collect, hold, use and disclose personal information?
(a) Lander & Rogers primarily collects, holds, uses and discloses personal information to provide legal services to our clients, to operate and market our legal practice business, and for other related purposes, including:
- (i) to perform our organisational functions and activities and operate our business efficiently;
- (ii) to identify and communicate with you;
- (iii) to enable us to provide you with requested information, services or products;
- (iv) to assist our Staff with delivering our services and operating our business;
- (v) to help us manage and enhance the services we provide to you and the events and programs we run;
- (vi) to help us manage and enhance the goods and services we procure from our third-party service providers;
- (vii) to manage and administer any account you hold with us;
- (viii) to enable you to access and use our website and online services;
- (ix) to operate, improve and optimise our website and online services and your and other users' experience;
- (x) to send marketing and promotional messages to you and other information that has been requested or which may be of interest;
- (xi) to respond to any queries or complaints you have made;
- (xii) to comply with our legal obligations; and
- (xiii) to assist government and law enforcement agencies or regulators.
8. Direct marketing
(a) We will use your personal information to offer you products and services we believe may be of interest to you, but we will not do so if you tell us not to.
(b) When you receive electronic marketing communications from us, you may opt out of receiving further marketing communications by following the opt-out instructions provided in the communication.
9. To whom do we disclose personal information?
(a) We may disclose your personal information (which might be sensitive information) to the following third parties for the purposes listed above:
- (i) third party service providers of Lander & Rogers;
- (ii) your nominated representatives;
- (iii) other organisations or individuals who assist us in providing services and events to you or to administer our business;
- (iv) professional service providers and advisors who perform functions on our behalf, such as barristers and accountants;
- (v) medical providers including medical and rehabilitation practitioners for assessing insurance claims; and
- (vi) Government, regulatory authorities or other organisations as required or authorised by law.
(b) When we disclose personal information to third parties, we make all reasonable efforts to ensure that:
- (i) we disclose only relevant information and information that is accurate, complete and up to date; and
- (ii) the third party recipient will comply with the Privacy Act in relation to the use, disclosure and storage of your information.
(c) We will never sell the personal information we collect.
10. Disclosure of personal information outside Australia
(a) In some instances, we may disclose your personal information to recipients located outside of Australia, including to other law firms or third party service providers involved in a legal matter.
(b) Where we disclose personal information outside of Australia, we will take reasonable steps to ensure that the overseas recipient will deal with the personal information for the purpose intended and in a way that is consistent with the APPs.
11. Information collected via our website
(a) A "cookie" is a small file stored by the web browser software on your computer when you access our website. An explanation of cookies can be found on the website of the Office of the Australian Information Commissioner (OAIC).
(b) We may use session cookies for maintaining contact with a user throughout a web browsing session. Session cookies expire when the browsing session comes to an end or a user shuts down their computer.
(c) We may use persistent cookies for statistical purposes and to improve our website.
11.2 Web beacons
The communications generated from using and/or registering on our website, such as promotional emails, may contain electronic images known as "web beacons". Web beacons generally work in conjunction with cookies, and we may use them with cookies to, for example, count the number of visitors to the website or see whether you have acted on an email or clicked on a link.
11.3 Google Analytics
(b) The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of compiling reports on the website's activity and providing other services relating to the website and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate a person's IP address with any other data held by Google.
(c) You can opt out of the collection of information via Google Analytics by downloading the Google Analytics Opt-out browser add-on here.
11.4 Clickstream data
(a) When you visit our website, a record may be made of your visit, including the following information:
- (i) your server address;
- (ii) your top level domain name;
- (iii) the date and time of access to the site;
- (iv) pages accessed and documents downloaded;
- (v) the previous site visited; and
- (vi) the type of browser software in use.
(b) We may analyse this non-identifiable website traffic data (including through the use of third party service providers) on an aggregated basis to improve our services and for statistical purposes.
(c) No attempt will be made to identify users or their browsing activities except in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect the internet service provider's log files.
11.5 Third party websites
Our website may link to other websites which are outside our control, and other websites outside our control may link to our website. Whilst we try to ensure that we link only to websites which share our privacy and security standards, once you have left our website we cannot be responsible for the protection of any information which you provide on other websites. You should exercise caution and review the privacy statement applicable to the website in question.
12. Storage and security of personal information
(a) We store most personal information in computer systems and databases operated by us or our external service providers. Some personal information is recorded in paper files that we store securely.
(b) We implement and maintain processes and security measures to protect the personal information we hold from misuse, interference or loss, and from unauthorised access, modification or disclosure. This includes:
- (i) training our Staff in how to keep personal information safe and secure;
- (ii) storing hard copy and electronic records in secure systems; and
- (iii) using trusted contracted service providers (including cloud storage providers).
(c) We take all reasonable steps to ensure that all our third party service providers which hold personal information are bound by appropriate contractual obligations regarding the use, protection and disclosure of the information.
(e) If the personal information we store is no longer required by us for any purpose for which it was collected and is no longer required by law to be retained by us, we will destroy or de-identify the information.
13. How can I access or correct my personal information?
(a) We have measures in place to ensure the information we hold about you is accurate, complete and up to date, including by verifying the information with individuals each time they use our services.
(b) Under the Privacy Act, individuals have a right to request access to and correction of their personal information. You may access or request correction of the personal information that we hold about you by contacting us. Our contact details are set out below. There are some circumstances in which we are not required to give you access to your personal information.
(c) There is no charge for requesting access to your personal information, but we may require you to meet our reasonable costs in providing you with access (such as photocopying costs or costs for time spent on collating large amounts of material).
(d) We will respond to your requests to access or correct personal information in a reasonable time, and where applicable, we will correct any inaccurate or out-of-date information within a reasonable time of notification of error.
(e) Where we refuse to provide you with access to your personal information, or to update your personal information in the way requested, we will provide you with reasons for the decision. You may also request that we make a note on your record that you are of the opinion that the information is inaccurate, incomplete, out of date, irrelevant or misleading (as the case may be).
14. How can I make a complaint?
(a) If you have a complaint or concern regarding our handling of your personal information or think that your privacy has been affected, you should contact us using our contact details below to raise your complaint or concern.
(b) We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation.
(c) If you remain unsatisfied with the way in which we have handled your privacy complaint or concern, you may approach an independent advisor or contact the OAIC. See the OAIC website for more information about how to make a complaint.
15. Data breach
In accordance with our obligations under the Privacy Act, if an 'eligible data breach' which impacts your personal information has occurred, or we have reasonable grounds to suspect has occurred, we will notify you and the OAIC.
A 'data breach' occurs when personal information held by Lander & Rogers is lost or is subject to unauthorised access or disclosure. A data breach is an 'eligible data breach' where there is a likely risk of 'serious harm' to the individual(s) to whom the personal information relates (i.e., the affected individual(s)).
Where required by the Privacy Act, upon becoming aware of or reasonably suspecting an eligible data breach, Lander & Rogers will:
(a) assess whether the data breach is likely to result in serious harm within 30 days of becoming aware of the suspected breach;
(b) prepare a notification statement and give a copy of this statement to the OAIC as soon as practicable after becoming so aware; and
(c) as soon as practicable after preparing the notification statement, notify affected individuals or publish the statement on the Lander & Rogers website and publicise the statement.
16. Contacting us
Please contact our Privacy Officer using the following contact details if you:
(b) wish to make a complaint about the way we have collected, used, held or disclosed your personal information; or
(c) would like to opt out of receiving information about Lander & Rogers' products or services.
Privacy Officer, Lander & Rogers
Level 15, 477 Collins Street
MELBOURNE VIC 3000
Telephone: (03) 9269 9000
Date Reviewed: 1 May 2023