Privacy Policy

STANDARD PRACTICE INSTRUCTION
SPI No. 556  | ISSUE. 1 | SUPPL’T.
DATE. 10/06/2014

SUBJECT: PRIVACY POLICY – HANDLING CUSTOMER INFORMATION

* Denotes amendment since last issue.
Also see: SPI 525 – Records Retention

PURPOSE

Metal Manufactures Ltd (MML) trading as MM Electrical Merchandising (MMEM) takes its privacy obligations very seriously to ensure personal information is handled in accordance with the Australian Privacy Principles of Privacy Act 1988 (Cth). This policy documents how MMEM
handles and protects the privacy of personal information collected from its customers; including credit reports and other credit-related information.

The policy is set out for all MMEM employees and to any other person who collects, uses, stores or disposes of customer personal information for and on behalf of MMEM.

DEFINITIONS

PERSONAL INFORMATION
Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

SENSITIVE INFORMATION
A type of personal information which includes information about an individual’s racial or ethnic origin; health information; political opinions; membership of a political, professional or trade association or trade union; religious beliefs or affiliations; philosophical beliefs; sexual orientation or practices; and criminal record.

POLICY

The following policy points set out how MMEM will handle and protect customer personal information in accordance with the Australian Privacy Principles of the Privacy Act.

1. Collection of Personal Information
   1. Any personal information about individuals must be collected directly from the individual when we deal with them; whenever it is reasonable and practicable to do so.
   2. In some cases, the individual’s personal information may be provided to us by third parties such as business associates, agents or friends. If any person provides information about others, they must ensure they have their consent or are otherwise entitled to provide this information to us.
   3. We will not collect sensitive information unless the individual customer has consented or it
      is required by law. There may, however, be special specified circumstances where this information is collected, for example relating to individual or public health or safety.
   4. The types of personal information collected from an individual include:
      • legal name;
      • business and trading names;
      • the name and title of the individual/s who represent their organisation or access the website on their behalf;
      • the email address of that individual and the organisation;
      • the website address and the domain type of their organisation;
      • the telephone, facsimile, postal and street addresses of the organization
      • information disclosed about the organisation in the individual’s enquiry or message submitted, including information we might be able to infer from the context such as sectoral, employment, turnover, geographical, and size issues; and
      • the subject matter of the enquiry or message.
   5. Personal information is also collected in order to satisfy our regulatory obligations under applicable laws and rules.
   6. We may collect information, by request, about the individual’s use of our service.
   7. When individuals view the MMEM website, information is automatically collected from their visit. This information is used to analyse traffic and computer system patterns for the purpose of improving MMEM’s website.
   8. In some cases, the individual or their organisation may prefer to remain anonymous when interacting with MMEM to the extent that the name of their organisation need not
      be provided to us or in being provided, it is marked in a way that the individual prefers not to be personally identified. This is acceptable if the individual is making a general enquiry. However, all data necessary for contractual relations to exist in real time must be provided to fully supply the individual with our services.
2. Use and Disclosure of Personal Information
   1. MMEM uses personal information only for the purposes for which it was provided and for directly related purposes that are necessary to carry out our functions and activities
      (unless otherwise required by or authorised under law). In general, we use information for the purpose of supplying our goods and services to an individual and to meet our contractual obligations to that individual.The main purposes for which we collect, use and store personal information are:
      • to enable us to contact individual customers;
      • to reply to any queries or requests in relation to a customer’s account;
      • to reply to any queries in relation to the supply of our goods and services;
      • in the administration of accounts, which includes contacting customers in order to update account details (this assists in keeping our records as up to date as
      possible);
      • to notify of changes or improvements to our products or services that may affect our service to the customer; and
      • we may release necessary personal information to administrators who assist in the administration of customer accounts, from time to time.
   2. Use of personal information for direct marketing purposes
      1. MMEM will only use personal information for direct marketing purposes where the individual would reasonably expect MMEM to use the information in that way.
      2. The disclosure of an individual’s details is restricted to only those organisations and individuals that an individual customer would reasonably expect to receive direct marketing material from. Any third parties to which we provide personal information must only use it for the purposes for which it is collected or otherwise as permitted by law – please see point 2.4 ‘Disclosure of Personal Information’.
         Generally, these third party organisations are:
         • commercial companies that have genuine and relevant products or services to inform individual customers of, to whom individual customers would reasonably expect us to disclose information to, as part of our service offering to them; and
         • organisations involved in the distribution or administration for and on behalf of us or related bodies corporate.
      3. Individuals may withdraw their consent and opt out at any time from receiving direct marketing communications from us or from any other company we have approved. MMEM shall promptly action any individual’s request to opt out of receiving direct marketing communications.
   3. Use of personal information overseas
      Where it is necessary to disclose information to overseas MML Group members, service providers or other third parties who operate or hold data outside Australia, MMEM shall
      ensure appropriate data handling and security arrangements are in place. MMEM shall also take reasonable steps to ensure the overseas entity will comply with Australian Privacy Principles. We will only transfer personal information outside Australia to a third party recipient, if the recipient of the information agrees (or is compelled) to comply with privacy policies that are in accordance with, or more stringent than, the Australian Privacy Principles.
   4. Disclosure of personal information
      1. MMEM will only use and disclose personal information for the purpose for which it was collected unless:
         • the individual has consented to the information being used for a secondary use or disclosure;
         • the individual would reasonably expect MMEM to use or disclose the information for another purpose that is directly related to the purpose for which the information was collected; or
         • the use and disclosure is required or authorised by law. For example, to government and regulatory authorities, in an emergency situation or when assisting in lawful enforcement.
      2. Information is only disclosed to third parties if it is deemed necessary for us to disclose that information in order to provide our services. Where personal information is disclosed to a third party, the agreement or contract between MMEM and the third party must contain privacy clauses requiring compliance with privacy policies that are in accordance with, or more stringent than, the Australian Privacy Principles.
3. Quality, Access and Correction of Information
   1. MMEM will take reasonable steps to ensure that the personal information we collect is accurate, up-to-date and complete. These steps include maintaining and updating
      personal information when we are advised by individuals that their personal information has changed, and at other times as necessary.
   2. Requests from an individual or customer to make corrections or update their personal information for information that is incorrect or out of date shall be managed by the
      appropriate staff member in an efficient and timely manner.
   3. Requests to gain access to any personal information held by MMEM must be forwarded to MMEM’s Privacy Officer. Such requests may come from both customers and other
      individuals who have had dealings with MMEM (eg. employment candidates). In certain circumstances and as permitted by law, MMEM may deny access to information, however the individual will be provided with reasons for our decision. For example, there are exemptions specified in the Australian Privacy Principles where access may be denied.
4. Security and Storage of Personal Information
   1. MMEM shall take all reasonable measures to protect personal information that we hold from misuse, loss, unauthorised access, modification or disclosure.
   2. Customer personal information is stored in databases shared by the MML group and its related bodies corporate situated within Australia and equivalent jurisdictions.
   3. MMEM shall use secure servers in order to store customer information and ensure proper data storage.
   4. Any paper based documentation containing personal information of customers shall also be stored securely, eg. in a locked filing cabinet.
   5. When storing data using overseas cloud storage products as well as other overseas information technology products and services, MMEM shall ensure the service provider
      agrees (or is compelled) to comply with Australian Privacy Principles. The agreement or contract between MMEM and the service provider shall contain privacy clauses
      requiring compliance with privacy policies in accordance with, or more stringent than, the Australian Privacy Principles.
   6. When no longer required, and after the retention period has lapsed (as per SPI 525 Record Retention), personal information is deleted or destroyed in a secure manner.
   7. MMEM shall take all reasonable steps to provide the best security we can in the collection or transmission of data on the internet. However, we do not and cannot guarantee security of information transmitted or collected on the internet as it can never be ultimately secure.
5. Credit checks and credit reporting
   Applications for Credit or proposals for Guarantor involve a credit report check. A credit report contains information about the individual’s credit history which helps credit providers
   assess credit applications, verify the individual’s identity and manage accounts held with them. Credit reporting bodies collect and exchange this information with credit providers like us and other service providers such as phone companies.The Privacy Act limits the information that credit providers can disclose about individuals to credit reporting bodies, as well as the ways in which credit providers can use credit reports.
   1. Information exchanged with credit reporting bodies
      The information we can exchange includes an individual customer’s identification details, what type of credit has been extended to them, the amount of credit extended to them, whether or not the individual has met their credit obligations and if a serious credit infringement (such as fraud) has been committed. We also ask the credit reporting body to provide us with an overall assessment score of an individual’s creditworthiness.
   2. Use and storage of credit-related information
      We store credit-related information with other personal information about the customer. Information from credit reporting bodies is used to confirm an individual’s identity, assess applications for credit, manage customer relationships and collect overdue payments. We may also use this information as part of arriving at our own internal assessment of an individual’s creditworthiness.Individuals may request corrections to, or access to credit-related information we hold about them – please see point 3 ‘Quality, Access or Correction’ for details.Credit providers may ask credit reporting bodies to use their credit-related information to pre-screen an individual for direct marketing. Individuals can ask a credit reporting body not to do this.If an individual has been, or has reason to believe they’ll likely be, a victim of fraud (including identity fraud), they can ask the credit reporting body not to use or disclose the credit-related information it holds about them.
6. Questions or Complaints
   If an individual customer has any questions about our privacy practices or wishes to lodge a complaint about how MMEM handles personal information or credit-related information, we ask them to contact MMEM’s Privacy Officer in the first instance. We will investigate and respond to individual’s questions or complaints in a fair, efficient and timely manner.If the individual customer is not satisfied with our handling of their matter, they also have a right to complain to the Office of the Australian Information Commissioner.
7. Contacting the Privacy Officer
   To obtain further information in relation to this Privacy Policy, MMEM employees or individual customers may contact our Privacy Officer:

Ph. (02) 8839 9037 or
Email sandra.askew@mmem.com.au

Approved

Effective

13th June 2014.