Lenard’s Pty Ltd Privacy Statement
About this Privacy Statement
This Privacy Statement applies to all dealings with any person who provides personal information to Lenard’s Pty Ltd (“Lenard’s”) and any company related to Lenard’s. The Privacy Statement applies no matter what method of information collection or storage is used.
The following Privacy Statement has been published to provide a clear and concise outline of how and when personal information is collected, stored and distributed by Lenard’s. This Privacy Statement covers personal information collection via Lenard’s web site.
Commitment to the National Privacy Principles
Lenard’s is committed to complying with the National Privacy Principles.
The National Privacy Principles aim to give people greater control over the way personal information about them is handled by the private sector. In summary, an organisation must take reasonable steps to make individuals aware that it is collecting personal information about them, the purposes for which it is collecting the personal information, and to whom it might pass the personal information.
There are some restrictions on the uses an organisation can make of personal information and on when an organisation can disclose personal information or transfer it overseas. Except for some special circumstances, individuals have a right to get access to personal information an organisation holds about them and to have the information corrected or annotated if the information is incorrect, out of date or incomplete.
A copy of the National Privacy Principles is attached for your easy referral.
Personal Information collected
The nature of personal information collected and maintained by Lenard’s varies depending upon the reasons for collecting that information.
Generally the information collected comprises name, address, age group, contact details (including phone, fax, e-mail and postal address) and product preferences.
For statistical purposes we collect information on web site activity (such as the number of users who visit the web site, the date and time of visits, the number of pages viewed and navigation patterns) through the use of “cookies”. This information on its own does not identify an individual but it does provide Lenard’s with statistics that we can use to analyse and improve our web site.
Lenard’s will inform you, whenever possible, when it collects personal information about you.
When the National Privacy Principles do not apply
The National Privacy Principles do not apply to:
- Current or former employment relationships between Lenard’s and any of its related companies and any employee; or
- Employee records.
Lenard’s does not collect Sensitive Information. Sensitive Information, as defined in the Privacy Act 1988, means information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record.
Use and Disclosure of Personal Information
Unless you have instructed us not to do so, personal information may be shared with related companies within the Lenard’s group, where it will remain confidential. Our goal is to use the information provided to better understand the requirements of our customers, franchisees and suppliers and thereby improve the products and services that we provide.
Lenard’s undertakes not to sell, rent or trade your personal information.
We will not disclose personal information about you unless:
- The disclosure is required by law;
- The disclosure is authorised by law; or
- You have consented to our disclosing the information about you.
In obtaining your consent to disclose personal information about you we will require you to “opt in” to that disclosure. We will therefore assume that you do not consent to any disclosure unless you tell us that you do consent.
Lenard’s takes its obligations to protect personal information very seriously and we make every effort to deal only with ethical suppliers who share and demonstrate this same attitude.
Lenard’s currently collects personal information from customers only in the course of conducting promotional activities and competitions. The collection of personal information is necessary to correctly identify the winner of any competition. It is Lenard’s practice to destroy, in a secure manner, all personal information collected in this manner as soon as possible after the completion of the promotion or competition. We are obliged by law to keep information collected during competitions for a period of up to seven years. Material kept for this reason is not kept in a manner that is readily accessible.
Lenard’s collects personal information from franchisees and prospective franchisees as part of the process of assessing new franchisees. Personal information about franchisees is also collected to facilitate the efficient operation of Lenard’s business. Personal information collected for these purposes is subject to the same disclosure requirements detailed above. Personal information collected in this manner may be used for generally accepted business purposes.
Personal Information quality
Our goal is to ensure that any personal information that we hold is complete, accurate and up to date. To assist us with this, please contact us if any of the details you have provided change. Further, if you believe that any of the information we have about you is not accurate, complete or up to date, contact us and we will use all reasonable effort to correct the information.
Personal Information security
Lenard’s is committed to keeping the data you provide to us secure and we will take all reasonable precautions to protect your personally identifiable information from loss, misuse or alteration.
Lenard’s allows access to personal information only to authorised employees who require access to that information to properly perform their duties, and to the relevant franchisee (where necessary) to resolve customer complaints.
Identification of Personal Information
Lenard’s does not collect or use in any way identification numbers or references that have been assigned to you by other organisations (for example a Medicare number) to uniquely identify individuals other than an ABN (as defined in the A New Tax System (Australian Business Number) Act 1999).
Access to Personal Information
You can request us to provide you with access to the personal information we hold about you. If we are able to, we will provide you with access. We will provide access to all personal information about you that we hold.
To access your personal information you will have to request access in writing and provide to Lenard’s satisfactory evidence that you are entitled to access that personal information.
We aim to acknowledge any request for access to personal information as soon as possible, but at least within 14 days. Access to your personal information will be provided wherever possible within 30 days of your request.
Lenard’s may require payment of its costs in retrieving personal information. Any charges will be calculated according to the actual cost to Lenard’s of retrieving that personal information.
In considering any request for access to personal information Lenard’s may decline to provide access for any of the reasons listed in National Privacy Principle 6.1.
Cookies
A “cookie” is a packet of information that allows the server (the computer that houses the web site) to identify and interact more effectively with your computer.
When you use our web site, we send you a temporary cookie that gives you a unique identification number. A different identification number is sent each time you use our web site. Cookies do not identify individual users, although they do identify a user’s browser type and your Internet Service Provider.
To evaluate the effectiveness of our web site advertising, we may use third parties to collect statistical data. No personal data will be collected on these occasions.
You can configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. Please refer to your browser instructions or help screens to learn more about these functions.
At the end of your interaction with our web site, the cookie “crumbles”. This means it no longer exists on your computer and therefore it cannot be used for further identification or access to your computer.
Changes to this Statement
Lenard’s may make changes to this Privacy Statement from time to time for any reason. We will publish any amended Privacy Statement on our web site.
This Privacy Statement was last amended on 1 November 2001.
Contact us about privacy
If you would like further information regarding this Privacy Statement or if you think we have breached any aspect of this Privacy Statement, please contact us by:
Telephone: +61 7 3100 7800
Facsimile: +61 7 3100 7888
Post: PO Box 5630
WEST END QLD 4101
Complaints about privacy
If you have any complaint about the way that Lenard’s has handled your personal information you should contact us in the first instance to discuss your concerns.
Lenard’s have appointed our Food Safety and Quality Manager to investigate complaints about how we have handled your personal information. The Food Safety and Quality Manager will investigate your complaint initially by way of a telephone discussion with you and, if necessary, by you providing any written material to the Food Safety and Quality Manager to allow for a proper investigation. The Food Safety and Quality Manager will provide a written response to your complaint, within 28 days of the complaint if possible.
At any stage you may contact the Australian Privacy Commissioner about your complaint.
Contact the Australian Privacy Commissioner
The Australian Privacy Commissioner can be contacted by:
Telephone: 1300 363 992
Post: GPO Box 5218
SYDNEY NSW 1042
Facsimile: +61 2 9284 9666
National Privacy Principles
1 Collection
1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.
1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.
1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
2 Use and disclosure
2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
(i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and
(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and
(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and
(iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and
(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or
(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:
(i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and
(iii) in the case of disclosure, the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or
(e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:
(i) a serious and imminent threat to an individual’s life, health or safety; or
(ii) a serious threat to public health or public safety; or
(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(g) the use or disclosure is required or authorised by or under law; or
(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
Note 1: It is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions in the performance of their functions.
Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.
Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.
2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.
2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.
2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:
(a) the individual:
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) physically cannot communicate consent to the disclosure; and
(b) a natural person (the carer) providing the health service for the organisation is satisfied that either:
(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(c) the disclosure is not contrary to any wish:
(i) expressed by the individual before the individual became unable to give or communicate consent; and
(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and
(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).
2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:
(a) a parent of the individual; or
(b) a child or sibling of the individual and at least 18 years old; or
(c) a spouse or de facto spouse of the individual; or
(d) a relative of the individual, at least 18 years old and a member of the individual’s household; or
(e) a guardian of the individual; or
(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or
(g) a person who has an intimate personal relationship with the individual; or
(h) a person nominated by the individual to be contacted in case of emergency.
2.6 In subclause 2.5:
- child of an individual includes an adopted child, a step-child and a foster-child, of the individual.
- parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.
- relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.
- sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.
3 Data quality
An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.
4 Data security
4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.
5 Openness
5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.
5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
6 Access and correction
6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:
(a) in the case of personal information other than health information, providing access would pose a serious and imminent threat to the life or health of any individual; or
(b) in the case of health information, providing access would pose a serious threat to the life or health of any individual; or
(c) providing access would have an unreasonable impact upon the privacy of other individuals; or
(d) the request for access is frivolous or vexatious; or
(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or
(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(g) providing access would be unlawful; or
(h) denying access is required or authorised by or under law; or
(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(j) providing access would be likely to prejudice:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of the public revenue; or
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;
by or on behalf of an enforcement body; or
(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.
6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 If an organisation charges for providing access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a request for access.
6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date.
6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date, the organisation must take reasonable steps to do so.
6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.
7 Identifiers
7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:
(a) an agency; or
(b) an agent of an agency acting in its capacity as agent; or
(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.
7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).
7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:
(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or
(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or
(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsection 100(2).
7.3 In this clause:
identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.
8 Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
9 Transborder data flows
An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
10 Sensitive information
10.1 An organisation must not collect sensitive information about an individual unless:
(a) the individual has consented; or
(b) the collection is required by law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(d) if the information is collected in the course of the activities of a non-profit organisation, the following conditions are satisfied:
(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;
(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or
(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:
(a) the information is necessary to provide a health service to the individual; and
(b) the information is collected:
(i) as required by law (other than this Act); or
(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:
(a) the collection is necessary for any of the following purposes:
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public safety;
(iii) the management, funding or monitoring of a health service; and
(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and
(c) it is impracticable for the organisation to seek the individual’s consent to the collection; and
(d) the information is collected:
(i) as required by law (other than this Act); or
(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or
(iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.
10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.
10.5 In this clause:
non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.