Privacy Policy
1. Purpose of the Policy
This Privacy Policy applies to Bubbaroo Pty Ltd (ABN 60 113 520 255) trading as Cassey & Co and explains how Cassey & Co handles personal information.
Cassey & Co is bound by the Privacy Act 1988 (Cth) (“Privacy Act”), including any relevant privacy code registered under the Privacy Act. Cassey & Co is committed to complying with the Privacy Act in relation to all personal information we collect and committed to protecting the privacy of personal information obtained through its professional service operations.
The Privacy Act incorporates the Australian Privacy Principles (APPs) which set out how personal information must be treated. Disclosure of such information may be compelled by law (for example, under the Social Security Act 1991 (Cth)).
This Privacy Policy governs the Cassey & Co business and applies to any person for whom we currently hold, or may in the future collect, personal information (whether or not a client of Cassey & Co). This policy does not apply to matters which relate directly to the employee records of our current and former employees. In general terms, ‘personal information’ is information or opinions relating to a particular identifiable individual. Information or opinions are not personal information where they cannot be linked to a particular individual.
2. Acknowledgement of Cassey & Co’s Privacy Policy
By accessing the website you accept the terms of this Privacy Policy and you understand that this Privacy Policy applies to information provided to us whether via the website or through any other means. By using the Cassey & Co website, you acknowledge to have read and understood this Privacy Policy. This Privacy Policy does not extend your rights or Cassey & Co’s obligations beyond those defined by the Privacy Act 1988 (Cth) (“Privacy Act”).
By using the website and our professional services, you consent to the collection, storage, use and disclosure of your personal information in accordance with this Privacy Policy and as otherwise permitted under the Privacy Act.
Should there be any inconsistencies between this policy and the Privacy Act, this Privacy Policy shall be interpreted to give effect and comply with the Privacy Act.
The Cassey & Co website contains links to external websites. Cassey & Co is not responsible for the Privacy Policies of those other websites and Cassey & Co recommends that you should review the Privacy Policies of those other websites.
3. Collection of personal information
Cassey & Co collects personal information from clients, customers, employees, job applicants, contractors and other individuals. We collect and hold this information for our business purposes. The main types of personal information Cassey & Co collects and holds relate to:
• the contact details and organisational roles of our actual and prospective clients, suppliers, and other business contacts. Typically, this information includes names, addresses, telephone numbers, e-mail addresses and job titles;
• personal information collected in the course of providing products and services to our clients (for instance financial details if we are engaged to perform financial services, or credit information);
• personal information collected when individuals communicate with us (including via email);
• personal information collected from job applicants when they apply for a job with us and individual contractors when performing a role for us (in some instances this may include sensitive information such as health information if related to the role being applied for or being performed); and
• personal information collected from our employees during the course of carrying out our duties and activities as an employer (in some instances this may include sensitive information such as health information if related to the employee’s role).
• We collect most personal information directly from individuals when we deal with them. The personal information we collect may be provided in forms filled out by individuals, face-to-face meetings, email messages, telephone conversations, when you use our websites or our social media, or by third parties. If you contact us, we may keep a record of that contact.
• In some circumstances, we may take photographs or videos of individuals, such as at seminars or events we run, sponsor or are otherwise involved in.
• We may also collect personal information when it is provided to us by third parties, including our clients. This may include personal information contained in materials provided to us in the course of providing services to our clients. When this occurs, we rely on the person providing us with that personal information having the right to do so.
• Due to the nature of our business, it is generally impracticable for us to deal with individuals on an anonymous basis or through the use of a pseudonym, although sometimes this is possible (for example, when seeking staff or client feedback generally).
4. How we use personal information
The main purpose for which Cassey & Co collect, hold and use personal information are:
• to provide its professional services;
• to maintain contact with clients;
• to keep clients and contacts informed of the services that Cassey & Co offers and of any current developments and updates such as changes of business hours;
• for recruitment purposes;
• for administration and management purposes;
• to provide users with information about other services that Cassey & Co offers and that may be relevant to the user;
• other purposes that are related to Cassey & Co’s business; and
• where required or permitted by law, regulation, rule or professional standard.
If Cassey & Co collects, holds or uses personal information in ways other than as stated in this Privacy Policy, Cassey & Co will ensure to collect, hold or use personal information under the requirements of the Privacy Act.
Employee records are not generally subject to the Privacy Act and therefore this policy may not apply to the handling of information about employees of Cassey & Co.
5. Unsolicited Information
“Unsolicited” personal information is personal information about an individual that Cassey & Co has unintentionally received. This is not a common occurrence for Cassey & Co but when it does occur, Cassey & Co will seek to ensure to protect such personal information with same rigor to those personal information that Cassey & Co intended to collect.
6. Disclosure of Personal Information
Cassey & Co does not routinely disclose personal information to any third party unless:
• use or disclosure is permitted by this policy;
• we believe it is necessary to do so in connection with a product or service we are providing (or, in the case of a partner, employee or contractor of Cassey & Co, it is necessary for maintaining or related to your role at Cassey & Co);
• to protect the rights, property or personal safety of any member of the public or a customer of Cassey & Co or the interests of Cassey & Co;
• you give your consent; or
• such disclosure is otherwise required or permitted by law, regulation, rule or professional standard.
We may also share non-personal or de-identified information for research or promotional purposes. We do not sell personal information to third parties.
Cassey & Co uses a range of third-party providers to help us maximise the quality and efficiency of our services and our business operations (including internal business requirements, such as recruitment and human capital requirements). This means that individuals and organisations outside of Cassey & Co will sometimes have access to personal information held by us and may collect or use it from or on behalf of Cassey & Co. This may include, but is not limited to, independent contractors and consultants, mail houses, off-site security storage providers, information technology providers, event managers, credit managers and debt collection agencies.
7. Disclosure of information outside Australia
Cassey & Co’s Administration, BAS Agent, Business improvement & Bookkeeping operations may occur overseas we may also use overseas facilities or contractors to process, store or backup our information or to provide certain products or services to us. We take care to ensure that other third parties outside Australia to whom we disclose personal information are subject to appropriate restrictions on their handling of that personal information. Due to differences in foreign laws however, these restrictions may not be substantially similar to those required under the Australian Privacy Principles, and the Privacy Act (including mechanisms entitling you to seek redress) may not apply.
Any such disclosure of personal information does not change any of our commitments to safeguard your privacy, and the information remains subject to any existing confidentiality obligations.
8. Accessing your personal information
Users have the right to request access to the personal information that Cassey & Co holds about such user. This right is subject to certain exceptions allowed by law.
Upon your request and subject to applicable privacy laws, Cassey & Co will provide you with access to your personal information that is held by Cassey & Co. You must thoroughly identify the types of information you are requesting. Cassey & Co will deal with your request within a reasonable time – usually within 21 days from the date of the request. Cassey & Co may also recover from you any reasonable costs incurred in supplying you with access to your personal information.
9. Exceptions under Law
You do not have absolute right to access personal information. The law permits Cassey & Co to refuse your request to provide you with access to your personal information, such as circumstances where:
· access would be unlawful;
· access would pose a serious threat to the life or health of any individual;
· access would have an unreasonable impact on the privacy of others; and
· access may prejudice enforcement activities, a security function or commercial negotiations.
10. Information Security
Cassey & Co will take all reasonable steps to protect against the loss, alteration and/or misuse of any personal information under Cassey & Co’s control. Cassey & Co is committed to maintaining your trust by protecting your personal information.
Cassey & Co employs the most appropriate technical, administrative and physical procedures to protect the security of your personal information. Cassey & Co only keeps personal information for as long as it is required for business purposes or by the law.
11. Data retention
When you visit our website, our internet service provider may make a record of your visit and may record, amongst other things, matters such as your personal domain name (if relevant); and/or the time and date of your visit to our website; and/or your internet address. Usually, but not always, this information is applied for statistical purposes. When you visit the website, the server may attach a “cookie” to your computer’s memory. Your browser stores cookie messages in a text file and sends these back to our website each time the browser requests a page from the website. From time to time, we may use cookies to measure usage periods accurately, as well as to ascertain which areas of our website attract traffic. If you do not wish to receive cookies, you may be able to alter your browser settings accordingly. The website may link directly to websites operated by third parties (“third party sites”), which third party sites you acknowledge are not operated by us. We encourage you to review the Privacy Policy (if any) of any third party sites, especially because you agree that we are not responsible for the content or practices of those third party sites or their Privacy Policies regarding the collection, storage, use and disclosure of your personal information.
12. Cloud Computing Services & Storage
We use or may use international cloud computing services and storage providers. Access to such cloud service providers is encrypted (effectively, access can only be obtained through a secure username and password system - some of which require multi-factor authentication), so that data and the personal information contained in such services are protected from unauthorised access.
Countries in which such e-mail, calendar and contact data may be stored include (but are not limited to) Australia and the United States of America. We conduct due diligence on proposed cloud computing service providers, prior to engaging them and as part of this due diligence, we satisfy ourselves and accordingly reasonably believe that the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the personal information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information and also that there are mechanisms that you can access to take action to enforce that protection of the law or binding scheme. We also satisfy ourselves that we will possess effective control over the data. We also use the enterprise version of lastpass to restrict staff from knowing what the passwords are for the cloud based applications they are given access to. We have also locked down their access to CASSEY & CO’s IP address to prevent the staff from accessing any cloud services from outside the organisation.
13. Loss of personal information
Despite Cassey & Co’s effort to protect your personal information, there remains the possibility for a breach of security to occur. Following the recommendations set out by the Tax Practitioners Board, Cassey & Co has established a data breach response plan and will follow the steps outlined in the plan in the event of loss of personal information. The response plan outlines the following:
A data breach occurs when the personal information that Cassey & Co holds of their clients is lost, accessed by unauthorised people, disclosed outside due to malicious action (external and internal), human error and from certain unforeseen circumstances.
• Step 1: Report and Contain - Client and Australian Information Commissioner (OAIC)
• Step 2: Assessment of the breach
• Step 3: Notifying the breach
• Step 4: Reviewing and Documenting
15. Updating your information
It is important that the personal information or credit information that we hold about you is up-to-date. Cassey & Co will take all reasonable steps to ensure that all personal information held by Cassey & Co remains accurate. If you advised Cassey & Co of any change of details, Cassey & Co will amend your records accordingly. Where a third party disclosed your personal information, Cassey & Co will take all reasonable steps to notify the third party of any correction. Where Cassey & Co is unable to update your information, Cassey & Co will provide an explanation as to why the information cannot be corrected.
​
16. Privacy Enquiries
If you wish to make an enquiry about your personal information that Cassey & Co collected, used or held, or make a compliant because you believe that Cassey & Co may have breached the Australian Privacy Principles, you can:
· write to Cassey & Co at PO Box 320, Nedlands, Western Australia 6909; or
· call Cassey & Co on 0481 844 584
We will usually (but not always) grant you access to your personal information or credit information as soon as possible. To the extent permissible by law, we may deny access to personal information or credit information if: your request is impractical or unreasonable; providing you with access would have an unreasonable impact on the privacy of another person; providing you with access would pose a serious and imminent threat to the life or health of any person; providing you with access would mean that there is a possibility that we might compromise our professional duty or obligations; or there are other appropriately justified and/or legal grounds upon which to deny the request (such as for example, on the basis of any exemption or exemptions under the Privacy Act or, by way of a further example, where you are indebted to Cassey & Co and we retain a lien over your file until outstanding costs have been paid or appropriate arrangements have been made in respect of same).
If you are able to establish that personal information or credit information we hold is not accurate, complete and up-to-date, we will take reasonable steps to correct it so that it is accurate, complete and up-to-date, where it is appropriate to do so.Cassey & Co is committed to working with clients to obtain a fair resolution of any complaint or concern about privacy.
17. Privacy Complaints
If you wish to make a complaint about an alleged privacy breach, you should follow the following process:
1. The complaint must be first made to us in writing. We will have a reasonable time to respond to the complaint; and
2. In the unlikely event that the privacy issue cannot be resolved between us and yourself, you may take your complaint to the Office of the Australian Information Commissioner. You may complain about a breach of privacy by contacting us using the contact details below:
· Write to Cassey & Co at PO Box 320, Nedlands, Western Australia 6909; or
· Call Cassey & Co on 0481 844 584
18. Further information on privacy
You can obtain further general information about your privacy rights from the Office of the Australian Information Commissioner by:
• calling their Privacy Hotline on 1800 005 610;
• visiting their website;
• emailing them at info@oic.wa.gov.au; or
• writing to:
Office of the Information Commissioner
Albert Facey House
469 Wellington Street
PERTH WA 6000
19. Changes to this Privacy Policy
We may update, modify or remove this policy at any time without prior notice, with any updated version of our privacy policy being posted on our website. You should review this Privacy Policy regularly to ensure that you are at all times aware of any variations made to this Privacy Policy. You agree that you will be deemed to have consented to such variations of this Privacy Policy by your continued use of the website or our services following any such change or changes to our Privacy Policy being made. If you have any comments on the policy, please contact our privacy officer on the contact details detailed above.