Privacy Policy

Privacy

Spotto Traffic Control is committed to maintaining the privacy and confidentiality of its personnel information collected from customers, employees, contractors and stakeholders. Spotto Traffic Control complies with the Privacy Act 1988 (Cth) including the 13 Australian Privacy Principles (APPs) as outlined in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). Providing an overall framework for our privacy practices, Spotto Traffic Control has developed and implemented this APP Privacy Policy.

This policy is designed to maintain requirements with additional state jurisdictional requirements including:

Information Privacy Act 2014 (ACT);
Workplace Surveillance Act 2005 (NSW)
Privacy and Personal
Information Protection Act 1998 (NSW);
Information Act 2003 (NT);
Information Privacy Act 2009(QLD);
Information Privacy Act 2000 (VIC); and
Personal Information Protection Act 2004 (TAS).

Spotto Traffic Control handles personal information with openness and transparency. This commitment is reflected in the practices, procedures, and systems outlined in this policy, which are designed to ensure compliance with the Australian Privacy Principles (APPs) and any applicable registered APP code. These measures also provide clear processes for Spotto Traffic Control personnel to manage inquiries and complaints related to privacy matters as they arise.

Australian Privacy Principles

Australian Privacy Principle 1 – Open and transparent management of personal information

Purposes for information collection, retention, use and disclosure.

Spotto Traffic Control maintains records of personal information for all individuals involved in any form of business activity with the company.

Spotto Traffic Control is required to collect, store, use, and disclose information from clients and stakeholders for various purposes, including but not limited to:

Delivering services to clients
Managing employees and contractors
Marketing and promoting our products and services
Carrying out internal business operations and activities
Meeting the needs and obligations of stakeholders

Kinds of personal information collected and held

The following types of personal information are generally collected, depending on the need for services delivery:

Contact details;
Employment details;
Educational background;
Demographic Information;
Financial billing information.

The following types of sensitive information may also be collected, held or sighted:

Identity details;
Employee details & HR information;
Complaint or issue information;
Disability status & other individual needs;
Indigenous status;

How personal information is collected

Spotto Traffic Control typically collects personal information directly from the individuals involved. This may be done through various means, including the use of physical forms (e.g., registration, enrolment, or service delivery records) as well as digital methods such as online enquiry forms, web portals, or internal operating systems.

Spotto Traffic Control does receive solicited and unsolicited information from third party sources in undertaking service delivery activities. This may include information from such entities as Governments (Commonwealth, State or Local) and Job Network Providers.

How personal information is held

Spotto Traffic Control’s usual approach to holding personal information always includes robust storage and security measures.

Information on collection is:

As soon as practical converted to electronic means;
Stored in secure, password protected systems, such as financial system, learning management system and student management system; and
Monitored for appropriate authorised use at all times.

Access to each system is restricted to authorised personnel only, with login credentials provided based on individual roles. System access is limited strictly to the functions and information necessary for the performance of their specific duties.
Spotto Traffic Control ICT systems are hosted internally with robust internal security to physical server locations and server systems access. Virus protection, backup procedures and ongoing access monitoring procedures are in place.

Cloud hosting refers to the use of third-party service providers to manage and maintain the infrastructure, data storage, and associated services on behalf of an organisation. In the context of monitoring for the appropriate and authorised use of personal information, cloud hosting allows Spotto Traffic Control to securely store data on remote servers, with access controlled and monitored by both the company and the provider. This setup ensures that only authorised personnel can access personal information, while also enabling real-time monitoring, data protection, system audits, and compliance with privacy and security requirements.

Paper-based records at Spotto Traffic Control are securely destroyed as soon as practicable, using approved shredding and destruction services. Personal information stored across various systems is connected via a unique identification number assigned to each individual by Spotto Traffic Control.

Retention and Destruction of Information

As part of its commitment to privacy and data protection, Spotto Traffic Control manages the retention and secure disposal of personal information in accordance with legal, regulatory, and operational requirements.

Personal information is retained only for as long as it is necessary to fulfil its intended purpose or to comply with applicable laws. Once information is no longer required, it is securely destroyed or de-identified.

Paper-based records are disposed of using secure shredding and destruction services.

Electronic records, if required, are permanently deleted from systems and backups in line with our data management protocols.

Where personal information is stored across systems, it is linked using a Spotto Traffic Control-assigned unique identification number to maintain consistency and reduce duplication.

These practices ensure that personal information is handled responsibly, minimising the risk of unauthorised access, misuse, or disclosure.

Accessing and seeking correction of personal information

Spotto Traffic Control confirms all individuals have a right to request access to their personal information held and to request its correction at any time subject to legal and operational requirements.

In order to request access to personal records, individuals are to contact:

Spotto Traffic Control Management by emailing office@spottotc.com.au

A number of third parties, other than the individual, may request access to an individual’s personal information. Such third parties may include Government Departments (Commonwealth, State or Local) and various other stakeholders.

In all cases where access is requested, Spotto Traffic Control ensures that:

Parties requesting access to personal information are robustly identified and verified.
Where legally possible, the individual to whom the information relates will be contacted to confirm consent (if consent has not been previously provided for the matter);
Only appropriately authorised parties, for valid purposes, will be provided access to the information

Complaints Regarding a Breach of the APPs or a Registered APP Code

If an individual believes that Spotto Traffic Control may have breached any of the Australian Privacy Principles (APPs) or a binding registered APP code, they are encouraged to refer to Spotto Traffic Control’s Complaints and Appeals Policy and Procedure for guidance on the steps that can be taken and how such concerns will be addressed.

Likely overseas disclosures

Spotto Traffic Control confirms that individuals’ personal information is not disclosed to overseas recipients, for any purpose.

Making our APP Privacy Policy available

Spotto Traffic Control provides our APP Privacy Policy available free of charge, with all information being publicly available from the Privacy link on our website at www.spottotrafficcontrol.com.au. This website information is designed to be accessible as per web publishing accessibility guidelines, to ensure access is available to individuals with special needs (such as individuals with a vision impairment).

In addition, this APP Privacy Policy is:
Prominently displayed at Spotto Traffic Control’s premises.
Included within our Employee Handbook.
Noted within the text or instructions at all information collection points (such as informing individuals during a telephone call of how the policy may be accessed, in cases where information collection is occurring); and
Available for distribution at no cost upon request and provided as soon as reasonably possible after the request is received, including in the specific format requested by the individual, were reasonably practicable.

In the unlikely event that the APP Privacy Policy cannot be provided in the specific format requested by an individual, Spotto Traffic Control will explain the circumstances to the requester and make every effort to offer an alternative, appropriate format to meet their needs.

Review and Update of this APP Privacy Policy

Spotto Traffic Control reviews this APP Privacy Policy:
On an ongoing basis, as suggestions or issues are raised and addressed, or as government required changes are identified.

As part of our internal audit processes, conducted at a minimum on an annual basis.
As a part of any external audit of our operations that may be conducted by various government agencies; and
As a component of each and every complaint investigation process where the compliant is related to a privacy matter.

Where this policy is updated, changes to the policy are widely communicated to stakeholders through internal personnel communications, meetings, training and documentation, and externally through publishing of the policy on Spotto Traffic Control’s website and other relevant documentation for clients.

Australian Privacy Principle 2 – Anonymity and Pseudonymity

Spotto Traffic Control offers individuals the option to remain anonymous or use a pseudonym when engaging with us on specific matters, where it is practical to do so. This includes allowing for anonymous interactions in situations such as general enquiries or instances where personal information is not necessary to fulfil the request.

Individuals may choose to interact with us using a name, term, or identifier other than their legal name, wherever feasible. This may include the use of generic email addresses that do not reveal their actual name or generic usernames when accessing public areas of our website or submitting enquiry forms.

Spotto Traffic Control only stores and links pseudonyms to individual personal information in cases where this is required for services delivery (such as system login information) or once the individual’s consent has been received.
Individuals are advised of their opportunity to deal with us anonymously or by pseudonym where these options are possible.

Requiring identification

Australian Privacy Principle 2 generally permits individuals to interact with an APP entity anonymously or using a pseudonym. However, this right may be limited where the entity is legally required or authorised to deal with identifiable individuals, or where it is impractical to provide services or support without knowing the individual’s identity.

Australian Privacy Principle 3 — Collection of solicited personal information

Spotto Traffic Control collects personal information only when it is reasonably necessary to carry out our business activities. Sensitive information is collected only with the individual’s consent, unless we are legally obligated to obtain it, as outlined earlier in this policy. All information is gathered through lawful and fair means. Wherever possible, we collect requested personal information directly from the individual, unless it is unreasonable or impracticable to do so.

Australian Privacy Principle 4 – Dealing with unsolicited personal information

From time to time, Spotto Traffic Control may receive unsolicited personal information. When this occurs, we promptly assess whether the information could have been lawfully collected for our business purposes. If it meets these criteria, we may retain, use, and disclose the information in accordance with the practices outlined in this policy.

If the information could not have been lawfully or appropriately collected, we will take immediate steps to destroy or de-identify it, unless we are legally required to retain it.

Australian Privacy Principle 5 – Notification of the collection of personal information

Whenever Spotto Traffic Control collects personal information about an individual, we take reasonable steps to notify them of the relevant details or otherwise ensure they are informed about the nature and purpose of the information being collected. This notification occurs at or before the time of collection, or as soon as practicable afterwards.

Our notifications to individuals on data collection include:

Spotto Traffic Control’s identity and contact details, including the position title, telephone number and email address of a contact who handles inquiries and requests relating to privacy matters.
The specific details and context of the collection, including the date, time, location, and method used, as well as whether the information was obtained from a third party—along with the name of that third party, if applicable.
If the collection is required or authorised by law, including the name of the Australian law or other legal agreement requiring the collection.
The purpose of collection, including any primary and secondary purposes.
The consequences for the individual if all or some personal information is not collected.
Other organisations or persons to which the information is usually disclosed, including naming those parties;
Whether we are likely to disclose the personal information to overseas recipients, and if so, the names of the recipients and the countries in which such recipients are located.
A link to this APP Privacy Policy on our website or explain how it may be accessed; and
Advice that this APP Privacy Policy contains information about how the individual may access and seek correction of the personal information held by us; and how to complain about a breach of the APPs, or any registered APP code, and how we will deal with such a complaint.

Where possible, we seek confirmation from the individual that they understand these details, which may be obtained through verbal confirmation during in-person discussions, signed declarations or acceptance of terms via website forms.

Collection from third parties

Where Spotto Traffic Control collects personal information from another organisation, we:

• Confirm whether the other organisation has provided the relevant notice to the individual; or

• Whether the individual was aware of these details at the time of collection; or

• If this has not occurred, we will undertake this notice to ensure the individual is fully informed of the information collection.

Australian Privacy Principle 6 – Use or disclosure of personal information

Spotto Traffic Control only uses or discloses personal information it holds about an individual for the particular primary purposes for which the information was collected, or secondary purposes in cases where:
• An individual consented to a secondary use or disclosure.
• An individual would reasonably expect the secondary use or disclosure, and that is directly related to the primary purpose of collection; or
• Using or disclosing the information if required or authorised by law.

Requirement to make a written note of use or disclosure for this secondary purpose

If Spotto Traffic Control uses or discloses personal information in accordance with an ‘enforcement related activity’ we will make a written note of the use or disclosure, including the following details:

The date of the use or disclosure.
Details of the personal information that was used or disclosed,
The enforcement body conducting the enforcement related activity,
If the organisation used the information, how the information was used by the organisation; and
The basis for our reasonable belief that we were required to disclose the information.

Australian Privacy Principle 7 – Direct marketing

Spotto Traffic Control does not use or disclose any personal information it holds about an individual for direct marketing purposes., unless:

The personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing; or
The personal information has been collected from a third party, or from the individual directly, but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing; and
We provide a simple method for the individual to request not to receive direct marketing communications (also known as ‘opting out’).

Each direct marketing communication from Spotto Traffic Control such as emails or text messages includes a clear and prominent statement informing individuals of their right to opt out of future communications, along with instructions on how to do so. Individuals may also request, at any time, that we do not use or disclose their personal information for direct marketing purposes, or for the purpose of facilitating direct marketing by third parties. We respond to such requests promptly and carry out any necessary actions at no cost to the individual.

We also, on request, notify an individual of our source of their personal information used or disclosed for the purpose of direct marketing unless it is unreasonable or impracticable to do so.

Australian Privacy Principle 8 – Cross-border disclosure of personal information

Before disclosing personal information about an individual to an overseas recipient, Spotto Traffic Control takes reasonable steps to ensure the recipient handles the information in a manner that does not breach any applicable privacy obligations.

Australian Privacy Principle 9 – Adoption, use or disclosure of government related identifiers

Spotto Traffic Control does not adopt, use or disclose a government related identifier related to an individual except:

In situations required by Australian law or other legal requirements.
Where reasonably necessary to verify the identity of the individual.
Where reasonably necessary to fulfil obligations to an agency or a State or Territory authority; or
As prescribed by regulations

Australian Privacy Principle 10 – Quality of personal information

Spotto Traffic Control takes all reasonable steps to ensure that the personal information it collects is accurate, current, and complete. Additionally, we make every effort to confirm that any personal information we use or disclose is accurate, up-to-date, complete, and relevant to the purpose for which it is being used or shared.

This is particularly important:

When we initially collect the personal information; and
When we use or disclose personal information.

We take measures to ensure that personal information is factually accurate. When the information reflects an opinion, we consider relevant facts and differing viewpoints to make a well-informed assessment, clearly identifying it as an opinion. Information is verified as current in relation to the specific point in time it pertains to.

Quality measures in place supporting these requirements include:

Internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information (including training personnel in these practices, procedures and systems);
Protocols that ensure personal information is collected and recorded in a consistent format, from a primary information source where possible.
Ensuring updated or new personal information is promptly added to relevant existing records.
Providing individuals with a simple means to review and update their information on an ongoing basis through our online portal.
Reminding individuals to update their personal information at critical services delivery points (such as completion) when we engage with the individual.
Contacting individuals to verify the quality of personal information where appropriate when it is about to be used or disclosed, particularly if there has been a lengthy period since collection; and
Checking that a third party, from whom personal information is collected, has implemented appropriate data quality practices, procedures and systems.

Australian Privacy Principle 11 — Security of personal information

Spotto Traffic Control actively assesses whether it is necessary to retain the personal information in its possession and takes appropriate measures to ensure its security. This includes taking reasonable steps to safeguard the information against misuse, interference, loss, and unauthorised access, alteration, or disclosure.

We destroy or de-identify personal information once it is no longer required for any lawful purpose for which it may be used or disclosed.

Access to Spotto Traffic Control offices and work areas is restricted to authorised personnel. Visitors must receive approval from relevant staff to enter the premises. Paper-based records are securely stored in designated areas with access limited to authorised individuals only.

Spotto Traffic Control conducts regular training sessions and distributes information bulletins to personnel on privacy-related matters, including the application of the Australian Privacy Principles (APPs) to our practices, procedures, and systems. Privacy training is also incorporated into our induction program for all new staff.

Spotto Traffic Control conducts regular internal audits, at least annually and as required, to assess the effectiveness and relevance of the security and access controls, procedures, and systems we have in place.

Australian Privacy Principle 12 - Access to personal information

When Spotto Traffic Control holds personal information about an individual, we provide access to that information upon request. In handling such requests, we:

Ensure through confirmation of identity that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf.
Respond to a request for access:
Within 14 calendar days, if access is refused, we will provide written notification outlining the reasons for the refusal and advising the individual of the available complaint resolution options; o
Within 30 calendar days, we provide access to the requested personal information in the format specified by the individual, were reasonably practicable.
Provide information access free of charge.

Australian Privacy Principle 13 – Correction of personal information

Spotto Traffic Control takes reasonable steps to correct any personal information we hold to ensure it is accurate, up-to-date, complete, relevant, and not misleading, considering the purpose for which the information is maintained.

Individual Requests

On an individual’s request, we

Correct personal information held; and
Notify any third parties of corrections made to personal information, if this information was previously provided to these parties.

In cases where we refuse to update personal information, we:

Give a written notice to the individual, including the reasons for the refusal and the complaint mechanisms available to the individual,
Upon request by the individual whose correction request has been refused, take reasonable steps to associate a statement with the personal information that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading.
Respond within 14 calendar days to these requests; and
Complete all actions free of charge.

We take reasonable steps to correct personal information in our records when we determine that it is inaccurate, outdated, incomplete, irrelevant, or misleading. This may come to our attention through the collection of updated details, notifications from third parties, or other sources.

Responsible Officer

The responsible officer for the implementation for this Policy and Procedure is the Chief Executive Officer.