Last Updated: June 2017
Crescendo Music is committed to protecting the privacy of individuals from whom we collect information. We are committed to the Privacy Act 1988 in the way we collect, use, secure and disclose personal information.
This policy applies to the following:
a) Crescendo Music staff and employees;
b) Organisations, companies or individuals contracted by Crescendo Music to perform a function or activity of Crescendo Music;
c) Any organisation, company or individual carrying out outsourced work on behalf of Crescendo Music.
1. Personal Information
1.1 For the purposes of this policy, personal information is defined to be:
a) Information or an opinion that is recorded in any form, about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Even if the information or opinion is not true, it could still be classified as personal information if an individual can be readily identified from it.
b) This includes, but is not limited to:
b. Postal address;
c. Telephone/Mobile Number;
d. Email Address;
f. CCTV Footage;
g. Date of Birth;
h. Financial Details;
i. Medical information;
j. Employment History;
k. Study History;
m. Login details.
2. Collection of Data
2.1 Crescendo Music will only collect information when the information is absolutely necessary for Crescendo Music’s functions or activities.
2.2 The following considerations must be made prior to the collection of information:
a) is the collection necessary for one or more of Crescendo Music’s functions or activities;
b) is the function or activity able to be performed without requiring the collection of that personal information;
c) can the information be requested in a simplified or less intrusive manner, and still have the function or activity performed to the same capacity; and
d) what the consequences would be of an individual’s failure to provide specific personal information that would be requested of them.
2.3 If the criteria outlined in section 2.2 are fulfilled, and it is deemed necessary to collect personal information, the amount of information collected should be limited to what is absolutely necessary to carry out the function or activity.
2.4 If information is being collected that is not necessary to carry out the function or activity, the individual must be made aware that it is not mandatory to supply that information. The decision of an individual to withhold providing non-essential information must not be held against them in any way.
2.5 Crescendo Music must collect personal information only by lawful and fair means and with the consent of the individual whose information is being collected.
2.6 At or before the time Crescendo Music collects personal information from an individual (or, if that is not practicable, as soon as practicable after), Crescendo Music must take reasonable steps to ensure that the individual is aware of:
a) the identity of the organisation collecting the information (that is, Crescendo Music) and how to contact it; and
b) the fact that the individual can gain access to the information; and
c) the purposes for which the information is collected; and
d) the organisations or kinds of organisations to whom Crescendo Music usually discloses information of that kind;
e) any law that requires the particular information to be collected; and
f) the main consequences (if any) for the individual if all or part of the information is not provided; and
2.7 Individuals must be made aware of the consequences to them if they don’t provide their personal information to Crescendo Music.
2.8 If it is reasonable and practicable to do so, Crescendo Music must collect personal information about an individual only from that individual.
2.9 If Crescendo Music collects personal information about any individual(s) from someone else (e.g. a marketing “list”), it must take reasonable steps to ensure that the individual(s) is or has been made aware of the matters listed above, and has provided a form of consent to the fact that their information may be passed on to third parties for marketing purposes. Any planned purchase of marketing lists must be reviewed by the Governance and Strategy team before being completed.
2.10 If Crescendo Music wishes to monitor telephone calls for business improvement purposes (e.g. in the Ticketing call centre) the customer must be made aware prior to the telephone call taking place that the call will be monitored. Any staff that will be involved in these telephone calls must be made aware that some of their calls may be monitored.
2.11 When collecting personal information, whether online, in person or otherwise, a statement must be given outlining the specific reasons for the collection of the information and who will be able to access it. This statement must outline the following:
a) The purpose the information is being collected for;
b) The consequences to the individual if the information is not provided;
c) To whom (or to which organisations) the information may be disclosed;
3. Use and Disclosure
General use and disclosure
3.1 Crescendo Music may use or disclose personal information for the purposes for which it was collected (referred to as “primary purposes”).
3.2 Crescendo Music must not use or disclose personal information about an individual for a purpose other than the primary purpose (that is, for a secondary purpose) unless:
a) the secondary purpose is related to a primary purpose; OR
b) the individual has consented to the use or disclosure; OR
c) Crescendo Music has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; OR
d) the use or disclosure is required or authorised by or under law.
3.3 It can be very difficult to determine what secondary uses or disclosures are permitted; therefore, the Privacy Officer must be consulted prior to using or disclosing personal information outside of a primary purpose, or where the individual has not otherwise consented to the use and disclosure of the information.
Disclosure to third parties
3.4 An individual should be provided with the opportunity to “opt out” of having their details disclosed to a third party, except in the cases where that disclosure is to a third party who carries out an activity on behalf of Crescendo Music which is related to the primary purpose of collection, e.g. contractors, agencies.
3.5 Only the personal information necessary for the third party to perform their stated activity should be disclosed.
3.6 It is important that Crescendo Music ensures any third parties it discloses personal information to are contractually obliged to handle that personal information in an appropriate manner.
Disclosure to law enforcement agencies
3.7 If a law enforcement agency requests personal information, the request must be passed to the Privacy Officer for processing.
Disclosure in emergency situations
3.8 In an emergency situation, personal information may be disclosed to a third party if it is reasonably believed that disclosure is necessary to lessen or prevent either of the following:
a) A serious and imminent threat to an individual’s life, health, safety or welfare; or
b) A serious threat to public health, safety or welfare.
3.9 Personal information collected from an individual must not be used for direct marketing purposes, unless the individual has consented to this use.
3.10 Personal information about individuals held by Crescendo Music must never be sold to another party, or disclosed to a third party who is known to be in the business of on-selling customer lists.
3.11 Additionally, personal information must not be disclosed to third parties for them to use for direct marketing purposes unless the individual has consented to this use and disclosure.
3.12 Obtaining consent for direct marketing from Crescendo Music must not be bundled with obtaining consent for another use or disclosure, or with consent to disclosure to another party for them to use for direct marketing purposes. Individuals should have the freedom to provide their personal information for a primary purpose, without having to agree to their information being used for direct marketing purposes, or without having the choice of who they consent to receiving direct marketing from.
3.13 See section 2.11 of this policy for guidance on the purchase of marketing “lists”.
4. Data Quality
4.1 Crescendo Music must take reasonable steps to ensure that the personal information it collects, uses and discloses is accurate and up to date.
• While Crescendo Music will take reasonable steps to ensure that all information is up to date, individuals who have ongoing contact or work with Crescendo Music should inform the company if their details change.
4.2 When collecting personal information, where possible confirm with the individual that that information has been recorded correctly.
4.3 If an individual notifies Crescendo Music of any changes to their personal information, or preferences in terms of how that information is used, those changes must be processed and entered into all databases where their information is held as soon as possible after the notification is received.
4.4 If information is to be used after the time it was collected, consideration should be given to the accuracy of the information and the impact on the individual if it is inaccurate. If inaccurate information could have an adverse impact on the individual, then steps should be taken to verify the accuracy and completeness of the information before it is used.
4.5 If personal information is being transferred from one location to another, e.g. from hard copy to soft copy, or from one database to another, checks must be made to ensure the data is transferred completely and accurately.
5. Data Security
5.1 Crescendo Music must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure, in line with Crescendo Music’s Information Security Policy.
5.2 Crescendo Music must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
Access to Personal Information
5.3 Only staff members who require access to personal information to carry out their specified job role should have access to that information, whether that be access to, or within an Information System, or physical access to hard copy information.
Storage of Personal Information
5.4 Personal information held in a hard copy format must be filed and held securely within locked offices or filing cabinets.
5.5 Personal information must never be taken from the system or location it is stored within, other than to use that information in accordance with this policy.
5.6 The security of all systems that hold personal information must be assessed when the system is installed and reassessed on a regular basis thereafter. Access security settings must ensure that only staff who need access can access personal information stored within the system.
5.7 Personal Information must never be stored on USB storage devices, CDs or other portable data storage devices, e.g. external hard drives, iPods or MP3 players.
Transmission of Personal Information
5.8 Appropriate precautions should be taken when emailing personal information and information should only be emailed when absolutely necessary.
5.9 If personal information needs to be emailed, care should be taken to ensure email addresses are correct, that an indication is given in the email that it contains personal information, and that copies are not sent or forwarded to people who do not need that information.
5.10 Email addresses themselves can be personal information, and therefore care should be taken when disclosing them within an email. When sending group emails, the “BCC” (blind carbon copy) function should be used when including multiple recipients who are not Crescendo Music employees or contracted individuals, and when the other recipients on the email do not need to know they were included in the communication.
5.11 Faxes containing personal information should only be sent when that information cannot be transmitted by any other method. If a fax must be sent then the confirmation page must be removed from the fax machine and receipt of the fax should be confirmed with the recipient.
Destruction or de-identification of Personal Information
5.12 Where personal information is no longer required for a purpose for which it can be used under the Privacy Act 1988, and it neither constitutes a Public Record (refer to the Public Records Act 1973) nor is required to be retained under any other piece of legislation, it should be de-identified or destroyed. Hard copy information must always be shredded.
5.13 A significant amount of information held by Crescendo Music will constitute a Public Record. Therefore please contact the Governance and Strategy team for advice before destroying or de-identifying any personal information.
Payment card data
5.14 Any storage, processing, transfer or purging of payment card data at Crescendo Music must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). All procurements of new systems that process, store or transfer payment card data must be reviewed by the Governance and Strategy team prior to implementation.
6. Access and correction
6.1 When requested by an individual, Crescendo Music must allow the individual access to all the information which the company holds about that individual, unless:
a) providing access would pose a serious and imminent threat to the life or health of any individual;
b) providing access would have an unreasonable impact on the privacy of other individuals;
c) the request for access is frivolous or vexatious; or
d) the information relates to existing legal proceedings between Crescendo Music and the individual.
6.2 If an individual requests access to personal information held by Crescendo Music, Crescendo Music must:
a) provide access, or reasons for the denial of access; or
b) provide reasons for the delay in responding to the request for access to the personal information as soon as practicable, but no later than 45 days after receiving the request.
6.3 If Crescendo Music is not required to provide the individual with access to the information Crescendo Music must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 Where providing access would reveal evaluative information generated within Crescendo Music in connection with a commercially sensitive decision-making process, Crescendo Music may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
6.5 All requests for access to personal information must be forwarded to the Privacy Officer before access can be granted.
6.6 Crescendo Music may charge for providing access to personal information. If Crescendo Music charges for providing access to personal information, Crescendo Music:
a) must advise an individual who requests access to personal information that Crescendo Music will provide access on the payment of the prescribed fee; and
b) may refuse access to the personal information until the fee is paid.
6.7 If Crescendo Music holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, Crescendo Music must take reasonable steps to correct the information so that it is accurate, complete and up to date.
6.8 If an individual requests the correction of personal information held by Crescendo Music, Crescendo Music must:
a) correct the personal information, or provide reasons for the refusal to correct the personal information; or
b) provide reasons for the delay in responding to the request for the correction of personal information,
as soon as practicable, but no later than 45 days after receiving the request.
6.9 If the individual and Crescendo Music disagree about whether the information is accurate, complete and up to date, and the individual asks Crescendo Music to associate with the information a statement claiming that the information is not accurate, complete or up to date, Crescendo Music must take reasonable steps to do so.
6.10 Requests to update an individual’s name and contact details can be acted upon by anyone with authorised access to that information.
6.11 Requests to update any other form of personal information must be forwarded to the Privacy Officer.
7. Unique Identifiers
7.1 Unique identifiers, usually a number, are sometimes used to facilitate data matching for personal information. The use of unique identifiers is only permitted when Crescendo Music can demonstrate that the assignment of the unique identifier is necessary to carry out our functions efficiently. For information on how to manage unique identifiers assigned to personal information by third parties, consult the Governance and Strategy team.
8.2 Where it is lawful and reasonably practicable, an individual should have the option of not identifying themselves when transacting with Crescendo Music.
8.3 When requesting personal information from an individual, you must therefore consider why that information is required, and whether it is necessary to conduct that transaction.
8.4 In instances where the provision of the information is optional, this should be made clear to the individual concerned.
9. Sensitive Information
9.1 Sensitive information about an individual must not be collected unless:
a) it is necessary to perform a Crescendo Music function or activity;
b) the information is collected directly from the individual themselves; and
c) the individual has consented.
9.2 If it cannot be proved that the sensitive information is necessary for a Crescendo Music function or activity, sensitive information must not be collected.
9.3 Information should only be collected for a specific purpose, which must be clearly identified and stated to the individual at the time of collection, and the amount of information collected should be limited to what is absolutely necessary to achieve that purpose.
9.4 The sensitive information collected must never be used for any other purpose outside the primary purpose of collection, without that individual’s consent.