Privacy Policy
Data Protection Notice
This Data Protection Notice (“Data Protection Notice”) sets out the basis which Cambridge JMD
Holdings Pte. Ltd. and its subsidiaries (including Cambridge RE Partners Pte. Ltd. (“CREP”) and Cambridge JMD Investment Management Pty Ltd (“CJMDIM”)), and the funds, and entities comprising the funds, managed by CREP and/or CJMDIM as set out in Attachment 1 (the “CREP Group”, “we”, “us”, or “our”) may collect, use, disclose or otherwise process personal data in accordance with both the Personal Data Protection Act 2012 of Singapore (“PDPA”), and the Privacy Act 1988 (Cth) of Australia (“Privacy Act”), as applicable.
​
Some privacy rights and obligations in Australia may differ from those in Singapore. In Schedule 1: Australian Privacy Policy Addendum (“Australia Addendum”), we have included information specific to the Privacy Act to supplement this Notice (i.e. the Data Protection Notice without the Australia Addendum) where there are differences between the Privacy Act and PDPA.
Personal Data
1. As used in this Data Protection Notice:
“customer” means an individual who (a) has contacted us through any means to find out more about any products or services we provide, or (b) may, or has, entered into a contract with us for or in relation to the supply of any products or services by us, or any business transactions with us; and
“personal data” means data, whether true or not, about an individual, which may include a customer, who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access.​
​
2. Other terms used in this Data Protection Notice shall have the meanings given to them in the PDPA (where the context so permits).
​
3. You may interact with us in a variety of different ways (including indirectly) and the types of personal data that we collect about you will depend on the type of dealings you have with us. Generally speaking, the kind of personal data we collect may include:​​
​
​
Type of Personal Data
What This Includes
How/When Do We Collect
This Information?
Personal and
contact details
This may include your:
− full name;
− address;
− telephone number;
− email address;
− date of birth;
− marital status; and/or
− gender
We may collect this information directly from you in person or:
− during our interactions with you;
− when you contact us via our online forms, email, phone or social media (including LinkedIn);
− when you apply for a position at a CREP Group entity; and/or
− when you otherwise interact with us on a commercial basis, including as a supplier to us.
Workplace
Information
This may include:
− details of your
employment history;
− information about your
education, qualifications
and certifications;
− your tax file number;
− your working eligibility rights;
− your suitability for the
role you are applying
for;
− details about your referees;
− health information and
incident reports (this may include sensitive information); and/or
− other information provided as part of our recruitment process.
We may collect this information through our recruitment process when you apply for a position with us, or otherwise during
your employment.
Background check
information
Including national police
check information (if applicable). This may include sensitive
information, such as if you have a criminal record.
We may collect this information directly from you through our recruitment process, when you apply for a position with us, or otherwise during your employment.
We may also collect this information:
− from third parties (for example,
verification providers, referees,
previous employers, or professional registration authorities); and/or
− from publicly available information (for example, court decisions)
Proof of identity
information
This may include:
− your driver’s licence;
− your nationality;
− your visa (if applicable);
− your tax file number; and/or
− other similar identity
information
We may collect this information directly from you if you are a job applicant or employee.
We may also collect this information about you indirectly from third parties, for example, our advisors assisting with the
management of your investments.
Transactional and
payment information
This may include:
− information about
investments that you
make or any transactions you
undertake as part of your relationship with us; and/or
− your bank account details.
We may collect this information:
− if you enter into, or propose to enter into, a transaction with us, including any investments; or
− during your employment with us.
Financial
information
This may include information about your:
− financial circumstances
and objectives;
− assets;
− income;
− liabilities and expenditure;
− bank account details
and transaction history; and/or
− investment preferences.
We may collect this information about you directly from you to provide you with our services.
We may also collect this information indirectly from third parties, including:
− your representatives, including your lawyers, financiers or other
authorised agents; or
− other third parties such as mortgage brokers and/or financial service providers.
Call recording /
CCTV information
This may include call recordings and CCTV footage.
We may collect call recording information from calls that you make to the CREP Group, noting that you will always be advised of the call recording in advance if applicable.
We may collect CCTV footage
of you in person, from CCTV surveillance systems that monitor our properties and premises, including our corporate offices and premises at which our investments are
located, when you enter such locations.
Property / Rental information
collected from you in person
This may include identity
documents (such as your
drivers licence), phone number, email address etc. (in addition to CCTV footage stated above).
We may collect personal information from you in person when you visit one of the premises our investments are located at.
This will include premises for which we are the landlord, and where you visit such premises for rental inspections.
Information required
to be collected by law
CREP Group may also hold
other kinds of personal data
as permitted or required by law.
We may collect this as required.
Publicly available information
Information that is publicly
available online, such as on
online forums, websites, and social media channels (for example, ASIC search results).
We may collect this directly from the publicly available source (e.g. the Land Titles Office, relevant State and Territory Valuers General, ASIC, ACRA, online
forums, websites, or social media
channels).
Other types of information
collected during our interactions
This may include information that you provide us so that
we can provide you with information regarding an investment and related services, or so that we can undertake
transactions or dealings with you.
We may collect this information directly from you:
− when you request information about an investment or related services;
− when you propose or actually enter into an agreement with us, for the CREP Group to manage investments on your behalf;
− if you post information to any of our social media sites, or interact with us on social media; and/or
− when you make an enquiry, provide feedback, or make a complaint (via phone, email or in person).
Company information
This may include:
− company information such as the company’s shareholder and/or director details;
− ACRA or ASIC search
results; and/or
− information about your
company’s employees,
contractors or suppliers.
We may collect this information:
− directly from you as part of our supplier onboarding process if you are a current or prospective supplier; or
− from publicly available sources such as ACRA and ASIC in the course of providing our services.
Online and digital
services information
This may include information (that is not always identifiable) about your:
− network and device information (such as your device ID, type and IP address);
− geo-location information;
− browsing information,
including information about how you interact with our website, what content you viewed and
your session duration;
− web form inputs such as
your name, address, email address and phone number;
− transaction data; and/or
− information collected from cookies and/or tracking pixels.
We may collect this information about you when you use our website, via use of online behavioural tracking technologies such as cookies and/or tracking pixels. For further information, please see
Attachment 2: Cookies, pixels and tracking technology.
Unsolicited
information
Unsolicited personal data is
personal data we receive
that we have taken no active steps to collect (for example, an employment application sent to us by an individual on their own
initiative, rather than in response to a job advertisement).
We may collect this information directly from you when you contact us. Please note that we may keep records of unsolicited personal data to the extent
that it is permitted by the Privacy Act (for example, if the information is reasonably
necessary for one or more of our
functions or activities).
If not, we will destroy or
de-identify the information as soon as practicable, provided
it is lawful and reasonable
to do so.
CREP Group may also collect other kinds of personal data that we notify you of at the time of collection.
Information about your health, racial or ethnic origin, political affiliations, criminal record and religious or philosophical beliefs are all examples of sensitive information. If we do need to collect sensitive information about you (for purposes of employment or otherwise), we will only do so with your consent or where we are required or permitted to do so by law.
Collection, Use And Disclosure Of Personal Data
4. We generally do not collect your personal data unless (a) it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes, or (b) collection and use of personal data without consent is permitted or required by the PDPA, the Privacy Act, or other applicable laws.
​
5. We may collect, use and disclose your personal data for any or all of the following purposes:
​
(a) performing obligations in the course of or in connection with our provision of the products, and/or services requested by you;
(b) verifying your identity;
(c) communicating with you, including by phone, email or mail, such as by responding to, handling, and processing queries, requests, applications, complaints, and feedback from you;
(d) managing your relationship with us;
(e) doing business with you, if you interact with us on a commercial basis (including if you are a service provider, contractor or supplier);
(f) managing your relationship with us as an employee or contractor, including during the recruitment process, to consider your suitability as a prospective employee or contractor, investigate incidents (including potential incidents) which occur on our premises and to collect, use and store your personal data for administration and
management purposes;
(g) processing payment or credit transactions;
(h) administering, managing and processing any transactions you enter into, or propose to enter into, with us, including the acquisition of your assets, any applicable payments, our billing and account purposes or otherwise;
(i) assisting with any business, share sale, or corporate restructure if we transfer or sell all or part of our assets or business, or if we undergo any kind of corporate restructure, acquisition or sale;
(j) keeping our records accurate, complete and up-to-date;
(k) complying with any applicable laws, regulations, codes of practice, guidelines, or rules,
or to assist in law enforcement and investigations conducted by any governmental
and/or regulatory authority;
(l) any other purposes for which you have provided the information;
(m) develop and improve the services we provide, including by obtaining your feedback regarding such services;
(n) managing and improving our operations, IT systems and business including through Artificial Intelligence, to conduct the general operation and management of CREP Group, train staff (including IT, development, legal and finance teams), test, train and develop our technology systems and services and administer our website and internal operations;
(o) for security purposes in connection with the use of CCTV to monitor and safeguard our properties, manage building operations, respond to incidents, consider compliance with contractual terms and conditions such as leases, support compliance with building regulations and workplace health and safety requirements and ensure the safety of our staff;
(p) transmitting to any unaffiliated third parties including our third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the aforementioned purposes; and
(q) any other incidental business purposes related to or in connection with the above.
​
6. In addition to the purposes listed above, CREP Group may use your personal data for other purposes which we notify you of when we collect your personal data and for purposes otherwise permitted or required by law.
7. We may disclose your personal data:
(a) to any member of the CREP Group;
(b) to contractors, service providers and other third parties who provide services to us, including technology service providers and administration service providers;
​
(c) where such disclosure is required for performing obligations in the course of or in connection with our provision of the products and services requested by you (including Know Your Customer (KYC) checks and Anti-money Laundering (AML) checks);
​
(d) to our professional advisors (including tax, legal or other corporate advisors), third party service providers (including corporate services providers and IT service providers), agents and other organisations we have engaged to perform any of the functions with reference to the above mentioned purposes;
​
(e) to government and regulatory authorities and other third parties if a law, regulation, search warrant, subpoena or court order legally requires or authorises us to do so; or to a third party, in the event of or in contemplation of a change in ownership of all or a part of us through some form of merger, purchase, sale, lease or amalgamation or other form of business combination, provided that the parties are bound by appropriate agreements or obligations which require them to use or disclose your personal data in
a manner consistent with the use and disclosure provisions of this Data Protection Notice, unless you indicate otherwise.
​
8. The purposes listed in the above paragraphs may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under a contract with you).
Deemed Consent By Notification
(THIS SECTION APPLIES TO SINGAPORE ENTITIES IN CREP GROUP AND/OR IN RELATION TO
PERSONAL DATA IN SINGAPORE ONLY.)
9. We may collect or use your personal data, or disclose existing personal data for secondary purposes that differ from the primary purpose which it had originally collected for pursuant to paragraphs 5 and 6. If we intend to rely on deemed consent by notification for such secondary purposes, we will notify you of the proposed collection, use or disclosure of his personal data through appropriate mode(s) of communication.
​
10. In particular, we may rely on deemed consent by notification to collect, use or disclose your personal data for the following purposes:
​
i. tax purposes (whether in Singapore, Australia or otherwise).
​
11. Before relying on deemed consent by notification, we will assess and determine that the collection, use and disclosure of the personal data will not likely have an adverse effect on you.
​
12. You will be given a reasonable period to inform us if you wish to opt-out of the collection, use and disclosure of your personal data for such purposes.
​
13. After the lapse of the opt-out period, you may notify us that you no longer wish to consent to the purposes for which your consent was deemed by notification by withdrawing your consent for the collection, use or disclosure of your personal data in relation to those purposes.
Reliance On The Legitimate Interests Exception
(THIS SECTION APPLIES TO SINGAPORE ENTITIES IN CREP GROUP AND/OR IN RELATION TO
PERSONAL DATA IN SINGAPORE ONLY.)
​
14. In compliance with the PDPA, we may collect, use or disclose your personal data without your
consent for the legitimate interests of the CREP Group or another person. In relying on the legitimate interests exception of the PDPA, the CREP Group will assess the likely adverse
​
15. effects on the individual and determine that the legitimate interests outweigh any adverse effect.
In line with the legitimate interests’ exception, we will collect, use or disclose your personal data for the following purposes:
a. fraud detection and prevention;
b. detection and prevention of misuse of services; and
c. network analysis to prevent fraud and financial crime, and perform credit analysis.
​
The purposes listed in this paragraph may continue to apply even in situations where your relationship
with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter.
Withdrawing Your Consent
(THIS SECTION APPLIES TO SINGAPORE ENTITIES IN CREP GROUP AND/OR IN RELATION TO
PERSONAL DATA IN SINGAPORE ONLY.)
​
16. The consent that you provide for the collection, use and disclosure of your personal data will
remain valid until such time it is being withdrawn by you in writing. You may withdraw consent
and request us to stop collecting, using and/or disclosing your personal data for any or all of
the purposes listed above by submitting your request in writing or via email to our Data
Protection Officer at the contact details provided below.
​
17. Upon receipt of your written request to withdraw your consent, we may require reasonable time
(depending on the complexity of the request and its impact on our relationship with you) for
your request to be processed and for us to notify you of the consequences of us acceding to
the same, including any legal consequences which may affect your rights and liabilities to us.
In general, we shall seek to process your request within fourteen (14) days of receiving it.
​
18. Whilst we respect your decision to withdraw your consent, please note that depending on the
nature and scope of your request, we may not be in a position to continue providing our products
or services to you and we shall, in such circumstances, notify you before completing the
processing of your request. Should you decide to cancel your withdrawal of consent, please
inform us in writing in the manner described in paragraph 16 above.
​
19. Please note that withdrawing consent does not affect our right to continue to collect, use and
disclose personal data where such collection, use and disclose without consent is permitted or
required under applicable laws
Access To And Correction Of
Personal Data
20. If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided in paragraph 27 below.
​
21. Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.
​
22. We will respond to your request as soon as reasonably possible. In general, our response will be within fourteen (14) days. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA or the Privacy Act, as the case may be).
Protection And Storage Of Personal Data
23. You should be aware that no method of transmission over the Internet or method of electronic
storage is completely secure. We cannot guarantee the security of your data during transmission. Any transmission is at your own risk. However, once we have received your information, we have procedures and security measures in place to try to prevent unauthorised access, collection, use, disclosure, or modification. Your personal data will be stored in databases held on servers located in a technologically secured environment, accessed only by authorised personnel or contractors (with login and password protection). We also maintaincomputer and network security, by using firewalls, anti-virus software and other security
systems to control access to our computer systems.
Retention Of Personal Data
(THIS SECTION APPLIES TO SINGAPORE ENTITIES IN CREP GROUP AND/OR IN RELATION TO
PERSONAL DATA IN SINGAPORE ONLY.)
​
24. We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.
​
25. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.
Transfers Of Personal Data Outside Of Singapore And Australia
We may transfer personal data to countries other than the country in which the data was originally collected. In other words, your personal data may be shared outside of the jurisdiction in which you are located. Where your information is processed or shared within the CREP Group or to any other recipients, your information data is likely to be transferred to or fromAustralia, Malaysia, Singapore, and Hong Kong for the purposes set out above.
Data Protection Officer And Regulators
27. You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:
Name of Data Protection Officer : Tan Tchia Hui Enoch
Contact No. : +65 6348 8908
Email Address : info@cambridgerepartners.com
28. If you are located in Australia, the Office of the Australian Information Commissioner can be
contacted by telephone on 1300 363 992, or you can fill out this form to make a complaint about
our handling of your personal data. Full contact details for the Office of the Australian
Information Commissioner can be found online at www.oaic.gov.au.
Effect Of Data Protection Notice And Changes To Data Protection Notice
29. This Data Protection Notice applies in conjunction with any other notices, contractual clauses
and consent clauses that apply in relation to the collection, use and disclosure of your personal
data by us, such as the privacy collection notices provided by us when you commence your
employment with us, or engage a CREP Group entity’s services or invest in a fund managed
by a CREP Group entity.
​
30. We review our policies and procedures regarding personal data from time to time, and may revise this Data Protection Notice with or without any prior notice to you. However, where we make a material change to this Data Protection Notice, we will update our website, and where appropriate, notify you directly). You may determine if any such revision has taken place by referring to the date on which this Notice or Australia Addendum was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
​
Effective date : 22 Dec 2025
Last updated : 22 Dec 2025
Attachment 1: Funds, And Entitles Comprising The Funds, Managed by CREP or CJMDIM
â–ª Cambridge Social Infrastructure Fund
â–ª CSIF Investments Pte. Ltd.
â–ª Cambridge Social Infrastructure Australia Trust
â–ª CSIF Australia Pty Ltd
â–ª Cambridge Green Square Trust
â–ª Cambridge Kingfisher Trust
â–ª Cambridge Kent Street Trust
â–ª AMEC En-Tech Fund
Attachment 2: Cookies, Pixels And Tracking Technology
CREP Group may collect statistical information when you access and use our website by utilising features and technologies of your internet browser and that built into our website infrastructure, including cookies and tracking pixels. We use these tracking technologies for a variety of purposes, including to:
​
− collect data about our website traffic;
− analyse how our website is being used;
− improve our website; and
− provide more user friendly and customised website and online services.
​
These features and technologies do not specifically identify you unless you otherwise provide personal
data to us that enables identification. As such, information collected through these tracking technologies
may be personal data.
​
Cookies
A ‘cookie’ is a small file stored on your computer’s browser, which helps us better understand our users
and assists us to deliver content via our websites. We collect certain information via cookies, such as
your device type, browser type, IP address, and pages you have accessed on our website. Below are the main types of cookies we use a combination of:
Type of Cookies
How We Use This Cookie
Session Cookies
Session cookies are used to track your movements from page to page.
These cookies are usually erased when you close your web browser.
Persistent Cookies
Persistent cookies are stored on your device between browser sessions for a pre-defined amount of time. These cookies allow the site to remember your information or settings across the site. These cookies also enable targeted advertising.
Functional Cookies
Functional cookies remember information such as usernames or language settings and may allow the site to display important alerts. These cookies are not considered necessary, and can be blocked by the user, although this may impact how the site functions.
First party Cookies
First-party cookies are small data files stored on your device by our website. These cookies help improve your experience by remembering your preferences, enabling essential website functions, and providing insights into how you interact with our site. They are set and managed directly by the website you are browsing, ensuring a personalised browsing experience
Necessary Cookies
Necessary cookies are either session or persistent cookies, and are used to perform functions such as storing data and remembering you between pages. Similar to session cookies, these cookies are necessary for a number of functional features on our website.
Tracking and
Social Cookies
Tracking and social cookies are either session or persistent cookies, but are not essential to the function of our website. These cookies help improve your experience by providing content relevant to you.
Tracking pixels
​
A tracking pixel is a piece of code that a business or third-party provider can place on its website or in
email to collect information about a user’s activity, including the site pages users visit, time spent on each page, IP address, and/or form inputs (as relevant). When users visit pages with pixels, the pixel “loads” and sends the information it is designed to collect back to the server. For example, in the case of third-party pixels, the information is sent to a third-party service provider.
​
Below are the main types of tracking pixels we may use a combination of:
Type of Pixel
How We Use These Pixels
Retargeting Pixels
These are coded to monitor specific actions you make, such as which pages you visit, how much time you spend on each page, or how far you scrolled down a page. These help us understand our users’ behaviour on our website.
Conversion Pixels
These are designed to track completed actions. When an action is completed it sends a signal back to the server. This data helps us understand how effective a particular webpage is at encouraging specific actions.
Analytical Pixels
These pixels collect a wide range of data, including page views, time spent on the site and visitor demographics
Opting out
​
If you do not wish to receive any cookies (other than those that are strictly necessary) you can change
your web browser preferences to control how the bowser deals with cookies. For example, depending
on which browser your device uses, you may be able to disable certain third-party cookies. Please note
that if you disable certain cookies, you may be unable to access certain pages or content on our website.
To change your web browser preferences, please visit the relevant preferences or settings page on
your browser and amend the privacy settings in relation to cookies and site data. It may be necessary
for you to opt out separately from each device and browser that you use to access online content.
We also use third-party service providers that may collect data related to your use of our online services
through a suite of tracking technologies, such as third-party cookies, tracking pixels and web beacons,
for analytic and/or marketing purposes.
These third party providers may update their policies and settings from time to time, so we encourage
you to review their terms and policies for more information on their data collection practices and options
available to you for managing your privacy. Please note that how these third parties handle and use
your data is governed by their own privacy policies, not ours.
In addition to opting out of cookies via your browser as described above, you can opt out of the following
third-party analytical tools we use via the instructions available at the links below:
Provider
Description
Meta Platforms
Inc
If you use Facebook, Instagram, Threads or any other platforms or networks owned or used by Meta, you can generally adjust your ‘ad preferences’ in the account settings of the respective platform that you access and see ads in.
Alphabet Inc
If you use YouTube, Google or any other platforms owned by Alphabet, you can manage how tracking technologies are used by checking your browser or account settings and adjusting your ‘privacy & safety’ and ‘search personalisation’ settings.
Schedule 1:
Australian Privacy Policy Addendum
Last updated: 22 Dec 2025
​
This Australia Addendum supplements the Notice and applies to the extent that the Australian Privacy
Act applies in relation to the handling of personal information by the CREP Group. In case of any inconsistency between this Australia Addendum and the rest of this Data Protection Notice, this Australia Addendum prevails.
​
The Data Protection Notice together with the Australia Addendum constitute our Privacy Policy for the purpose of Australian Privacy Principle 1.
Personal Information under
the Australian Privacy Act
In this Australia Addendum and the Data Protection Notice as it relates to the processing of personal information in Australia, “personal information” has the same meaning as “personal information” as
defined in the Australian Privacy Act.
​
“APP” refers to the Australian Privacy Principles contained in the Privacy Act.
Consent
Under the Australian Privacy Act, the requirements regarding consent are different from what is set out
in the Notice. For example, under the Australian Privacy Act, consent may be express or inferred and
is not required in order to collect personal information unless the information is sensitive and an
exception does not apply.
​
Deemed consent is not required under the Privacy Act for the use and disclosure of personal information
for a secondary purpose. CREP Group only uses and discloses your personal information for the
purpose for which it was collected, including related secondary purposes as permitted by the Privacy
Act and APP 6.
Can you deal with us without providing your personal information?
Where it is lawful and practicable, you will have the option of not providing your name, or using a fake
name, when you deal with us. This includes for example, when you submit an enquiry via our website.
​
However, in many circumstances we may need your real name as it may not be practicable for us to
deal with you anonymously or pseudonymously on an ongoing basis. For example, when you choose
to engage us to provide you with our services. This means that if we do not collect your personal
information, we may not be able to provide you with the products and/or services you have asked for.
Transfers of personal information outside of Singapore and Australia
Requirements for the transfer of personal information outside of Australia differ from those under the
PDPA. We will abide by the requirements of the Privacy Act where it applies.
Access Requests
Notwithstanding paragraph 20 of this Data Protection Notice, if you make an access request for the
purpose of APP 12, this is limited to personal information which we hold about you.
Complaints
If you have any questions or concerns about this Data Protection Notice, Australia Addendum or how
we have handled your personal information, you may contact us at any time using the relevant contact
details set out above in paragraphs 27 of the Data Protection Notice.
Please also contact us if you have a complaint about privacy. If you make a complaint about privacy,
the following will occur:
No.
Step
1.
We will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally acknowledge your complaint within a week.
2.
If your complaint requires more detailed consideration or investigation:
​
• we will acknowledge receipt of your complaint within a week and endeavour to
complete our investigation into your complaint promptly; and
​
• we may ask you to provide further information about your complaint and the
outcome you are seeking.
3.
We will then typically gather relevant facts, locate and review relevant documents
and speak with the individuals involved.
4.
In most cases, we will respond to your complaint within 30 days from when we receive
your complaint. If the matter is more complex or our investigation may take longer,
we will let you know.
If you are not satisfied with our response to a complaint, or you consider that we may have breached
the Privacy Act (including the Australian Privacy Principles), you are entitled to make a complaint to the
Office of the Australian Information Commissioner (the Australian privacy regulator). The contact details
of the Office of the Australian Information Commissioner are set out in paragraph 28 of the Data
Protection Notice.
Certain rights do not apply under the Privacy Act
Under the Australian Privacy Act, certain rights or statements set out in the Data Protection Notice do
not apply. Accordingly, our practices may vary to what is generally set out in the Data Protection
Notice, provided we look to comply with the Australian Privacy Act and the APPs.