Section A: Terms of Policy
Centennial Property Group (‘CPG’ or ‘the Group’, ‘we’ or ‘us’) is committed to ensuring the privacy and security of individuals’ personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth).
1. the kinds of personal information that we collect and hold;
2. how we collect and hold that personal information;
3. the purposes for which we collect, hold, use and disclose personal information;
4. how an individual may access personal information about them that we hold;
5. how an individual may seek the correction of such information;
6. how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds us;
7. how we will deal with such a complaint; and
8. whether we are likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries).
The Group’s main business activities are the management and operation of wholesale real property Schemes and wholesale mortgage Schemes.
Australian Privacy Principles (“APPs”) are part of the Privacy Act 1988 and regulate the way in which organisations may collect, use or disclose an individual’s Personal Information.
Personal information means information or an opinion (whether or not true, and whether nor not recorded) about an identified individual, or about an individual who is reasonably identifiable.
Personal information that relates to an individual’s own characteristics, beliefs or affiliations is known as ‘sensitive information’ and will only be collected with an individual’s consent or when it is required by law.
3. Collection of personal Information and how it is used
We collect personal information from individuals only to the extent this is necessary for us to comply with Australian law and perform functions associated with our business activities. We may share that information within our corporate group. While some contacts with us such as general enquiries may be made anonymously or by using a pseudonym, if the relationship is to progress any further (by you becoming a client or having a business relationship with us) it will be necessary for us to know who you are. Similarly, we cannot deal with complaints made anonymously or by pseudonym.
Complying with law
Australian anti-money laundering legislation requires us to obtain personal information about our Managed Investment Scheme customers, the sources of their Schemes, and their beneficial owners, some of which is used to verify their identity and to assess the risk of that customer being involved in money laundering or terrorism financing. We will also need customers to inform us about any changes to their personal information.
We obtain personal information about individuals through the following functions associated with our business activities:
For unitholders in any wholesale Schemes we operate from time to time: complying with maintaining the unit register, making calls on units, making payments of distributions or capital sums, maintaining records required by relevant anti-money laundering legislation, informing you of investment opportunities.
For potential investors: informing you of investment opportunities (see CONTACTING YOU below).
For contractors: tendering for jobs or projects with us, communicating about the progress of the job or project.
For jobseekers: communication about jobs available with us, checking information in your resume about your qualifications and work history, speaking to recruitment consultants, previous employers and personal referees, checking you have no criminal convictions. We may keep this information even if we do not employ you so as to contact you in the future if a suitable opportunity arises.
Our website may contain links to other websites for you to access. You should be aware that the privacy policies of the operators of those other sites may not be the same as ours and you should refer to their own privacy policies.
For persons who contact us by email: we may collect your email address, your name and (if shown in your email) the name of your employer and its or your postal address.
For tenants of our properties: We collect and use personal information about current tenants and prospective tenants to document contractual arrangements and manage relationships with tenants and to evaluate whether or not we will grant leases and ancillary contracts. We also use personal information to manage tenancies, to update our records in the ordinary course of our business of property ownership and management, to process and respond to any enquiry or complaint received, for security and risk management purposes (including incident investigation, loss prevention, claims management and litigation) and to comply with applicable legal requirements relating to tenants.
For visitors to CPG owned or managed properties: we may use CCTV to maintain the safety and security at properties we own or manage. We use CCTV recordings only to identify individuals for security, risk management, loss prevention and incident investigation. Recordings collected by CCTV may be provided to tenants, law enforcement bodies and insurers. If you are involved in an incident we may ask for medical information and information from other consultants and third parties.
4. Use and Disclosure of Personal Information
We will not make personal information about an individual that we have collected for business purposes available to anyone outside the Group except for our third party service providers, as instructed by that individual, or where required by or permitted by law.
Where we use third – party service providers, these service providers may have access to an individual’s personal information to perform contractually specified services – for example, the maintenance of unit registers or operation of our website. We contractually require that all personal information obtained and accessed by such providers be kept confidential and in accordance with the Australian Privacy Principles.
5. Current and former employees
Employee records are exempt from the Australian Privacy Principles and the Federal Privacy Act. However employees may have a right of access to certain employment records under state or Federal employment legislation. We are committed to keeping employment information confidential and secure.
6. How information is collected
We will collect personal information directly from the relevant individual, unless it is unreasonable or impracticable to do so (for example, in checking resume information) or unless it is appropriate for us to obtain independent checks of the information (for example in relation to whether a customer is a ‘politically exposed person’ or ‘PEP’ for the purposes of anti-money laundering legislation).
Methods of collection of personal information include: Emails and letters sent to us, including resumes; information that contractors give us as part of the tendering process; face to face meetings; interviews; business cards; telephone conversations, Managed Investment Scheme application forms; data bases.
We may also collect information about you from our agents, outsourced providers or other third parties, including:
• financial advisers
• security registrars and administrators
• suppliers, consultants and contractors
• potential, current and former employees and contractors
• potential, current and former tenants
7. What Information Is Collected
We may ask you for the following information, depending on our relationship with you:
• Your name, gender, phone numbers, postal and residential addresses and email address
• Your bank account details
• Your professional experience and qualifications
• If you are acting on behalf of your employer, your job title, employer’s name and contact information
• For consultants or subcontractors, we may also collect additional information such as your ABN, professional and/or public liability insurance details
• For job applicants only: citizenship, any visa details, and possibly also membership of professional organisations and former employer or referee contact details
• For customers of our managed investment schemes who are individuals or who have beneficial owners who are individuals: their full name, date of birth, residential address, PEP status (and name of any related PEP) and, if a sole trader, full business name, ABN and full address of principal place of business, together with certified copies of photographic identity documents (driver’s licence or passport) or non-photographic identity documents and Medicare or tax file number;
• For injury claimants, information about the nature of the injury and related medical information. This may be sensitive information.
Where clients are corporations, they may provide us with personal information about their directors or different contact persons within that corporation including name, job title, and contact information. We may also need to enquire if any director is a PEP.
Where a consultant or subcontractor is a corporation we may also collect additional information about their directors, managers, or contact persons which could include names, job titles, business and personal addresses and phone numbers.
We may also receive personal information (which may be sensitive information) from you in job interviews or telephone conversations and from your referees or from our own researches, including to verify your citizenship, visa details, qualifications, references and other information that you give us.
8. Where a third party gives us information
Should a third party give us unsolicited personal information about an individual, we will within a reasonable period determine whether or not we could have collected the information directly and, if not, we will take reasonable steps to destroy or de-identify that information unless the law otherwise requires.
Individuals have the right to ask us to let them know the source of the personal information we hold about them. So long as a response is not impracticable or unreasonable, we will reply to all queries within a reasonable period without cost to the individual.
9. Collection Notices
When we collect personal information from an individual, or obtain personal information about them, we will give the individual a collection notice, specific to that collection.
10. Contacting You
From time to time, we may use your personal information to tell current customers or potential investors about CPG products and services we think you may want to receive. Where we do this electronically, we will comply with the Spam Act 2003 (that is, send communications only with the express consent of the recipient, or consent inferred from an existing relationship, which identifies the sender, and which includes an ‘unsubscribe’ mechanism). If you do not want to receive electronic or other marketing messages you may ask us not to send you direct marketing by following the unsubscribe instructions on our communications or by contacting us using the details set out in the communication and we will comply as soon as reasonably practicable.
12. Overseas Individuals and Recipients
Customers located overseas may have additional privacy rights that apply under local law, such as the European Union General Data Protection Regulation.
We are not likely to disclose personal information directly to overseas recipients, but to the extent that personal information held kept by us or any third party provider and is backed up using services located in the cloud (which could be overseas servers) or servers not located in Australia, back ups of that information could be held overseas. We are not aware of the countries in which relevant servers are likely to be located.
13. Security and Quality of Personal Information:
We will take all reasonable steps to ensure that any personal information about you which we hold is:
(a) secure: protected from misuse, interference and loss and from unauthorised access, modification or disclosure;
(b) appropriate: accurate, complete, up to date, relevant and not misleading having regard to the purpose for which it is held.
While we take reasonable steps to protect all the personal information in our possession that we have collected through our website, we cannot guarantee the security of all data submitted to us over the internet.
Your personal information may be kept and be accessible in both hard and soft copy at our Australian office(s).
The Group operates secure data networks protected by industry standard firewall with password protected systems. Our Group security and privacy policies are periodically reviewed and enhanced as necessary.
We restrict access to personal information to our employees, and contracted third party providers who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations. They may be disciplined or their contract terminated if they fail to meet these obligations. Our access to your personal information is limited to the following departments for their respective purposes: Finance, IT, Property Management, and Compliance (including the Privacy Officer).
We may disclose your personal information to third parties who assist us in the operation of our business and the provision of our products and services such as our securities registries to the extent necessary for our business purposes, including (where appropriate):
• financial institutions for obtaining credit facilities and payment processing
• valuers of properties
• credit reporting agencies and guarantors
• claims management services
• injury management services
• property management services
• government agencies (where required by law).
We will take reasonable steps to destroy or de-identify personal information if we no longer need it for any authorised purpose and are not required by law to retain it. Some information may need to be retained for purposes of corporate governance purposes.
14. Access to personal information
We will handle all requests for access in accordance with the APPs. In most cases, we will give an individual access to any personal information that we hold about them within a reasonable period and in the manner requested, if that is reasonable. In some cases, we may refuse access where refusal is required or permitted by law. We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, information that is only available on older back up tapes, or would involve developing a new system or significantly changing an existing practice), or which risk the privacy of others. We will provide the individual with reasons for any refusal. We may charge a reasonable fee for giving an individual access to their personal information, however at present we do not propose to make any charge.
To request access to your personal information please contact the CPG Privacy Officer at the address below.
15. Correction of personal information
We appreciate any assistance to keep any personal information that we hold up to date, complete and accurate. If you want to update any personal information, you may do so by contacting the CPG Privacy Officer.
We will, on request, normally amend any of your personal information which is inaccurate, incomplete, out of date, irrelevant or misleading (without cost to you) where:
(a) we have requested you to provide us with the updated information (for example, in accordance with our obligations under anti-money laundering legislation);
(b) we are satisfied that the information needs to be corrected; and/or
(c) we agree with your request that the information be corrected.
If we disagree with your request, we will write to inform you of our concerns about making the change you have requested, giving reasons for our refusal and notifying you of available complaint mechanisms. If you wish, we will then (at no cost to you and within a reasonable period), take reasonable steps to associate with the appropriate records of your personal information a statement that you claim the information is inaccurate, incomplete or out of date (whichever is relevant) and that you have requested a particular change.
16. Data breach obligations
CPG maintains systems to respond to internal or external data breaches in accordance with the guides and resources at:
A breach will need to be reported to the regulator and to persons involved when:
• there is unauthorized access to, or disclosure of, personal information held by CPG, or where personal information is lost in a situation where unauthorized access or disclosure is likely to occur, and
• there is a risk of serious harm to the individuals to whom the information relates (for example, access to their bank details, identity theft or reputational harm), and
• CPG has not been able to prevent the likely risk of serious harm to the individuals to whom the information relates by remedial action.
The steps for dealing with a possible data breach are set out in the chart at the end of this document.
17. Complaints process
If you have a complaint about how we handle your personal information, please contact our Privacy Officer.
The Privacy Officer will acknowledge your complaint within three business days of receipt and will seek to resolve your complaint within 20 days of receipt.
Centennial Property Group Privacy Officer
Level 27 Bligh Chambers
25 Bligh Street
Sydney NSW 2000
Telephone: +61 2 8277 6688
18. Copies of this policy and further information
This policy is available on our website and hard copy will be provided on request to our Privacy Officer. If you require more information about the way that we handle your personal information, contact our Privacy Officer.
As the Federal Government introduces new privacy legislation, this Policy will be reviewed and updated accordingly. We will also regularly review this Policy and may change it from time to time. The date at which this Policy was most recently updated is given above.
21. Further Information
More information on privacy legislation and guidance material is available from the Office of the Australian Information Commissioner.
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Facsimile: +61 2 9284 9666
Section B: Privacy Report
1. The Privacy Officer
1.2 The Privacy Officer will provide a quarterly report to the Compliance Committee as described further below.
2. Monitoring and reporting process
2.1 The Privacy Officer is accountable for monitoring service providers which have access to personal information obtained by or on behalf of CPG and for reporting any instances of non-compliance identified in relation to services provided.
2.2 In the Privacy Officer’s report, the following matters will be addressed in relation to the relevant reporting period:
(a) whether all personal information held by CPG is appropriate and is kept confidential and secure (see IT Resources – Security);
(b) to the extent that any such information has been shared with third parties on a need to know basis, whether contractual provisions are in place to ensure that such information is kept secure;
(c) how third parties have been monitored;
(d) whether there have been any internal or external data breaches; and
(e) what privacy requests have been received.