KDR GOLD COAST PTY LTD – PRIVACY POLICY
KDR Gold Coast Pty Ltd is committed to protecting your privacy. We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Information Privacy Act 2009 (Qld) (IP Act), which regulate the way in which agencies and organisations must manage personal information. This Privacy Policy describes the types of personal information we hold and how we handle this information in connection with the operation and maintenance of the Gold Coast Light Rail (GCLR).
Terminology
In this policy:
(a) the expressions “we”, “us” and “our” refer to KDR Gold Coast Pty Ltd (KDGC);
(b) the expressions “you” and “your” refer to any individual whose Personal Information we may handle from time to time;
(c) Personal Information has the meaning set out in the applicable Privacy Laws;
(d) Privacy Laws means the Privacy Act or the IP Act (as applicable); and
(e) Privacy Policy means this document, as updated from time to time.
Types of information collected
We only collect Personal Information to the extent that this is reasonably necessary for one or more of our functions or activities.
This includes the following kinds of information:
(a) your full name and contact details, including email address, phone number and address;
(b) images of you captured by CCTV and body-worn camera footage;
(c) technical and usage information about how you use our website and app, including internet protocol address, browser type, time zone setting and location;
(d) your marketing preferences; and
(e) any other information you provide us from time to time, including through any direct contact with us and via our online channels (including social media).
IP addresses and cookies
We may collect information about your computer, including where available, your IP address, operating system, browser type and other technical information for system administration. This is statistical information about our users’ browsing actions and patterns, and helps us to improve our site and to deliver a better service. Some of the cookies we use are essential for our website and app to operate. If you use our website and app, you agree to our use of cookies and analytics tools. You may block cookies by activating the setting on your browser or device which allows you to refuse the setting of all or some cookies.
Method of Collection
Our preference is to collect Personal Information about an individual directly from that individual, unless it is unreasonable or impracticable for us to do so.
We may collect Personal Information in a number of ways. We collect personal information directly from you, including when you:
(a) use our services;
(b) purchase tickets;
(c) use or access our website and app (including by filling in the contact form or otherwise uploading information);
(d) subscribe to our email newsletters or other communications;
(e) monitoring and taking enforcement action in relation to fare evasion on network – our authorised officers are entitled to collected identity information in this context under the transport Operations (Passenger Transport) Act 1994 (Qld);
(f) contact us via email or via our social media channels or when you contact our contact centre; or
(g) respond to surveys or marketing materials carried out by or on behalf of KDGC.
If you choose to correspond with us in writing, we may retain the content of your messages together with your email address and our responses. We provide the same protections for these electronic communications that we employ in the maintenance of information received by other methods.
We may collect personal information about you from recordings captured by CCTV or body-worn camera footage collected in and around GCLR trams and stations.
We may also collect information indirectly, for example, from third party service providers or other sources such as government bodies, departments and contractors, law enforcement and insurance providers. This may include Translink, the Queensland Police Service (QPS) and GoldlinQ Pty Ltd.
Purposes of collection
We collect your Personal Information so that we may operate and maintain the GCLR and better service our customers.
The purposes for which we may collect Personal Information in operating and maintaining the GCLR include, but are not limited to:
(a) managing trams and stations;
(b) ensuring passenger and community safety;
(c) maintaining the security of our facilities, including minimising and detecting unlawful activity and assisting law enforcement and government bodies and departments in carrying out their responsibilities;
(d) monitoring and enforcing policies, procedures and conditions applicable to use of the GCLR;
(e) communicating with you (including by email, direct message and phone call);
(f) providing you with information and updates about KDGC and the GCLR generally;
(g) organising and running our functions, events and activities;
(h) understanding the use and effectiveness of our website and app;
(i) managing the financial and administrative records of KDGC; and
(j) more generally, in the day-to-day running of our organisation and the GCLR, including the general management, administration and operation of KDGC.
Use and disclosure
We will only use or disclose Personal Information in accordance with applicable Privacy Laws.
The purposes for which we will use and disclose Personal Information when operating and maintaining the GCLR include, but are not limited to:
(a) assisting law enforcement with the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;
(b) assisting government bodies and departments (including Translink) and where required to make disclosures under law;
(c) investigating, managing and resolving incidents and legal claims;
(d) handling insurance claims; and
(e) recovering debts owed to KDGC.
Where we engage external entities to perform some of our functions and activities, and these arrangements require access to, or collection of personal information on behalf of KDGC, we will take reasonable steps to ensure that these entities are bound to comply with appliable Privacy Laws.
Disclosure of Personal Information to third parties
We may share your Personal Information with third party contractors (including outsourced and cloud service providers) who may be unable to avoid accessing Personal Information in the course of providing technical or other business support services to us.
We may also share your Personal Information with third party organisations to the extent necessary for the purposes described above, or where we are required to do so by law. These third parties may include, but are not limited to:
(a) GoldlinQ Pty Ltd (as operator franchisee of the GCLR);
(b) lawyers, accountants and professional advisors;
(c) agents, contractors or our subsidiaries or other affiliated companies;
(d) insurance providers;
(e) debt recovery providers;
(f) government bodies or departments; and
(g) law enforcement authorities.
Surveillance activities
We operate surveillance cameras (CCTV and body-worn cameras) in and around GCLR assets for various purposes consistent with this Privacy Policy, including monitoring people movement and general operational purposes, as well as the purposes of minimising and detecting unlawful activity, preventing crowd disturbances and assisting law enforcement and our security contractors in carrying out their responsibilities. The surveillance recordings, including personal information held on those recordings, may be provided:
(a) to law enforcement bodies or an agency responsible for government or public security, to the extent that KDGC is required or authorised by applicable law; and
(b) to third parties (including security contractors and other third party service providers) in accordance with this Privacy Policy, to the extent that KDGC is required by applicable law, under its contractual obligations or where it considers it reasonably necessary for purposes set out in this Privacy Policy.
Consequences if Personal Information is not collected
If we are not able to collect your Personal Information, we may not be able to provide the requested services to you or may not be able to provide the requested services to the same standard or scope that we would typically be able to provide.
Direct marketing
We will not use or disclose Personal Information for the purposes of direct marketing to you unless:
(a) you have consented to receive direct marketing materials; or
(b) we are otherwise permitted to do so by law.
You can ask to be removed from our marketing list (or from specific communications) at any time by contacting us, or by following the prompts in the relevant communication, where applicable.
Storage of data and overseas disclosure
The Personal Information we hold is either stored on our servers or the servers of third-party service providers, located both in Australia and overseas. We take reasonable steps to protect Personal Information held from misuse and loss and from unauthorised access, modification or disclosure.
Some of our service providers and related bodies corporate with which we share Personal Information as described above may be located in overseas locations. In addition, we, or our subcontractors, may use cloud technology in connection with the storage of Personal Information, and it is possible that this may result in offshore storage. In each of these circumstances, we will take reasonable steps to ensure that your Personal Information is protected in compliance with applicable privacy laws.
Data security
We take reasonable steps to protect the Personal Information which we hold from misuse or loss and from unauthorised access, modification or disclosure. We will destroy or de-identify Personal Information once we no longer require it for our business purposes.
We will comply with our obligations relating to the notification of eligible data breaches. To the extent we are required to notify you of a data breach, we will take reasonable steps to make you aware of such data breach.
When using our website or app or communicating with us via social media, you should be aware that no data transmission over the Internet can be guaranteed as totally secure. Although we strive to protect such information, we do not warrant the security of any information that you transmit to us over the Internet and you do so at your own risk.
From time to time, we may hyperlink to external websites. These websites are not subject to this Privacy Policy, and we are not responsible for the content or privacy practices employed by those websites. You should review the privacy policy of each individual website you access via hyperlinks.
Changes to the Privacy Policy
From time to time, we may change our policy on how we handle Personal Information or the types of Personal Information which we hold. Any changes to our policy will be published on our website.
You may obtain a copy of our current Privacy Policy from our website or by contacting us on the details below. Please check our website from time to time in order to determine whether there have been any changes.
Access, correction and further information
We will take such steps as are reasonable to ensure that the Personal Information which we collect remains accurate, up-to-date and complete.
We will provide you with access to your Personal Information held by us unless we are permitted under applicable Privacy Laws to refuse to provide you with such access. Please contact us via the details below if you:
(a) wish to have access to the Personal Information which we hold about you;
(b) consider that the Personal Information which we hold about you is not accurate, complete or up-to-date; or
(c) require further information on our Personal Information handling practices.
There is no charge for requesting access to your Personal Information but we may require you to meet our reasonable costs in providing you with access and fill out the relevant application forms (if required).
If you consider that the information which we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, we will take reasonable steps, consistent with our obligations under applicable Privacy Laws, to correct that information if you so request.
We will respond to all requests for access and/or correction within a reasonable time. Please be aware that, to preserve the confidentiality of your Personal Information, we may require proof of your identity before providing you with access to such Personal Information.
Contact
KDGC’s contact details are set out below:
Telephone: 1800 064 928
Email: customerservice@ridetheg.com.au
Complaints
If you have any questions about this Privacy Policy or wish to make a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your Personal Information, please contact us via the details above. We take all complaints seriously and any complaint will be investigated by us. You will be notified of our decision as soon as is practicable after it has been made, usually within 30 days after receipt.
If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner, or alternatively, the Office of the Information Commissioner (Queensland) on the below details for guidance on alternative courses of action which may be available. We will provide our full cooperation in the event that you elect to pursue this course of action.
Office of the Australian Information Commissioner:
Mail: GPO Box 5288, Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: https://www.oaic.gov.au
Office of the Information Commissioner (Queensland):
Mail: PO Box 10143, Adelaide Street, Brisbane, Queensland 4000
Phone: 1800 642 753
Email: enquiries@oic.qld.gov.au
Website: https://www.oic.qld.gov.au
We acknowledge the original inhabitants of this area, including the Yugambeh people and family groups within, and recognise their connection to the land, waters and resources in the area now known as the Gold Coast. We pay our respects to their Elders past, present and emerging.
