Who are we and how does this policy apply?
This policy applies to Ampol Limited (ACN 004 201 307) and its related bodies corporate (collectively referred to in this policy as "Ampol"). Please note that in May 2020, Caltex Australia Limited changed its name to Ampol Limited and a similar change will be made to its related bodies corporate as we transition to our new and iconic Australian brand.
What is the purpose of this policy?
This policy outlines how Ampol manages the personal information and credit-related personal information that we hold about our customers, potential customers, contractors and others. Ampol is bound by the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) ("Privacy Act") and the applicable parts of the credit reporting requirements in Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct.
Under the Privacy Act, and throughout this policy, "personal information" is information or an opinion relating to an individual who is reasonably identifiable. In this policy, where we refer to "you" or "your", we are referring specifically to natural persons as opposed to other entities such as partnerships, trusts and companies.
Part I of this policy details Ampol’s management of personal information generally.
Part II of this policy provides specific details about how Ampol manages credit-related personal information.
Part III of this policy sets out how Ampol protects personal information and credit-related personal information, and how you may seek access to or correction of or make a complaint about, that information.
PART I – MANAGEMENT OF PERSONAL INFORMATION
How does Ampol collect personal information?
The main way in which Ampol collects personal information is through completion of paper-based or electronic forms or through forms provided in Ampol's applications or on Ampol's internet (for external users) and intranet (for employees) website pages. Ampol may also collect personal information by recording telephone calls made to the Ampol call centre (see below for more information), in face-to-face meetings and in interviews.
Ampol may collect personal information from third parties, such as from referees in the case of prospective employees. Sometimes we collect personal information about you from other people or organisations. This may happen without your direct involvement. For instance, we may collect personal information about you from:
- publicly available sources of information, such as public registers
- your representatives (including your legal adviser, executor, administrator, guardian, trustee, or attorney)
- your employer
- ·other organisations, who jointly with Ampol, provide products or services to youcommercial information service providers, such as companies that provide criminal and fraud prevention reports.
At or before the time Ampol collects your personal information, or if that is not practicable, as soon as practicable afterwards, Ampol will give you notice as follows:
(a) the purposes for which the information is collected
(b) to whom, or the types of individuals or organisations to which, Ampol might usually disclose information of the kind collected; and
(c) any law that requires the particular information to be collected, and the main consequences if all or part of the information is not provided.
What information does Ampol collect?
The personal information Ampol may collect about you is dependent upon your relationship with Ampol. The following are some examples of the types of personal information that Ampol may collect from individuals whether directly or indirectly, through a service provider or through an operator of a Ampol outlet:
(a) In the employment context:
- application forms - name, addresses, telephone numbers
- resume details - which will usually include details such as an individual's name, address, telephone numbers and email address, academic qualifications, employment history, and referees
- reference checking
- pre-employment medical (with the prospective employee's consent)
- psychological and drug testing criminal record checks.
- employment application forms
- personal details including name and address, telephone numbers and email address
- bank account details (for salary/wages)
- tax file number details (for salary and superannuation).
(b) Commercial customers
- personal details - including names, addresses, telephone numbers, email address
- financial details including banking details - for payments (where applicable).
(c) StarCard Customers
- application forms - information including but not limited to names, addresses, telephone numbers, email address and employment details
- financial details including bank account details.
(d) Customers generally
- monitoring and/or recording interactions with customer service representatives at Ampol’s call centre - customers' and employees' conversations at Ampol’s call centre may be monitored and/or recorded for coaching, training, record keeping and dispute resolution purposes. Callers will be notified at the outset if such monitoring or recording is to occur and be given the option not to have the call recorded. Ampol may, even if the phone call is not recorded, collect personal information during those telephone calls to assist with your query.
- competitions and contests - Ampol may use the personal information collected from competitions and contests (for example, the contestant's name and address) to market certain of its products to the contestants. Where Ampol intends to do this, it will advise the contestant of this in the competition's terms and conditions.
(e) Foodary Application customers
- personal details – including names, telephone numbers, email addresses
- financial details – including credit card details (where provided)
- monitoring and recording interactions with the Application and Ampol's customer support team
- location data
- details of purchases made through the Application
(f) Loyalty programs (and including, where applicable, temporary card holders)
- applicants for temporary card - information including but not limited to names, addresses, telephone numbers, email address and employment details
- members presenting cards - car number, name, address, telephone number, email address.
- personal details – including names, addresses, telephone numbers and email addresses
- financial details – including bank account details.
- Loyalty programs including the Woolworths Everyday Rewards Program (and including, where applicable, temporary card holders)
- application forms including a new franchisee information request - names, addresses, telephone numbers, email addresses
- financial details including banking details - for payments (where applicable)
- company searches, which may include related parties, guarantors and directors and owners
- good character and criminal background checks which may include the National Police Certificate (Australian Federal Police and Australian Criminal Intelligence Commission); the Anti-money laundering/Counter Terrorism Financing Rules global screening check; and criminal watch list check
- information confirming identity including certified 100 points of ID
- credit file authentication checks
- information on entitlement to work in Australia
- public record checks
- bankruptcy records checks (including International)
- land titles check
- Supreme Court civil litigation check.
- personal details for share register purposes – including names, addresses, email address and number of shares held
- financial details – including tax file number and bank account details
- shareholder registry – Ampol is required to maintain a register of shareholders under the Corporations Act 2001 (Cth).
How does Ampol use and disclose personal information?
Subject to the exceptions set out in the Australian Privacy Principles (for example, the disclosure of personal information when allowed or required by law), Ampol will only use and/or disclose your personal information for:
(a) the primary purpose for which this personal information is collected; or
(b) a related purpose, where you would reasonably expect that this personal information would be used and/or disclosed without your further consent.
This means that generally Ampol will only disclose your personal information internally and/or to a third party contracted to provide services to Ampol and only if necessary for one of the purposes referred to above.
The third parties that may be used by Ampol vary depending on the particular circumstances in each case, but typically fall into the following categories:
- insurance companies
- trade promotion agencies
- insurance assessors
- billing and mailing houses
- delivery contractors
- IT service providers
- superannuation funds
- share registries
- professional legal and accounting advisors
- in relation to loyalty cards, loyalty card program operators
- platform providers or merchant facility providers
Will Ampol send you marketing material and what can you do to stop that?
A related purpose for which Ampol collects personal information may be marketing by Ampol of products or services. However, where this is not a related purpose to collection of personal information, in certain circumstances Ampol is entitled to send marketing material to you where you have consented to receiving this material or where Ampol provides you with an opportunity to stop or opt-out of receiving this material.
If you have received marketing material from Ampol and you wish to stop it, you can contact the Privacy Compliance Officer at the address set out below. Ampol will not charge you or in any way disadvantage you if you choose to opt out of receiving marketing material.
Ampol will not disclose your personal information to a third party for that third party to send you its marketing material unless Ampol has obtained your consent. Ampol may occasionally provide its marketing material to third parties to distribute on Ampol’s behalf to individuals who have consented to receiving that material.
Where you present a third party loyalty card that is accepted by a participating Ampol outlet, or you apply for a temporary card in relation to a third party loyalty card program, you consent to
- Ampol collecting your personal information,
- Ampol disclosing your personal information to the loyalty card operator,
- the loyalty card operator disclosing to Ampol your personal information relating to your use of that loyalty card, and
- Ampol collecting and using your personal information to send marketing material to you in relation to Ampol products or services, including by electronic direct messages such as email and SMS.
Any subsequent use or disclosure of your personal information by a third party card operator, including for other marketing purposes, will be governed by the terms of the loyalty program as in operation between you and the loyalty card operator.
Ampol temporary cards
If you apply for the issue of a Ampol temporary card in relation to a third party loyalty card program, we will collect personal information from you as solicited on the application form and then provide that personal information to the loyalty card operator together with details of your eligible purchases. You may then apply to join the loyalty card program by completing a membership application for that loyalty card program and submitting it to the third party card operator. If you are successful in applying for membership of the loyalty card program and you do so within 30 days from the date of the eligible purchases, the loyalty card operator should credit your eligible purchases within that 30 day period for points earned by you in that loyalty program.
When does Ampol share information?
Ampol generally will only disclose personal information to third parties without your consent if that disclosure is necessary for the purpose(s) for which that information was collected. Set out below are some examples of where it is necessary for Ampol to disclose personal information to third parties:
(a) In the employment context:
- Superannuation plan administration arrangements - Ampol provides employees' personal details (including, but not limited to, employees' names, addresses, tax file numbers, dependents, salaries) to the external administrator of the superannuation plan which is responsible for the day-to-day administration of plan business.
- Payroll arrangements - Ampol provides its external paymaster company with employees' personal details (including, but not limited to, employees' names, addresses, bank account details, tax file numbers) to ensure wages and salaries are properly paid in accordance with employees' directions.
- Insurance arrangements - Ampol advises disability and death insurers of employees' personal details (including, but not limited to, employees' names, addresses, medical reports) to enable those insurers to properly process disability and death claims.
- Recruitment systems - Ampol requires prospective employees to complete documentation and submit to pre-employment checks, including completing application forms, reference checking, pre-employment medicals, psychological and drug testing and criminal record checks which involves disclosure of personal information to various third parties.
- Video monitoring - external security advisers/contractors may view security tapes that have been recorded in the workplace.
- Medical - Ampol may, with the employee's consent, provide the company doctor or any medical specialists or allied health professionals retained by Ampol with employees' medical records for the purposes of their employment with Ampol.
- Worker's compensation - Ampol may disclose employees' records (including the employees' medical records) to its insurers and their agents for the purpose of processing claims.
- IT arrangements - Ampol may provide its external IT service providers with employees' personal details (limited to identifiers such as name, address, date of birth and employee identifier) to assist in ensuring the security of Ampol's computer network is maintained (see also security measures Ampol adopts to protect personal information).
(b) Generally and in a commercial context:
- Credit checks on new and existing individual customers - Ampol may provide necessary personal information to credit reporting agencies to ascertain an individual's financial position if the person is a new or an existing customer.
- Competitions - in some cases Ampol uses third parties to run its competitions. In these instances, unless otherwise disclosed to the contestant prior to, or at the time of, entering the competition (normally set out in the competition's terms and conditions), any personal information collected about a contestant will be returned to Ampol.
- Ampol may provide its external IT service providers with customers’ personal details (limited to identifiers such as name, address, date of birth and payment information) to assist in ensuring the security of Ampol's computer network, mobile applications and payment processing is maintained.
Does Ampol send your personal information overseas?
Ampol may transfer information about you between countries if required for a relevant purpose described above. Ampol may disclose your personal information to the following overseas recipients:
(a) other members of the Ampol Group (including those members located in Singapore);
(b) other companies or individuals who assist us in providing services or who perform functions on their behalf (such as third party service providers, specialist consultants), including those located in the United Kingdom, New Zealand, USA and Singapore;
(c) anyone else to whom you authorise us to disclose it; and
(d) anyone else where authorised by law
PART II - MANAGEMENT OF CREDIT REPORTING INFORMATION
What credit-related personal information does Ampol collect?
Ampol collects credit-related personal information in connection with applications for credit, which are predominantly applications for commercial credit for business purposes. Examples of the types of credit-related personal information Ampol may collect and hold include:
- identity particulars of individuals associated with the applicant for credit, including contact name, address, date of birth, phone numbers, employer and drivers licence number. This information is mainly collected about the directors, partners, trustees or principals of the business, but some personal information may also be collected about others in that business (such as the account management staff or a guarantor where deemed necessary by Ampol);
- financial information relating to directors, partners, trustees or sole traders, and any person who acts, or proposes to act, as a guarantor;
- historical insolvency information of directors, partners, trustees, sole traders or managers associated with a business applying for credit;
- consumer credit information of directors, partners, trustees or sole traders, anyone acting or proposing to act as a guarantor, or any individual applying for credit. This information is obtained from credit reporting bodies where Ampol believes it is necessary to assess the credit worthiness of individuals associated with the applicant for credit, including guarantors;
- a record that we have made a request with a credit reporting body for credit related information; and
- where an application for commercial credit is made by a sole trader or an application for consumer credit is made by an individual, and we have made a request with a credit reporting body in connection with such an application, the type and amount of credit that has been applied for
What does Ampol use credit-related personal information for?
Personal information provided to Ampol in connection with an application for credit is principally used to assess that application and for the ongoing management of a credit account in the name of the applicant (if the application is successful), and otherwise as permitted by law. This may involve one or more of the following:
- assessing the credit worthiness of the applicant, or individuals associated with the applicant (in the case of a business applying for commercial credit) where that is deemed necessary by Ampol, including obtaining both consumer and commercial credit reports from credit reporting bodies;
- disclosing personal information to credit reporting bodies before, during or after the granting of credit to the applicant, including but not limited to identity particulars (as outlined above), payment defaults of individuals and serious credit infringements (mainly in relation to guarantors);
- ·obtaining and verifying personal information from a motor vehicle or land title registry or from a business that provides credit worthiness information;
- providing to or exchanging personal information with any person whose name is given to Ampol in connection with an application for credit;
- exchanging personal information with another credit provider who is named in an application for credit or in a credit report issued by a credit reporting body, or a credit provider who proposes to provide credit to an applicant, principally for (but not limited to) the following purposes:
Ampol is required to obtain an individual's consent before being provided with consumer credit information about that individual from a credit reporting body. Ampol will typically do this by having the individual read and agree to a privacy agreement in Ampol's credit application form or otherwise accept the provisions of this policy.
Who is credit-related personal information disclosed to?
Ampol discloses credit-related personal information to third parties in the circumstances and for the purposes described above, including to credit reporting bodies. Credit reporting bodies may include credit-related personal information in reports provided to credit providers to assist them to assess an individual's credit worthiness.
Ampol shares credit-related personal information with the following credit reporting body:
PO Box 964
North Sydney NSW 2059
Phone: 1300 762 207
To obtain a copy of your credit file held by Veda Advantage, or to view a copy of Veda Advantage's policy about the management of credit-related personal information, please visit www.mycreditfile.com.au
What are your rights in relation to credit reporting bodies?
(a) Opting out of direct marketing pre-screenings - a credit reporting body may use your credit-related personal information to assist a credit provider to market to you by pre-screening you for direct marketing by the credit provider. You have the right under the Privacy Act to request a credit reporting body to exclude you from such a direct marketing pre-screening by contacting that credit reporting body.
(b) If you are a victim of fraud - if you reasonably believe you have been, or are likely to be, a victim of fraud (including identity fraud), you have a right to request a credit reporting body not to use or disclose any credit-related personal information held by that body about you for a minimum of 21 days (referred to as a "ban period"). Ampol reserves the right to delay or refuse any application for credit where it reasonably believes it requires credit-related personal information about an individual but is unable to obtain such information because a ban period is in effect for that individual.
PART III - PROTECTION, ACCESS, CORRECTION AND COMPLAINTS
In this Part III, the term 'personal information' includes credit-related personal information. Some sections deal specifically with the protection, access and correction of credit-related personal information.
How does Ampol protect personal information?
Ampol stores personal information in a range of paper-based and electronic forms:
(a) Paper Security - Where personal information is stored in physical form, Ampol may use a variety of mechanisms to protect the security and integrity of such information which might include:
- locking personal information in cabinets and only giving access to those employees who have a need to use it; and
- using other access control measures such as keyed access, security alarms and surveillance cameras to deter and detect unauthorised access.
(b) Computer and Network Security - Ampol adopts a number of security measures to protect information from unauthorised access to its computer systems which include:
- access control for authorised users such as user names and passwords;
- limiting access to shared network drives to authorised staff;
- ·virus checking; and
- specialised IT support to deal with security risks.
(c) Communications Security - Transmission of personal information may involve insecure telecommunications lines. Security of this personal information is enhanced by:
- checking facsimile numbers before sending personal information, and confirming receipt;
- PIN numbers and passwords required for some telephone and internet transmissions;
- identity checking before giving out any personal information; and
- encryption of data for high risk transmissions.
Personal information in Ampol's possession may be retained in archival storage. Generally Ampol will destroy personal information after a period of seven (7) years following its collection or an employee's separation from Ampol unless it is required, or may be required, to be kept for a longer period because of the purpose(s) for which it was originally collected.
How can you access to your personal information?
If you want access to your personal information held by Ampol, please put your request in writing and clearly identify the personal information you seek access to. This is important to ensure that the information can be retrieved quickly and cost effectively. All requests for access must be addressed to The Privacy Compliance Officer (see contact details below).
Depending on the circumstances, Ampol reserves the right to charge you a reasonable administrative fee. For example, Ampol's reasonable administrative costs might include:
- reasonable staff costs in locating and collating the information;
- reasonable reproduction or photocopying costs; and
- reasonable costs involved in having someone explain the information to you.
If a fee is charged for providing access, you will be advised of the likely cost in advance.
In some instances, Ampol may not release the personal information. For example, if the information reveals a formula or the details of a commercially sensitive decision-making process, then, in these instances, Ampol may decide to give you an explanation of the commercially-sensitive decision rather than direct access to the information.
What if your personal information is inaccurate?
Ampol will take reasonable steps to correct personal information that is inaccurate. You should contact Ampol if your personal information changes. If Ampol believes it is inappropriate to delete or alter the original information, it will discuss with you alternative ways of correcting the information that satisfies the needs of both parties.
Where a request to correct personal information relates to credit-related information, Ampol will notify the individual of its decision as to whether it agrees to correct that information in writing. Where Ampol does not agree to amend credit-related personal information held about you, Ampol will provide you with reasons for its decision and details of how you may make a complaint about Ampol's decision.
How do you make a complaint?
If you wish to make a complaint to Ampol about a possible breach of privacy, please provide full details of your complaint in writing and send it to the Privacy Compliance Officer (see contact details below).
Individuals inquiring about their rights and remedies for breaches of privacy can access detailed information at the Australian Privacy Commissioner's website.
If your complaint specifically concerns credit- related personal information and you believe Ampol has not complied with its obligations under the Privacy Act or the Credit Reporting Code of Conduct, Ampol will acknowledge any complaint within 7 days of receiving it, and aim to investigate and resolve complaints within 30 days. If that is not possible, we will seek to agree a longer period with you. Ampol will notify you of the outcome of its investigation in writing, including details of how you make a complaint if you are not satisfied with Ampol's decision.
How will changes to this policy be notified?
How to contact us?
If you would like more information concerning Ampol's approach to privacy or how Ampol handles your personal information you can write to:
The Privacy Compliance Officer
2 Market Street
SYDNEY NSW 2000
Updated: October 2020