Last amended 10 July 2016
1. Contact Details
Touch Holdings Limited
Phone: +61 (03) 9018 6800
2. About This Document
Touch is committed to complying with the Privacy Act 1988 (Cth) as amended from time to time (Privacy Act) and to protecting information from which the personal identity of its customers and website users is clear or easily determinable (Personal Information), and the personal information of their customers.
3. Touch is committed to the best-practice privacy standards
Touch operates under contract from its customers and those requirements that request enhancements to privacy provisions above the legal compliance requirements are incorporated into that customer’s solutions.
Touch is a Level 1 accredited PCI DSS (Payment Card Industry Data Security Standard) organisation. Accreditation is achieved on a yearly basis through the PCI DSS Council and is managed by an independent PCI Council approved auditor. PCI DSS has an impact on the personal data that incorporates Card Holder Data which may be stored, processed or transacted through Touch’s systems.
Touch is an accredited IRAPS Medicare Australia compliant organisation. Accreditation is achieved every two years under the accreditation program through the Department of Human Services (Australian Federal Government department) and is audited by an independent IRAPS approved auditor. The compliance process requires Touch to not store Personal Information in regards to Health transactions with Medicare.
4. Collection and holding of Personal Information
4.1 How Touch collects and holds Personal Information
Touch may be provided with information through customers entering details on the company's Electronic Service Delivery System (ESDS) when using particular services. In all cases, Touch shall only collect and retain information relevant to a customer’s use of the ESDS.
Information collected is stored on secure servers that are protected in controlled facilities, meeting the requirements of 2 separate compliance regimes: PCI DSS and IRAPS.
4.2 Kinds of Personal Information collected and held
Although the amount and type of information collected will vary depending on which services are used on Touch's ESDS, a comprehensive list of all of the various kinds of Personal Information that Touch may collect is as follows:
- Contact information, such as a person’s name, address, phone, email and other similar information.
- Detailed personal information such as a person’s date of birth.
- Tokenised financial information, such as the bank account numbers and credit card numbers.
- Details of Our Partner’s businesses, including location of their stores.
5. Purposes for collecting, using and disclosing Personal Information
5.1 Purposes for collecting, using and disclosing Personal Information
Touch recognises the confidence entrusted in it when its customers and website users provide Personal Information. In order to deliver a service Touch may sometimes share customers’ and users’ Personal Information with a provider of products and services distributed through the Touch ESDS.
The Personal Information which individuals provide Touch may be collected, held, used or disclosed for a number of purposes connected with Touch’s business operations, which include:
- processing an order placed by a customer;
- providing a customer with products and/or services requested;
- billing a customer or administering a customer’s account;
- dealing with requests, enquiries or complaints and other customer care related activities;
- carrying out market and product analysis and marketing Touch’s products and services generally;
- contacting a customer about Touch’s products and services;
- registering a customer’s details and allocating or offering the customer rewards, discounts or other benefits; and
- carrying out any activity in connection with a legal, governmental or regulatory requirement on Touch or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.
In addition, Touch may collect, hold, use or disclose a customer’s or user’s Personal Information for purposes related to those described above which would be reasonably expected by the customer or user.
Touch will not collect, hold, monitor or use any Personal Information about its customers and website users without their consent unless it is necessary:
- because it is required by law;
- to provide its customers with a service that they have requested;
- to implement its terms of service;
- to protect the rights or property of Touch, any Touch customer, or any member of the public; or
- to lessen a serious threat to a person's health or safety.
5.2 Disclosure to overseas recipients
Save for as otherwise set out in this policy, there will be no disclosure of Personal Information by Touch to recipients outside of Australia.
Most web browsers automatically accept Cookies. You can find information specific to your browser under the ‘help’ menu. You are free to decline our Cookies if your browser or browser add-on permits, unless our Cookies are required to prevent fraud or ensure the security of websites we control. However, declining our Cookies may interfere with your use of our websites and Touch Services.
7 Storage, security and behaviours regarding Personal Information
Touch will take all reasonable steps to ensure that Personal Information which it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification and disclosure. The Personal Information, if in digital format, is stored on secure servers that are protected in controlled facilities, meeting the requirements of 2 separate compliance regimes: PCI DSS and IRAPS. If in hardcopy format, the Personal Information is stored in locked areas in controlled facilities.
In some cases these facilities are overseas. Touch employees and data processors are obliged to respect the confidentiality of any Personal Information held by Touch. However, security of communications over the internet cannot be guaranteed, and therefore absolute assurance that information will be secure at all times cannot be given. Touch will not be held responsible for events arising from unauthorised access to Personal Information.
In addition, Touch's employees and data processors are obliged to respect the confidentiality of any Personal Information held by Touch, as well as undertaking continuing police reference checks to determine their suitability of employment. Touch employees and agents undergo a yearly education program regarding privacy to ensure an understanding by all staff as to the correct handling of personal data is understood.
Touch is independently (and separately) audited for Medicare IRAPS and PCI DSS on a regular basis. Touch is also audited for some specific products like MoneyGram to ensure data for their systems is similarly protected to personal data collected. Some of those product requirements request that no Personal Information is stored.
8 Individual’s right to access
Touch will respond to an individual’s request for access to his or her information within a period of seven (7) days. Touch will provide access to the information in the manner requested by the individual, so far as it is reasonable and practicable to do so.
8.2 Correction and updating
Touch will take all reasonable steps to ensure that the Personal Information it holds is accurate and will correct Personal Information within seven (7) days of a request from an individual. If Touch is unable to correct Personal Information held, Touch will provide an explanation in writing as to why the information cannot be corrected.
8.3 Complaints handling
Touch will deal with all complaints promptly and will endeavour to reach an amicable solution to the problem.
If you are not satisfied with the outcome of your complaint, you may make a complaint with the Privacy Commissioner at the Office of the Australian Information Commissioner (http://www.oaic.gov.au).
9 International application
Touch will comply with any applicable privacy laws of any jurisdiction which are binding on Touch.
10 Changes in policy
11 More information
For more information about privacy issues in Australia, visit the Office of the Australian Information Commissioner's website at http://www.oaic.gov.au.