MMG Limited (ARBN 31 150 889 151) and its subsidiaries (“MMG”, “we”, “our” or “us” in this Privacy Statement) is a global resources company which explores, develops and mines base metal deposits around the world. We are obliged by law to comply with the relevant privacy laws of the countries where we operate. This privacy statement is prepared in accordance with Australian privacy law because our head office is located in Australia. Where privacy laws in other countries apply, we comply with those as far as reasonably practical. This Privacy Statement explains how we collect, hold, use and disclose (“process”) personal information in the countries where we operate.
2. SCOPE AND APPLICATION
This privacy statement applies to all personal information that we process in the course of our business, in compliance with relevant laws and our risk management activities, including in relation to our internal operations (management, employees, temporary staff, contractors) and external operations (third parties such as business partners and service providers).
3. PERSONAL INFORMATION, PRIVACY AND EMPLOYEE RECORDS
In this privacy statement, “personal information” concerns information or an opinion about an identified individual or an individual that is reasonably identifiable. We make no distinction between employee records and other sources of personal information, nor between the format or veracity of personal information which we process. All personal information that we process is classified as being of high value and high sensitivity.
4. PRIVACY PRINCIPLES GOVERNING THE HANDLING OF PERSONAL INFORMATION
4.1 Open and Transparent Management of Personal Information
MMG is committed to managing personal information in an open and transparent way. To support this commitment, we have implemented internal practices, procedures and systems (“administrative controls”) to align our handling of personal information with principles derived from Australian and relevant international privacy laws, international standards and best practice.
4.2 Anonymity and Pseudonymity
Individuals can choose to remain anonymous or to use a pseudonym when dealing with us. In some circumstances, depending on the nature of an individual’s transaction with us, we may need to know the identity of the individual who we are dealing with in order to provide the service or information requested.
4.3 Collection of Solicited Personal information
We are committed to collecting personal information by lawful and fair means. Wherever possible, we only collect personal information directly from an individual and with their consent, and only do so where the personal information is reasonably necessary for one or more of our business activities. It is generally not necessary to collect sensitive personal information, except in relation to internal human resourcing activities, where the sensitive personal information is required (for employment reasons and/or by operation of relevant laws). In these circumstances, we will only collect sensitive personal information about an individual after having received the individual’s explicit consent to that collection. We may solicit or request personal information from a third party such as an employment agency or referee in the context of employment.
4.4 Dealing with Unsolicited Personal information
We do not actively seek to collect unsolicited personal information. However, if such unsolicited personal information is provided to us, we will assess whether the unsolicited personal information should be retained, de-identified or destroyed, and act accordingly.
4.5 Notification of the Collection of Personal Information
This privacy statement, legal notices published on our website and intranet and the administrative controls, collectively represent our method for ensuring that individuals know about the personal information that we
4.6 Use or Disclosure of Personal Information
Where we hold personal information about an individual that was collected for a particular purpose, we will not use or disclose that information for another purpose unless:
- Otherwise required or authorised by law; or
- The individual has consented to the use of that information for another purpose; or
- The individual would reasonably expect us to use or disclose that information for a related purpose.
We use and disclose personal information:
- For internal MMG business activities – name, date of birth, address (physical, postal, email and Internet Protocol address), telephone numbers, cookies, OHS and device-related information, such as a MAC address, geo-location and RFID proximity cards, next-of-kin, spouse or partner, fatigue, drug and alcohol usage, payroll, banking, tax, photo identity, trade union membership, religious beliefs, gender, cultural and ethnic identity, qualifications, training and the like. We do not collect biometric forms of personal information such as fingerprints, unless required to do so by relevant laws;
- For external MMG business activities – communicating and transacting with third parties and entering into legal relationships (JVs, M&A, outsourcing, engaging services and purchasing goods); and
- For record retention – when required for legal, business and evidential reasons.
4.7 Direct Marketing
We seldom engage in direct marketing. If we do, we ask for consent (express, tacit or implied) to communicate directly with the individuals concerned and we allow those individuals to opt-out of receiving direct communications and direct marketing notifications. We do not disclose, sell or share personal information to third parties for direct marketing purposes.
4.8 Cross-border Disclosure of Personal Information
MMG operates in various countries. To facilitate our global operations, we rely on various third party service providers, such as telecommunications and internet service providers based in the People’s Republic of China, Hong Kong, Laos, Democratic Republic of Congo, Peru, Canada, the United States and South Africa. These service providers may also have separate operations in other countries, which they use to provide the relevant telecommunications and internet services to us.
In light of our global information systems, personal information is located and disclosed in transit and in a static format in countries across the world. Individuals are cautioned to consider how their personal information is transferred through and stored on our global information systems, and accordingly make appropriate choices about their personal information. While the use of information technologies mean that there can be no reasonable expectation of privacy, MMG complies with relevant monitoring and surveillance laws, which seek to avoid unreasonable limitations on privacy.
4.9 Adoption, Use or Disclosure of Government Identifiers
We do not adopt, use or disclose individuals’ government identifiers as our own identifiers for those individuals. However, when required or authorised by law to do so, we use and disclose individuals’ government identifiers, including individuals’ Australian Tax File Numbers for human resource purposes.
4.10 Quality of Personal Information
We are committed to ensuring that all personal information which we process is accurate, up-to-date, complete and relevant. To do so, we provide various technical and other means for individuals to access, verify and update the personal information records that MMG holds about those individuals.
4.11 Security of Personal Information
We are committed to taking reasonable steps to protect all personal information that we hold from misuse, interference and loss. We are also committed to securing personal information from unauthorised access, modification and disclosure. To comply with relevant laws and manage associated risks, our administrative controls aim to protect the confidentiality, integrity and availability of our information systems, and the personal information that we process on those information systems.
Where there is no legal obligation to retain records and evidence of personal information, and in circumstances where we no longer require that personal information for our business activities, we will take steps to destroy or de-identify that personal information.
Our information security and privacy practices include circumstances where our data handling practices are outsourced to third parties. In these circumstances, we require that relevant third party service providers comply with our standards and relevant laws by entering into appropriate legal agreements with those third party service providers. Where possible, we also continue to monitor the third party service providers’ privacy and security practices, to ensure that they meet our standards.
4.12 Access to Personal Information
Where we (or any third parties on our behalf) process personal information, we will on request from the relevant individual, (or any third parties on our behalf) normally give that individual access to their own
personal information. In considering an individual’s request for access to their own personal information, and before deciding to grant or refuse access to that individual, we will require identification from the individual concerned. We reserve the right to refuse access where such a refusal is authorised by law, in cases of commercial sensitivity and/or where a third party may be negatively affected by giving the individual access to their personal information. We will provide reasons for all refusals of access. We will respond to an individual’s request for access to their own personal information within a reasonable time (generally within thirty (30) business days). No charge will generally apply to an individual’s request for
access to their own personal information, or upon MMG deciding to grant or refuse access. We do, however, reserve the right to charge a fee for the granting of access to an individual’s personal information, where we incur costs in granting such access.
4.13 Correction of Personal Information
Where we hold personal information, we take reasonable steps to ensure that the personal information is accurate, up-to-date, complete, relevant and not misleading. Where it is not, an individual may request that we correct their personal information. In considering a request for correction, we will require identification and we reserve the right not to effect the changes sought. We will provide reasons for all refusals to make corrections. We will respond to a request to correct personal information within a reasonable time (generally within sixty (60) business days), although giving effect to any associated corrections which are sought by an individual may take longer if we need to contact any third party organisations or notify other individuals about the request. No charge applies for the making of a request to correct personal information, upon MMG refusing to effect the corrections sought, or upon correction of any relevant personal information by or on behalf of MMG.
If and when MMG suspects or becomes aware of:
- A breach of its network or information systems, resulting in unauthorised access to or unauthorized disclosure of one or more individuals’ personal information, which is likely to result in serious harm to the relevant individual(s); or
- Personal information being lost, in circumstances which may result in unauthorised access to or unauthorised disclosure of one or more individuals’ personal information,
- Take remedial action;
- Where remedial action fails to adequately limit the risk, notify the relevant individual(s) and the Office of the Australian Information Commissioner (“Commissioner”); and
- Work with the relevant individual(s) concerned and the Commissioner to protect everyone and everything concerned.
Any person who suspects (or becomes aware of) a breach (or an impending breach) in relation to personal information held by MMG should contact MMG’s Privacy Officer as a matter of urgency in accordance with the Data Breach Response Procedure.
6. COMPLAINTS, ENQUIRIES AND REQUESTS FOR ACCESS OR CORRECTIONS TO PERSONAL INFORMATION
In most circumstances, the Commissioner will not investigate an individual’s complaint in relation to personal information held by MMG if the individual has not first raised the matter with us. For this reason, we ask that individuals submit all complaints relating to this privacy statement to MMG first, so that we have an opportunity to resolve complaints before they proceed to any relevant authority (including the Commissioner). Please direct all complaints, enquiries and requests for access or corrections to personal information to MMG’s
Privacy Officer at the contact details below:
- By post at: Level 23, 28 Freshwater Place, Southbank VIC 3006
- By email: email@example.com
- By phone: +61 3 9288 0888
If you are not satisfied with how your complaint is handled by us, then you can lodge a formal complaint with the Commissioner at:
- Telephone: 1300 363 992 (if calling from outside Australia including Norfolk Island please call: +61 2 9284 9749)
- National Relay Service:
− TTY users phone 133 677 then ask for 1300 363 992
− Speak and Listen users phone 1300 555 727 then ask for 1300 363 992
− Internet relay users connect to the National Relay Service then ask for 1300 363 992
- Post: Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001
- Fax: +61 2 9284 9666
- Email: firstname.lastname@example.org
- Website: https://www.oaic.gov.au/privacy/privacy-complaints/
7. SKILL, DILIGENCE, CARE
At all times, in processing personal information, MMG will exercise the reasonable skill, diligence and care that may reasonably be expected of a similar global resources company.