SAS Australia Privacy Policy

SAS Institute Australia Pty Ltd ABN 13 002 287 247 ("SAS")

SAS' adoption of the Australian Privacy Principles ("APP") as required by the Privacy Act 1988 as amended is set out in this policy.

1. Australian Privacy Principle 1—open and transparent management of personal information

1.1 SAS will ensure that it manages personal information in an open and transparent way in accordance with this policy and legislation.

1.2 SAS will take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to SAS' functions or activities that:

(a) will ensure that SAS complies with the Australian Privacy Principles and a registered APP code (if any) that binds SAS; and

(b) will enable SAS to deal with inquiries or complaints from individuals about SAS' compliance with the Australian Privacy Principles or such a code.

SAS will have key staff working with personal information across the business in Australia undertake the ADMA DataPass certification.

1.3 SAS will have a clearly expressed and up to date APP privacy policy about the management of personal information by SAS.

1.4 Without limiting subclause 1.3, the APP privacy policy of SAS will contain the following information:

(a) The kinds of personal information that SAS collects and holds is information to enable the purpose of collection in (b) below;

(b) SAS will collect an individual's personal information either directly from the individual, or via vendor events, from our partners, or via marketing lists. SAS will hold the individual's personal information on our customer relationship management and marketing databases. SAS may also collect an individual's personal information submitted to SAS by an individual or a third party authorised by the individual for recruitment purposes.

(c) The purposes for which SAS collects, holds, uses and discloses personal information is for the marketing and distribution of SAS software products and services, and associated services and training.

(d) An individual may access personal information about the individual that is held by SAS or seek the correction of such information by contacting the SAS Privacy Officer via Tel. (02) 9428 0428, via the website or via the email address: info@oz.sas.com;

(e) an individual may complain to SAS about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds SAS by contacting the SAS Privacy Officer via Tel. (02) 9428 0428, via the website or via the email address: info@oz.sas.com and SAS will take reasonable steps to promptly and fairly deal with such a complaint;

(f) SAS is likely to disclose personal information to overseas recipients for the purposes of SAS technical support or for SAS software, services training or education or marketing purposes

(g) The countries in which such recipients are located are in SAS technical support centers under “follow the sun” escalation, and to the SAS headquarters in Cary, North Carolina in the USA and to SAS offices in the Philippines and in New Zealand;

1.5 SAS will take such steps as are reasonable in the circumstances to make its APP privacy policy available:

(a) free of charge; and

(b) in such form as is appropriate.

If a person or body requests a copy of the APP privacy policy of SAS in a particular form, SAS will take such steps as are reasonable in the circumstances to give the person or body a copy in that form. This policy is available to the individual as a download from this website without any charge by SAS, and for reasonable postage or other charges on reasonable request in a particular form as well.

2. Australian Privacy Principle 2—anonymity and pseudonymity

2.1 Individuals have the option of not identifying themselves, or of using a pseudonym, when dealing with SAS in relation to a particular matter. SAS takes reasonable steps to procure the individual's personal information in an anonymised or encrypted form unless this is impractical.

2.2 Subclause 2.1 does not apply if, in relation to that matter:

(a) SAS is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or

(b) it is impracticable for SAS to deal with individuals who have not identified themselves or who have used a pseudonym.

2.3 SAS will use personal information where the individual's personal information is required to contact or identify the individual in the normal course of business.

2.4 An individual may contact or deal with SAS without revealing the individual's identity in anonymity or using a pseudonym only if this is reasonable and practical in the normal course of business.

3. Australian Privacy Principle 3—collection of solicited personal information

3.1 SAS will not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of SAS' functions or activities.

3.2 SAS will not collect sensitive information about an individual unless:

(a) the individual consents to the collection of the information and the information is reasonably necessary for one or more of SAS' functions or activities; or

(b) subclause 3.4 applies in relation to the information.

3.3 This subclause applies in relation to sensitive information about an individual if:

(a) the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(b) a permitted general situation exists in relation to the collection of the information by SAS; or

(c) a permitted health situation exists in relation to the collection of the information by SAS;

3.4 SAS will collect personal information only by lawful and fair means.

3.5 SAS will collect personal information about an individual only from the individual unless:

(a) the individual consents to the collection of the information from someone other than the individual; or

(b) SAS is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or

(c) it is unreasonable or impracticable to do so.

3.6 This principle applies to the collection of personal information that is solicited by SAS, and SAS will only collect an individual's personal information that is reasonably necessary for, or directly related to, our functions or activities.

1. Australian Privacy Principle 4—dealing with unsolicited personal information

4.1 If:

(a) SAS receives personal information; and

(b) SAS did not solicit the information;

SAS will, within a reasonable period after receiving the information, determine whether or not SAS could have collected the information under Australian Privacy Principle 3 if SAS had solicited the information.

4.2 SAS may use or disclose the personal information for the purposes of making the determination under subclause 4.1.

4.3 If:

(a) SAS determines that SAS could not have collected the personal information; and

(b) the information is not contained in a Commonwealth record;

SAS will, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified as promptly as is practicable.

4.4 If subclause 4.3 does not apply in relation to the personal information, Australian Privacy Principles 5 to 13 apply in relation to the information as if SAS had collected the information under Australian Privacy Principle 3.

5. Australian Privacy Principle 5—notification of the collection of personal information

5.1 At or before the time or, if that is not practicable, as soon as practicable after, SAS collects personal information about an individual, SAS must take such steps (if any) as are reasonable in the circumstances:

(a) to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or

(b) to otherwise ensure that the individual is aware of any such matters.

5.2 The matters for the purposes of subclause 5.1 are as follows:

(a) the identity and contact details of SAS;

(b) if:

(i) SAS collects the personal information from someone other than the individual; or

(ii) the individual may not be aware that SAS has collected the personal information;

(iii) the fact that SAS so collects, or has collected, the information and the circumstances of that collection;

(c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order — the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/tribunal order, that requires or authorises the collection);

(d) the purposes for which SAS collects the personal information;

(e) the main consequences (if any) for the individual if all or some of the personal information is not collected by SAS;

(f) any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which SAS usually discloses personal information of the kind collected by SAS;

(g) that the APP privacy policy of SAS contains information about how the individual may access the personal information about the individual that is held by SAS and seek the correction of such information;

(h) that the APP privacy policy of SAS contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds SAS, and how SAS will deal with such a complaint;

(i) whether SAS is likely to disclose the personal information to overseas recipients;

(j) if SAS is likely to disclose the personal information to overseas recipients — the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.

1. Australian Privacy Principle 6—use or disclosure of personal information

6.1 If SAS holds personal information about an individual that was collected for a particular purpose (the primary purpose), SAS will not use or disclose the information for another purpose (the secondary purpose) unless:

(a) the individual have consented to the use or disclosure of the information; or

(b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.

6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:

(a) the individual would reasonably expect SAS to use or disclose the information for the secondary purpose and the secondary purpose is:

(i) if the information is sensitive information — directly related to the primary purpose; or

(ii) if the information is not sensitive information — related to the primary purpose; or

(b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(c) a permitted general situation exists in relation to the use or disclosure of the information by SAS; or

(d) SAS is SAS and a permitted health situation exists in relation to the use or disclosure of the information by SAS; or

(e) SAS reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

6.3 If:

(a) SAS is the first organisation collecting the information; and

(b) subsection 16B(2) applied in relation to the collection of the personal information by SAS;

SAS will take such steps as are reasonable in the circumstances to ensure that the information is de-identified before SAS discloses it in accordance with subclause 6.1 or 6.2.

6.4 If SAS uses or discloses personal information in accordance with paragraph 6.2(e), SAS must make a written note of the use or disclosure.

7. Australian Privacy Principle 7—direct marketing

7.1 If SAS holds personal information about an individual, SAS will not use or disclose the information for the purpose of direct marketing.

7.2 Despite subclause 7.1, SAS may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

(a) SAS collected the information from the individual; and

(b) the individual would reasonably expect SAS to use or disclose the information for that purpose; and

(c) SAS provides a simple means by which the individual may easily request not to receive direct marketing communications from SAS (the Opt Out option); and

(d) the individual have not made such a request to SAS.

7.3 Despite subclause 7.1, SAS may use or disclose personal information (other than sensitive information) about the individual for the purpose of direct marketing if:

(a) SAS collected the information from:

(i) the individual and the individual would not reasonably expect SAS to use or disclose the information for that purpose; or

(ii) someone other than the individual; and

(b) either:

(i) the individual have consented to the use or disclosure of the information for that purpose; or

(ii) it is impracticable to obtain that consent; and

(c) SAS provides a simple means by which the individual may easily request not to receive direct marketing communications from SAS (via an Opt-Out function, for example); and

(d) in each direct marketing communication with the individual:

(i) SAS includes a prominent statement that the individual may make such a request; or

(ii)SAS otherwise draws the individual’s attention to the fact that the individual may make such a request; and

(e) the individual have not made such a request to SAS.

7.4 Despite subclause 7.1, SAS may use or disclose sensitive information about the individual for the purpose of direct marketing if the individual have consented to the use or disclosure of the information for that purpose.

7.5 Despite subclause 7.1, SAS may use or disclose personal information for the purpose of direct marketing if:

(a) SAS is a contracted service provider for a Commonwealth contract; and

(b) SAS collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and

(c) the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

7.6 If SAS uses or discloses personal information about the individual:

(a) for the purpose of direct marketing by SAS; or

(b) for the purpose of facilitating direct marketing by other organisations;

(c) the individual may:

(d) if paragraph (a) applies — request not to receive direct marketing communications from SAS; and

(e) if paragraph (b) applies — request SAS not to use or disclose the information for the purpose referred to in that paragraph; and

(f) request SAS to provide its source of the information.

7.7 If the individual make a request under subclause 7.6, SAS will not charge the individual for the making of, or to give effect to, the request and:

(a) if the request is of a kind referred to in paragraph 7.6(c) or (d) —SAS will give effect to the request within a reasonable period after the request is made; and

(b) if the request is of a kind referred to in paragraph 7.6(e) — SAS will, within a reasonable period after the request is made, notify the individual of its source unless it is impracticable or unreasonable to do so.

7.8 This principle does not apply to the extent that any of the following apply:

(a) the Do Not Call Register Act 2006;

(b) the Spam Act 2003;

(c) any other Act of the Commonwealth, or a Norfolk Island enactment, prescribed by the regulations.

8. Australian Privacy Principle 8—cross-border disclosure of personal information

8.1 Before SAS discloses personal information about an individual to a person (the overseas recipient):

(a) who is not in Australia or an external Territory; and

(b) who is not SAS or the individual;

SAS must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by SAS and to be a breach of the Australian Privacy Principles.

8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by SAS to the overseas recipient if:

(a) SAS reasonably believes that:

(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and

(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or

(b) both of the following apply:

(i) SAS expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;

(ii) after being so informed, the individual consents to the disclosure; or

(c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by SAS;

8.3 Individuals who submit their personal information to SAS (including via a recruitment agent) for recruitment purposes consent to:

(a) SAS storing that personal information on its human resources databases located on overseas servers in the countries in which SAS conducts its business and maintained by other companies in the SAS company group; and

(b) SAS disclosing that personal information to human resources personnel of other companies in the SAS company group and located outside Australia; and

on that basis they consent to such disclosure and storage of personal information and SAS will no longer be required to take steps as are reasonable in the circumstances to ensure the overseas recipients do not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to that personal information.

9. Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers

9.1 SAS will not adopt a government related identifier of an individual as its own identifier of the individual unless:

(a) the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order; or

(b) subclause 9.3 applies in relation to the adoption.

9.2 SAS will not use or disclose a government related identifier of an individual unless:

(a) the use or disclosure of the identifier is reasonably necessary for SAS to verify the identity of the individual for the purposes of SAS's activities or functions; or

(b) the use or disclosure of the identifier is reasonably necessary for SAS to fulfil its obligations to an agency or a State or Territory authority; or

(c) the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or

(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier; or

(e) SAS reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

(f) subclause 9.3 applies in relation to the use or disclosure.

9.3 This subclause applies in relation to the adoption, use or disclosure by SAS of a government related identifier of an individual if:

(a) the identifier is prescribed by the regulations; and

(b) SAS is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations; and

(c) the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.

10. Australian Privacy Principle 10—quality of personal information

10.1 SAS will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that SAS collects is accurate, up-to-date and complete.

10.2 SAS will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that SAS uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

11. Australian Privacy Principle 11—security of personal information

An individual's personal information will be held in SAS customer relationship management and marketing databases, and SAS will take all reasonable steps to hold and process this information securely.

11.1 If SAS holds personal information, SAS will take such steps as are reasonable in the circumstances to protect the information:

(a) from misuse, interference and loss; and

(b) from unauthorised access, modification or disclosure.

11.2 If:

(a) SAS holds personal information about an individual; and

(b) SAS no longer needs the information for any purpose for which the information may be used or disclosed by SAS under this Schedule; and

(c) the information is not contained in a Commonwealth record; and

(d) SAS is not required by or under an Australian law, or a court/tribunal order, to retain the information;

SAS must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

12. Australian Privacy Principle 12—access to personal information

12.1 If SAS holds personal information about an individual, SAS will, on request by the individual, give the individual access to the information.

12.3 As SAS is an organisation then, despite subclause 12.1, SAS is not required to give the individual access to the personal information to the extent that:

(a) SAS reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or

(b) giving access would have an unreasonable impact on the privacy of other individuals; or

(c) the request for access is frivolous or vexatious; or

(d) the information relates to existing or anticipated legal proceedings between SAS and the individual, and would not be accessible by the process of discovery in those proceedings; or

(e) giving access would reveal the intentions of SAS in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(f) giving access would be unlawful; or

(g) denying access is required or authorised by or under an Australian law or a court/tribunal order; or

(h) both of the following apply:

(i) SAS has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to SAS's functions or activities has been, is being or may be engaged in;

(ii) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or

(i) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

(j) giving access would reveal evaluative information generated within SAS in connection with a commercially sensitive decision-making process.

12.4 SAS will:

(a) respond to the request for access to the personal information within a reasonable period after the request is made; and

(b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

12.5 If SAS refuses:

(a) to give access to the personal information because of subclause 12.2 or 12.3; or

(b) to give access in the manner requested by the individual; SAS will take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of SAS and the individual.

12.6 Without limiting subclause 12.3, access may be given through the use of a mutually agreed intermediary.

12.8 SAS may charges the individual for giving access to the personal information, but the charge will not be excessive and will not apply to the making of the request.

12.9 If SAS refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, SAS must give the individual a written notice that sets out:

(a) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and

(b) the mechanisms available to complain about the refusal; and

(c) any other matter prescribed by the regulations.

12.10 If SAS refuses to give access to the personal information because of paragraph 12.2(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.

13. Australian Privacy Principle 13—correction of personal information

12.1 If:

(a) SAS holds personal information about an individual; and

(b) either:

(i) SAS is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or

(ii) the individual requests SAS to correct the information;

SAS will take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.

13.2 If:

(a) SAS corrects personal information about an individual that SAS previously disclosed to another APP entity; and

(b) the individual requests SAS to notify the other APP entity of the correction;

SAS will take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

13.3 If SAS refuses to correct the personal information as requested by the individual, SAS will give the individual a written notice that sets out:

(a) the reasons for the refusal except to the extent that it would be unreasonable to do so; and

(b) the mechanisms available to complain about the refusal; and

(c) any other matter prescribed by the regulations.

13.4 If:

(a) SAS refuses to correct the personal information as requested by the individual; and

(b) the individual requests SAS to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;

SAS will take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

13.5 If a request is made under subclause 13.1 or 13.4, SAS:

(a) will respond to the request within a reasonable period after the request is made; and

(b) will not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).

 

If you have any queries relating to your personal information or how SAS deals with your Privacy you may contact the SAS Privacy Officer via Tel. (02) 9428 0428, via the website, or via the email address: info@oz.sas.com.

Regional Statements


Back to Top