1. Privacy Policy Summary

1.1 Customs House Cafe Pty Ltd (Café Sydney, we, us, our) take privacy very seriously.

1.2 Our Privacy Policy outlines the types of personal information that we collect, why we collect

it and how we handle it.

1.3 We collect different types of personal information depending upon how we engage with you.

It is collected from various different sources including directly from you (e.g. when you book

to dine with us or apply to work with us) and from outside sources and third parties (e.g.

when we contact a referee).

1.4 The primary purpose for which we collect personal information from you is to best manage

our relationship with you and/or provide you with our goods and services. We may also

collect your personal information for reasons associated with these primary purposes. We

will only use your personal information if we have a lawful reason to do so.

1.5 The security of your personal information is very important to us and we have systems in

place to protect the personal information we hold. We securely store the personal

information that we collect.

1.6 This is a summary only. For more detail about how we manage your personal information,

please see the complete policy below.

1.7 To access or update your personal information or make a complaint in relation to Café

Sydney’s Privacy Practices, please contact the Chief Executive Officer via

jan@cafesydney.com

2. Commencement of this Policy

2.1 This Privacy Policy (Policy) applies from 29 September 2021.

3. Scope of this Policy

3.1 This Policy applies to all Café Sydney’s prospective, current, and former employees,

volunteers and contractors and its customers.

3.2 It does not form part of any person’s contract of employment or contract for goods or

services.

4. Purpose of this Policy

4.1 The Privacy Act 1988 (Cth) (Privacy Act) requires us to have a privacy policy.

4.2 We use all reasonable efforts to protect the privacy of individuals’ personal information and

to comply with the obligations imposed by the Privacy Act and the Australian Privacy

Principles (APP).

4.3 The purpose of this policy is to:

(a) provide for the fair collection and handling of Personal Information;

(b) ensure that Personal Information we collect is used and disclosed for fair and lawful

purposes only;

(c) protect the confidentiality of Personal Information through appropriate storage and

security;

(d) regulate access to and correction of Personal Information.

5. Collection of Personal Information

5.1 ‘Personal Information’ is defined as information or an opinion about a person from which an

individual’s identity can reasonably be ascertained. This includes any personal information orPage 2 of 4

opinions about the person, whether true or not, no matter how the information or opinions

are recorded.

5.2 The main way that we collect Personal Information is when we ask a person to give it to us.

5.3 We only collect Personal Information by fair and lawful means and only if the collection is

necessary for a purpose related to the proper operation of our business, a person’s

interaction with Café Sydney or a person’s employment.

5.4 Examples of the types of Personal Information that we may collect include:

(a) general identification information such as name, occupation, date of birth, gender;

(b) contact details such as address, email address, mobile phone number;

(c) educational qualifications, employment history, referee report;

(d) financial information such as credit card and bank account details;

(e) visa or work permit status and related information;

(f) communications between us and you.

5.5 ‘Sensitive Information’ is a subset of Personal Information and includes information about a

person’s health (e.g. COVID-19 vaccination status or medical exemption information), race or

ethnic origin, political or religious beliefs, membership of a trade union or association, sexual

preference or criminal record.

5.6 It may be necessary in some circumstances for us to collect some forms of Sensitive

Information if collecting it is reasonably necessary for or directly related to one or more of

our functions.

5.7 We will only collect and use Sensitive Information with your consent or where required or

authorised by or under an Australian law or in a de-identified manner.

5.8 Examples of the types of Sensitive Information that we may collect and store include health

information (e.g. COVID-19 vaccination status or medical exemption information). We do not

anticipate collection of other types of Sensitive Information.

5.9 Where Personal Information is collected from an entity, we consider it is that entity’s

responsibility to ensure they are entitled to disclose that information for our perusal in

accordance with our Privacy Policy, without us taking any additional steps.

5.10 If we receive Personal Information that we have not solicited and we could not have

obtained the information by lawful means, we will destroy or de-identify the information as

soon as practicable and in accordance with the law.

6. Use and Disclosure of Personal Information

6.1 We only use Personal Information (including Sensitive Information) for reasons related to the

proper operation of our business, a person’s interaction with Café Sydney or a person’s

employment. Reasons include:

(a) to provide services to our customers;

(b) to comply with legal and work, health and safety requirements including Public Health

Orders and our own requirements in relation to COVID-19 vaccinations;

(c) to maintain contact with our customers and other contacts and keep them informed of

or services or other events;

(d) for administrative purposes including processing payment transactions, charging and

billing and identifying breaches of our terms and conditions of engagement;

(e) for purposes relating to the employment of our staff and engagement of contractors,

including recruitment processes such as contacting referees, assessment of suitability,

background checks, and workforce management;

(f) for governance and compliance purposes including meeting any legal requirements;Page 3 of 4

(g) for other purposes relating to our business.

6.2 We do not use or disclose Personal Information for a purpose other than the primary

purpose of collection (secondary purpose), unless one of the following applies:

(a) you have consented to our using or disclosing your personal information for a secondary

purpose;

(b) the secondary purpose is related (or directly related for Sensitive Information) to the

primary purpose and you would reasonably expect disclosure of the information for the

secondary purpose;

(c) we believe on reasonable grounds that the disclosure is necessary to prevent or lessen a

serious and imminent threat to an individual’s life, health or safety or a serious threat to

public health or public safety;

(d) the use or disclosure is otherwise required or authorised by law.

6.3 We will not disclose personal information for the purpose of direct marketing by other

organisations.

6.4 We are unlikely to disclose Personal Information to overseas recipients.

7. Security of Personal Information

7.1 Café Sydney is committed to keeping your Personal Information secure. Café Sydney will take

all reasonable steps to ensure the Personal Information it holds is protected from misuse,

interference, loss, unauthorised access, modification or disclosure.

7.2 We store emails and personal information with third-party data service providers. We ensure

that these service providers comply with the Privacy Act or are subject to laws or schemes

that provide similar standards and protections.

7.3 Café Sydney keeps records relating to its employees and contractors in a secure storage area.

Records of previous employees or contractors are archived and stored in a locked service

away from general use.

7.4 Our security measures include, but are not limited to:

(a) training our staff on their obligations with respect to your Personal Information;

(b) using passwords when accessing our data storage system; and

(c) using firewalls and virus scanning tools to protect against unauthorised interference and

access.

8. Access to Personal Information

8.1 You may request access to any Personal Information we hold about you. Any such requests

must be made in writing.

8.2 We will consider any requests, but may refuse to provide access in circumstances where we

entitled to refuse access under the Privacy Act.

9. Correcting Personal Information

9.1 Café Sydney will take reasonable steps to correct Personal Information if we are satisfied that

it is inaccurate, out-of-date, incomplete, irrelevant, or misleading; or if the individual asks us

to correct the information.

10. Questions, Concerns or Complaints

10.1 If you wish to make a complaint about the way we have managed your Personal Information

you may make that complaint in writing by setting out the details of your complaint to the:

Chief Executive Officer by email: jan@cafesydney.com

10.2 The complaint will be investigated by us in accordance with our internal procedures and

processes.Page 4 of 4

10.3 You will be provided with a response to your complaint within a reasonable timeframe after

completion of any investigation. This response will be in writing and will include the outcome

of the investigation, any proposed action and details of the right to lodge a complaint with

any relevant external organisations.

10.4 We expect our procedures will deal fairly and promptly with your complaint. However, if you

remain dissatisfied you can contact the Australian Information Commissioner:

Complaints must be made in writing.

Office of the Australian Information Commissioner

GPO Box 5218

Sydney NSW 2001

1300 363 992

11. Privacy Officer

11.1 We have appointed a Privacy Officer to manage and administer all matters relating to this

Privacy Policy.

11.2 The Privacy Officer can be contacted if you wish to obtain more information about any aspect

of this policy or about the way in which we protect the privacy of Personal Information.

11.3 As stated above, complaints may also be made to the Privacy Officer if you suspect we have

breached this Privacy Policy.

12. Amendments of this Policy

12.1 Café Sydney reserves the right to vary, replace or terminate this policy from time to time.

Policy version and revision information

Policy Authorised by: Jan McKenzie

Title: Chief Executive Officer

Original issue: 29/09/2021

Policy Maintained by: Alex Bolam

Title: Director of Operations

Version: 1

Review date: 01/12/2024