Lexer Pty Limited ABN 59 146 105 320 (Lexer) is a data analytics, consumer insights and information strategy business operating globally from a head office in Melbourne, Australia.
We support leading global and national businesses in the management and analysis of data, including personal information, that those businesses collect about customers and prospective customers for their products and users of their services.
Lexer Pty Limited is an Australian corporation and conducts its Australian operations in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) which form part of that Privacy Act.
Those businesses then entrust that data, including personal information, to us as their sub-contractor for analysis of that data. The data may then be combined with other data, including personal information, that we collect from publicly available sources about individuals to whom that data relates, for data analysis by Lexer Group to support our customers in the conduct of their businesses.
To the extent that relevant national privacy laws permit:
Personal information may be either collected directly by us or provided (disclosed) to us by someone else.
Relevant national privacy laws are privacy and data protection laws however described that apply in particular nations to either:
- collection by Lexer Group companies (or collection by other persons including businesses that then disclose to Lexer Group companies) personal information about individuals within those nations; or
- activities of Lexer Group companies (whether use or other handling or processing or disclosure) within those nations.
Relevant laws affecting Lexer Group operations use different definitions of ‘personal information’, ‘personally identifying information’, ‘personal data’ and like terms.
Pursuant to the Australian Privacy Act, ‘personal information’ is information or an opinion about an individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in material form or not. Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
Pursuant to the Singapore Personal Data Protection Act 2012, ‘personal data’ means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
‘Personal data’, ‘special categories of data’, ‘process’, ‘processing’, ‘controller’, ‘processor’, ‘Data Subject’ and ‘Supervisory Authority’ are defined in relation to member nations of the European Union by Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘the Directive’).
Where the meaning of ‘personal information’ as used in the Australian Privacy Act differs from the meaning of the corresponding term under a relevant national privacy law, references to ‘personal information’ should be read as references to the corresponding term as defined and used in a relevant national privacy law.
There is a type of personal information variously called ‘sensitive information’ or ‘special categories of data’ that is subject to more stringent obligations under some relevant national privacy laws. Such information variously includes information about an individual’s health (including predictive genetic information), racial or ethnic origin, political opinions, membership of a political association, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, biometric information that is to be used for certain purposes and biometric templates. We do not knowingly collect, hold or use such information. If we become aware that such information has inadvertently been inadvertently collected or is inadvertently held by us, we will destroy it.
3. COLLECTION AND USE OF PERSONAL INFORMATION BY US
- Lexer Group companies each conduct business as a data analysis services provider. This business involves analysis, use and disclosure of data, including personal information about identifiable individuals, in accordance with an agreement between a Lexer Group company and its customer.
- Sometimes our activities involve combination of data, including personal information, collected by our customer and disclosed to Lexer that relates to a purchaser of goods or services supplied by our customer with other personal information about the same identifiable individual, as collected by a Lexer Group company from publicly available sources, and provision by the relevant Lexer Group company to that customer of results of analysis of that combination of data. The agreement between a relevant Lexer Group company and its customer will usually regulate the manner of subsequent permitted use, handling and disclosure by the customer or anyone else to whom that may be permitted to on-provide relevant results.
- Where a Lexer Group company is receiving personal information for the purposes of providing services to a customer, the personal information we receive will depend on the information provided by a customer and the purpose for relevant results are required by that customer. Such information may include photos, names, postcodes, addresses, date of birth, email addresses, membership numbers and other information directly related to our clients’ products and services being offered to our clients’ customers.
- We directly collect personal information from social networking sites and services by the use of interfaces and feeds made available by providers of social networking sites, including Twitter, Facebook and Instagram. In some cases we may match and combine personal information collected by us from social networking sites by the use of interfaces and feeds made available by providers of social networking sites with personal information provided to us by a business.We collect this personal information on the basis that individuals posting to pages or on feeds that are generally available expect collection, use and disclosure of their posts, including for data analytics conducted about those posts and the individual making such posts.
- Each Lexer Group company that collects and uses personal information about any identifiable individual from a publicly available source assesses whether the collection and use is made a manner both reasonably contemplated and permitted by the provider of that publicly available source. Where the collection and use is made a manner both reasonably contemplated and permitted by the provider of that publicly available source, each Lexer Group company relies upon that provider to:
- comply with relevant national privacy laws applying to the provider’s activities; and
- to provide the necessary notices as required by relevant national privacy laws to that identifiable individual and to obtain the necessary consents from that individual to permit collection and disclosure by the provider of that publicly available source of that personal information, including disclosure in a manner reasonably contemplated and permitted by the provider of that publicly available source.
- Where we directly collect personal information from social networking sites we do so only through the use of interfaces and feeds as made available by providers of social networking sites. We will not disclose any personal information about an identifiable individual derived from those analytics to any third party that may use that personal information for any other purpose except where that third party has itself given fair and transparent notice to an affected individual of that use and we believe that this third party is operating in compliance with relevant national privacy laws.
- Some relevant national privacy laws (such as Australian Privacy Principle APP 3.6) provide that business such as Lexer Pty Limited that collects personal information about an identifiable individual must do so only directly from that particular relevant individual, unless it is unreasonable or impracticable for the business to collect personal information only directly from the individual. Whether it is ‘unreasonable or impracticable’ to collect personal information only from the individual concerned depend on the circumstances of the particular case, including whether the individual would reasonably expect personal information about them to be collected directly from them or from another source, the sensitivity of the personal information being collected, any privacy risk if the information is collected from another source and the time and cost involved of collecting directly from the individual. It is not reasonable or practicable for a Lexer Group company to verify that each individual in relation to whom personal information (not being sensitive information) is provided to us by a customer for which Lexer acts as a sub-contractor is actually aware that personal information will be provided by that customer to the relevant Lexer Group company or as to uses (including matching and combination) and disclosures that may then be made of that personal information by Lexer. We will take all reasonable steps to verify that our customer is permitted use and disclose personal information they collect and hold as to identifiable individuals, in the manner described below.
- Each Lexer Group company that collects and uses personal information about an identifiable individual from a customer of that Lexer Group company relies upon the customer that collects and discloses personal information about any identifiable individual to that Lexer Group company to provide the necessary notices to that individual and to obtain the necessary consents from that individual to permit and enable the business to disclose that data, including personal information, to the relevant Lexer Group company as the data analytics services provider for business activities carried out for the customer, including analysis, use and disclosure of personal information about an identifiable individual that is a customer of that business.
- For example, Lexer Pty Limited, as an Australian corporation generally requires each customer dealing with Lexer Pty Limited to undertake in writing that the customer has provided the privacy statement and privacy notices and obtained the necessary privacy consents to enable that customer to disclose personal information about any identifiable individual to Lexer Pty Limited to enable Lexer to undertake its data analysis activities for that customer, including any combination of personal information, in compliance with the Privacy Act 1988 (C’th), including the Australian Privacy Principles (APPs), and all other Australian privacy and data protection laws, mandatory codes and other mandatory requirements of Australian law. We endeavour to verify such undertakings by reviewing the privacy statement, relevant privacy notices and relevant privacy consents which that customer informs us are in general use by that customer.
- Each Lexer Group company will also require prompt remedy of any non-compliance with relevant national privacy laws by any customer with whom a Lexer Group company deals where that Lexer Group company becomes aware that this customer is not in fact operating in compliance with relevant national privacy laws.
- We may disclose personal information to a third party where:
- that third party is a contractor engaged to provide products or services to us. This may include disclosure to contractors outside of Australia. Our agreement with such contractors will require that they keep personal information confidential and that they only use or disclose any personal information that we provide to them for the purposes of providing those goods or services to us;
- this disclosure is in connection with the sale of some or all of the business or assets of a Lexer Group company; or
- this disclosure is authorised by relevant national privacy laws, including to lessen or prevent a serious threat to life or health, to protect the personal safety of the public, if authorised or required by other laws, if we have reason to suspect that unlawful activity has been, is being or may be engaged in, to enforce the law or where necessary to investigate a suspected unlawful activity, or an individual would reasonably expect or has been informed that their personal information will be used or disclosed to third parties in a particular way.
- Each Lexer Group company will not use or disclose any personal information of an identifiable individual for a purpose other than as above described unless:
- an individual would reasonably expect that the Lexer Group company would use or disclose the personal information for that secondary purpose and that purpose is related to the primary purposes for which it was provided to the Lexer Group company. For example we may use personal information received from our customers for the purposes of providing services above described for responding to billing enquires by our customers;
- that individual has consented to the use of that personal information for the secondary purpose; or
- the secondary use or purpose is required or permitted under relevant laws.
4. ANONYMITY AND PSEUDONYMITY
- we are required or authorised by or under law, or court / tribunal order, to deal with an individual who has identified himself / herself; or
- it is impractical for us to deal with an individual who has not identified themselves or who has used a pseudonym (in a job application for example)
5. DIRECT MARKETING
We will comply with laws relating to direct selling, distance selling, direct marketing and spam, including APP 7 and the Australian Spam Act 2003 (Cth), in relation to any activity by a Lexer Group company that is regulated in relation to that activity, including:
- allowing an individual to opt out of receiving any further direct marketing from us; and
- in each written communication from us, setting out our business address, telephone number and, if the communication with that individual is made by fax, telex or other electronic means, a number or address at which we can be directly contacted electronically.
Where we use personal information for the purposes of business to business direct marketing, we rely on relevant exceptions in national privacy laws to do so.
- A cookie is a small file containing information specific to a user, passed through an internet protocol such as a web browser and stored on a device.
- We may also be provided with:
- Cookies data or other anonymous identifiers, if provided by clients and relating to use by other persons of our client’s websites. We receive this information as part of the information required to deliver products and services to our clients. We use this information to conduct analytics for our clients and to analyse trends and identify audiences and customers for our clients.
- Cookies data, anonymous identifier data, device information, log information and other information, if provided by ad serving services or advertising networks and relating to use by other persons of third party websites serviced by those ad serving services or advertising networks. We receive this information to provide products and services to our clients, including for the conduct of analytics for our clients and to analyse trends and identify audiences and customers for our clients.
- Many browsers and internet access devices are set by default to accept cookies. However, if you do not wish to receive any cookies you may set your browser or configure your internet access device to either prompt you whether you wish to accept cookies on a particular site, or by default reject cookies. Please note that rejecting cookies may mean that some or all of the features and functionality of particular websites or internet services will not be available to you.
7. QUALITY OF YOUR PERSONAL INFORMATION
- Where we collect personal information from an individual directly, we take steps to ensure that the personal information we collect, use and disclose is accurate, up to date and complete. These steps include maintaining and updating any personal information when we are advised by an individual that their information has changed.
- Where we collect personal information about an individual from a third party, we rely on that third party to ensure that information it collects is accurate, up to date and complete.
8. ACCESS AND CORRECTION OF YOUR PERSONAL INFORMATION
- An individual may request access to their personal information held by us. Subject to any permitted exception under the Privacy Laws, we shall give that individual access to that information. If an individual notifies us that the information we hold about them is not accurate, we will take reasonable steps to correct that information. To the extent that we have received any personal information indirectly (for example, from a business for whom we act as sub-contractor), we will notify that business that it has received a request from an individual to access or correct the personal information it has provided to us.
- If you require access to your personal information, please email Lexer at firstname.lastname@example.org. Before we provide you with access to your personal information we will require some proof of identity.
- For most requests, your information will be provided free of charge, however, we may charge a reasonable fee if your request requires a substantial effort on our part.
- If we refuse to provide you with access to the information, we will provide you with reasons for the refusal and inform you of any exceptions relied upon under the APPs (unless it would be unreasonable to do so).
- We take reasonable steps to ensure that your personal information is accurate, complete, and up-to-date whenever we collect or use it. If the personal information we hold about you is inaccurate, incomplete, irrelevant or out-of-date, please contact us and we will take reasonable steps to either correct this information, or if necessary, discuss alternative action with you.
9. RETENTION OF PERSONAL INFORMATION
We retain personal information after we have used the personal information for the purposes for which we collected or received it.
If we retain such personal information, it will only be used for the following purposes:
- as required by or under Australian law, or a court / tribunal order;
- as required for professional indemnity insurance; and
- in accordance with our back-up archive policy.
When no longer required, Lexer uses its best endeavours to ensure that all such information will be destroyed in a secure manner and in a reasonable time frame.
10. HOW WE HOLD AND SECURE YOUR PERSONAL INFORMATION
The security of your personal information is important to us.
We take reasonable steps to prevent the personal information we hold about you from misuse, interference or loss, and from unauthorised access, modification or disclosure. This includes the use of technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of your personal information.
11. LINKS TO OTHER WEBSITES
Sometimes our Website contains links to other websites. When you access a website other than our Website, we are not responsible for the privacy practices of that site. We recommend that you review the privacy policies of each website you visit.
12. HOW TO CONTACT US
If an individual:
- would like to access or inquire about any personal information we hold about that individual;
- would like to make a complaint about out handling of an individual’s personal information,
please contact us using the details below:
A: 86 Inkerman Street, St Kilda, VIC, 3182, Australia
T: +61 3 8658 8840
If you wish to make a complaint about an alleged breach of the Privacy Laws, we ask that you send us your complaint in writing to the email address listed above. We endeavour to respond to complaints within a reasonable period (usually 30 days). If you are not satisfied with our response, you may make a complaint to the relevant privacy regulator.
For Australia, complaints may be made to the Office of the Australian Information Commissioner by phoning 1300 363 992 or by email at email@example.com.