How we collect personal information
ScanPlan provides near field communications devices and associated services for use in transport management, location-based tracking (of scan device), data management and reporting. Our customers include educational institutions, bus and other transport companies, and event and facilities managers.
We collect personal information about individuals that use our services and the services we support, being for example students and their families, bus drivers, teachers, and employees and service providers of our customers. We also collect personal information about others we deal with, such as our service providers and contractors. This Policy applies to all such individuals (you).
Points at which we collect personal information include when a client, service provider or user:
- enters into an agreement with us to provide or receive a service;
- uses our services;
- activates or uses a device or an app that we provided, or that we use to provide our services;
- provides us with information such as lists of names, addresses and contact details
- makes an inquiry or deals with us over the telephone, by letter or by email; or
- visits our website, uses a ScanPlan online or app-based service, or logs on to a RollCall online or mobile account.
The information we collect may include your name, physical location, address, educational or other institution, telephone numbers, cheque and Email address.
There may be occasions when we source personal information about you from a third party (for example a credit reporting agency, your employer, a marketing company or your school).
ScanPlan may also obtain non-personally identifying information about you, such as browser type, version and language, operating system, pages viewed while browsing the Site, page access times and referring website address.
How we use personal information
The primary purpose of collecting any relevant personal information is to be able to provide goods and services, including by passing information between a school and transportation company (and vice versa), for example. Names and addresses of our customers may also be provided to a mailing house to mail account statements to each customer, and to debt collection agencies to collect outstanding debts.
We may also use or disclose personal information for other purposes such as:
- helping us to identify products and services that may interest you and provide you with relevant information about them (but you may unsubscribe from our marketing list at any time);
- in developing and planning our business; and
- helping us to improve our services using marketing data and analytics.
ScanPlan discloses personal information to various contractors and third party suppliers, as well as our client schools and transportation companies, in order to supply our services. Our contractors, suppliers and clients are also subject to privacy laws and should have in place similar protections as we have ourselves.
We do not directly send personal information outside Australia, but some of the service providers, platforms, app providers or app stores that we use to provide our services may store or process data including personal information, outside Australia.
If we do not have access to personal information, we may be limited in the extent to which we are able to provide ScanPlan services, and our customers in turn may be unable to provide services to you.
Protection of personal information
All personal information is held securely on ScanPlan’s physical files, computer systems or databases that we control ourselves or manage through third party IT suppliers. Information is only available to our staff and suppliers on a need-to-know basis, and is protected by firewalls, SSL encryption, secure passwords and authorisation protocols. We have adopted internal policies covering data security and information management, that all staff are familiar with and required to comply with.
To provide our services, we need to share information over the internet and to cloud service providers. Information will be encrypted and the providers we use have protections in place, but security is not guaranteed due to the nature of the internet.
To meet the requirements of the Privacy Act in relation to notifying affected individuals of a data breach should one occur, we have adopted and will follow a Data Breach Notification Policy.
Keeping Information up to date
We will take reasonable steps to ensure the personal information we collect and hold is accurate. If you believe that any information we hold about you is inaccurate, we will correct it if you let us know.
You can request details about your personal information
Please contact us if you wish to find out about the personal information we hold about you. We will need to verify your identity before giving you access. If your request is complex, we will ask you to put it in writing and will usually deal with such a request within 14 to 30 days.
Except as authorised under our service terms or by the individual, as required by law, or as otherwise provided in this policy, ScanPlan will not give out personal information to any third party.
We may not be able to tell you what personal information we hold about you in certain circumstances including where the information relates to anticipated legal proceedings or where the information would reveal commercially sensitive information.
GDPR and UK-GDPR
Application of the General Data Protection Regulations
Principles of processing your Personal Data
We process your Personal Data (as defined in the General Data Protection Regulation and United Kingdom General Data Protection Regulation) in accordance with the principles of data processing set out in the GDPR and UK-GDPR including, but not limited to, processing your Personal Data:
(1) in a manner that is lawful, fair and transparent;
(2) for specified, explicit and legitimate purposes;
(3) to the extent that it is adequate, relevant and necessary for the specified legitimate purposes;
(4) in a manner that maintains the accuracy of the Personal Data;
(5) for no longer than is necessary;
(6) in a secure and safe fashion; and
(7) with accountability.
Purposes for processing Your Personal Data
(2) In the event that we intend to process your Personal Data for any other purpose, we will obtain your consent for the processing of your Personal Data for that new purpose or otherwise rely on another lawful basis to process your Personal Data.
Lawful basis for processing your Personal Data
(2) You have the right to withdraw your consent to the processing of your Personal Data at any time.
(a) To perform or enter into any contract we have with you.
(b) To comply with a legal obligation to which we are subject.
(c) To protect your vital interests or that of another person.
(d) Our legitimate interests in providing our services to you.
You may exercise the following rights (if applicable) on the terms permitted by the GDPR or UK-GDPR:
(1) The right to be informed about information in relation to your Personal Data.
(2) The right to access your Personal Data.
(3) The right to rectify inaccurate Personal Data.
(4) The right to have your Personal Data erased.
(5) The right to restrict the processing of your Personal Data.
(6) The right to receive your Personal Data and to have it transmitted to a third party.
(7) The right to object to your Personal Data being processed.
(8) The right to object to automated decision making.
(1) We will advise the relevant supervisory authority of a data breach within seventy-two (72) hours of becoming aware, unless the breach is unlikely to result in a high risk to your rights and freedoms.
(2) In the event that the data breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.