M2 GROUP OF COMPANIES
Privacy laws that apply to M2
M2 is required to comply with the Privacy Act 1988 (Cth) and is bound by the Australian Privacy Principles ('APPs') set out in that Act. The APPs establish minimum standards for the collection, use, disclosure and handling of personal information. They apply to personal information in any form, including electronic and digital form. The APPs can be accessed at the website of the office of the Australian Information Commissioner: www.privacy.gov.au.
M2 is also subject to other laws relating to the protection of personal information. In certain circumstances, M2 may be subject to privacy obligations under the Telecommunications Act 1997 (Cth). M2's direct marketing activities must also comply with the Do Not Call Register Act 2006 (Cth) and the Spam Act 2010 (Cth). If M2 collects health information, it may be required to comply with statutory requirements relating to health records.
- 'Privacy Law' refers to any legislative or other legal requirement that applies to M2's collection, use, disclosure or handling of personal information.
- 'Personal information' means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in material form or not. Personal information includes sensitive information.
- 'Sensitive information' means personal information about an individual's racial or ethnic origin, political opinions or memberships, religious beliefs or affiliations, philosophical beliefs, professional or trade association/union memberships, sexual preferences and practices or criminal record.
Why does M2 collect personal information?
M2 collects personal information in order to:
- manage and administer the products and services we provide;
- inform customers about changes and improvements in M2 products and services;
- market products and services of the M2 Group Companies to current and prospective customers;
- market third party products and services to current and prospective customers; and
- comply with our legal obligations.
M2 needs to be able to collect personal information for most of its business activities, although the information we require depends on the particular circumstances. If we are unable to collect the personal information we need, we may be unable to meet the expectations of our customers or provide the products and services they wish to receive.
Whose personal information does M2 collect?M2 collects or holds personal information about individuals who are:
- Prospective customers. This includes people we think may be interested in our products and services as well as people who have expressed interest in obtaining or learning more about those products and services.
- Current customers. This includes people who purchase a product or service from any of the M2 Group Companies.
- Past customers. These are people who have purchased products or services from any of the M2 Group Companies but do not currently hold any active accounts with any of the M2 Group Companies.
M2 may treat current and past customers as prospective customers for other M2 products and services.
M2 may collect personal information about associates of its customers, such as family members, employees or agents. For example, M2 may collect personal information about nominated or authorised representatives, the holder of a credit card that is used to pay a customer's account, a person who acts as a secondary account holder, a person who acts as guarantor for a credit contract, the landlord of a tenanted property or the nominated contact on a business account.
M2 may in rare circumstances collect personal information from people who are under the age of 18. If M2 does this, M2 may also collect personal information about the parent or guardian of that person.
M2 also collects personal information about all the individuals who are involved in providing M2 products and services. This includes:
- staff of M2 Group entities and other companies in the M2 group; and
- service providers and suppliers, agents and affiliates, and their staff.
Can you deal with M2 without identifying yourself?
In some limited situations customers and other individuals may be able to deal with M2 anonymously or using a pseudonym. For example, if you make a general inquiry to one of our call centres, or want to make a complaint or log a service fault unless the inquiry or complaint relates to a particular account.
However, if you do not wish to be identified we may not be able to provide the information or assistance you require.
What personal information does M2 usually collect?
M2 collects a wide range of personal information about its customers, but the type and amount of information collected depends on the particular business context. However, M2 seeks at all times to ensure that it only collects the personal information that is necessary for the purposes of its business activities.
M2 needs to collect basic identifying and contact information for all customers, including prospective customers. This will usually include name, date of birth, email address, telephone number(s) and residential address.
M2 also collects information about purchasing patterns, consumer preferences and attitudes from prospective and current customers for marketing purposes, including to analyse markets, develop marketing strategies and to identify and develop products and services that may be of interest to its customers.
When you become, or apply to become, a customer of any of the M2 Group Companies, you will be redirected to the relevant website operated by the M2 Group Companies. Once redirected, the member of the M2 Group Companies may collect a range of other information that that it needs so that it can assess your application and manage your account(s). This includes:
- Proof of identity information, including passport number, driver licence number or other government identifiers. M2 Group Companies need this information to ensure our customer records are accurate and up-to-date. They also may be required to obtain proof of identity information by law. For example, members of the M2 Group Companies we are required under the Telecommunications Act 1997 to obtain specified proof of identity information before providing certain mobile telephone services.
- Financial and credit information, including credit history, employment history, remuneration details, bank account and credit card information, information about assets and income and details of relevant court judgments and bankruptcies. Members of the M2 Group Companies require this information to assess creditworthiness and financial suitability of current and prospective customers.
- Information about medical conditions and concession entitlement. M2 Group Companies need this information as they are required to assess eligibility for concessions or other benefits that may be available with M2 Group Companies products or services.
- Information relating to occupancy. M2 Group Companies may need information as they are required to establish that a customer has rights to occupy the property to which they provide services, and for this purpose may require copies of tenancy agreements, mortgage records or utility bills or supply records.
- Integrated Public Number Database (IPND). In providing telecommunications services, members of the M2 Group Companies are required by law to collect certain personal information about you, including your name, address, telephone service number and other public number customer details, and to provide it to the operator of the IPND) for inclusion in the IPND. Information in the IPND is used to develop directories and to assist emergency service organisations. If your phone number is unlisted, your information will be marked accordingly in the IPND and its use and disclosure will be strictly controlled.
We also collect information about the way our customers use products and services of the M2 Group Companies. This includes information about:
- service usage (including consumption patterns, use of communications services, internet usages);
- responses to offers made and/or promotions run by M2 or its affiliates;
- payment patterns and history; and
- inquiries and complaints.
We collect information about our employees and prospective employees for the purpose of making employment decisions and managing our staff. We also collect information about suppliers, service providers, agents and affiliates, and their staff, for the purposes of conducting our day-to-day business activities.
How does M2 collect personal information?
We collect personal information by various means and via various media, depending on the particular business context.
We collect information about prospective customers both directly and via our agents, service providers and affiliates. We may collect this information:
- through our call centres;
- through M2 websites, or websites operated by M2's affiliates;
- through social media platforms such as Twitter and Facebook; and
- through the purchase of marketing lists, databases and data aggregation services.
M2 receives unsolicited personal information from time to time. In accordance with its obligations under Privacy Law, M2 will decide whether it would have been permitted to solicit and collect that information and if it would not have been, will destroy or de-identify the information (provided it is lawful to do so).
What information will M2 give you when it collects personal information?
M2 is required by Privacy Law to take reasonable steps to ensure that you are made aware of certain information when it collects personal information about you. For example, we are required to:
- tell you which M2 entity you are dealing with and how to contact it;
- make sure you are aware that we have collected the information (if we collect it from a third party without your knowledge);
- identify any law that authorises or requires collection of the information;
- let you know the purposes for which we collect the information, the entities that the information is likely to be disclosed to and whether the information will be transferred outside Australia; and
- When personal information is collected via the M2 website or any affiliate website that M2 may advertise on, a statement is displayed or a link provided to a statement that sets out the information we are required to provide.
- A statement containing the required information is printed on the sign-up page of most of the standard forms we use to collect personal information.
- When you deal with us on the telephone, this information is given to you by the operator or via a recorded message.
If we collect personal information about you from a third party, we take reasonable steps to ensure you receive the information we are required to provide. However, we may do this by requiring the third party to provide the information, rather than us providing the information to you directly.
We may also include information about our collection of personal information in welcome packs, customer account statements, update bulletins, notices and other documents we give to our customers.
M2's use and disclosure of personal information
Where M2 collects personal information for a particular purpose, it may use and disclose the information for that purpose or another purpose that is related to that purpose (or that is directly related to that purpose in the case of sensitive information). For example:
- Personal information collected from you for the purpose of establishing or managing an account may be used and disclosed for related purposes such as supplying this information to members of the M2 Group Companies for identity verification, credit checking, assessing entitlement to concessions, supplying and servicing a product, connecting and administering a service, billing and collection in relation to the service and investigating and rectifying complaints or faults.
- Personal information collected for the purpose of establishing or managing an account may also be used for the purpose marketing of other M2 products and services. M2 may contact prospective, current or past customers about products and services (including products not related to a product or service previously supplied).
M2 may use personal information about prospective, current and past customers for the purpose of direct marketing of M2 products and services or those of other organisations. Direct marketing communications may be sent via post, e-mail, telephone, door to door canvassing, social media sites or other means. However:
- M2 will not use sensitive information for direct marketing purposes without your consent.
- Unless you have provided consent, or we think it is impracticable to obtain your consent, M2 will not use your personal information for direct marketing purposes where we have obtained the personal information from a third party, or we have collected it directly from you but believe that you would not reasonably expect the information to be used for direct marketing.
- Whenever we communicate with you for direct marketing purposes, we will give you the opportunity to opt out of receiving further direct marketing communications from M2.
- You may opt out of receiving direct marketing communications from M2 at any time by contacting us at firstname.lastname@example.org or calling 1300 765 499.
- If we use your personal information to facilitate direct marketing by other organisations on behalf of other organisations, you can ask us to provide the source of the information by contacting us at customerservice@M2.com or calling 1300 765 499.
Personal information about M2 staff, agents, affiliates and service providers is used and may be disclosed for the purpose of managing the relationship with the staff member or other entity.
M2 Group Companies may disclose personal information about customers to a range of third parties. For example, depending on the type of product or service, M2 may disclose customer information to a wholesaler or other third party who provides or assists to provide the service. Personal Information may also be disclosed to the Telecommunications Industry Ombudsman (for complaint management purposes).
Personal information may also be disclosed to third party agents and service providers who M2 engages to assist in the provision of products and services. These include:
- sales agents and representatives;
- printers, mail distributors, couriers and dispatch centres;
- call centres operated by entities outside the M2 Group;
- IT service providers and data managers;
- legal, accounting, insurance and business advisory consultants services
M2 may also disclose personal information without consent as authorised by privacy law for a range of other purposes, including:
- where necessary to prevent or lessen a serious threat to health or safety;
- for law enforcement or crime prevention purposes;
- for the investigation of unlawful activity;
- for location of missing persons; and
- for use in legal proceedings or dispute resolution.
In situations other than those described above, M2 will not disclose personal information without the customer's consent (although consent may be implied).
Is personal information disclosed outside Australia?M2 discloses some personal information to persons or organisations that are outside Australia.
- M2's customer service and marketing call centre operations are based in Manila, Philippines. Personal information about prospective, current and past customers is accessed by our Manila based staff for the purpose of sales and marketing, customer service, correspondence, provisioning, fault management and technical support activities.
- Database and webhosting services provided to M2 involve personal information being transferred to IT service providers based in India, Philippines, Singapore, New Zealand, the United Kingdom, Canada and the United States of America.
How does M2 protect your personal information?
M2 recognises the importance of protecting your personal information and of ensuring that it is complete, accurate, up-to-date and relevant.
While some of the personal information we collect is held in hardcopy form, most personal information is stored in electronic databases.
We have extensive processes in place to ensure that our information systems and files are kept secure from unauthorised access and interference. These include:
- System access is controlled by logins and different security levels. Access to customer information for all staff (including agents in our Manila call centre) is centrally controlled. Access requests must be supported by a request from senior management.
- Access authorisation is layered and access authorisations are specific to the job function of each staff member. Staff are only trained in areas of the system specific to the function of their job.
- Functional restrictions apply. Remote access is only available to selected senior staff members. Measures are taken to prevent printing, copying or recording of customer information that can be accessed electronically. For example, call centre team members work in a paperless environment, cannot print information and are not permitted to have mobile phones or cameras on the call centre floor.
- Account and system access and modification is logged to enable access or modification of any customer record by any staff member to be identified. Audits of access logs are conducted periodically.
- Our employees undergo privacy and information security training on induction and are required to sign acknowledgements of their obligations in relation information security and appropriate use of our IT systems.
- We have contractual arrangements in place with our agents, service providers and affiliates that require them to have comply with applicable privacy laws and M2 privacy policies. Our contractual arrangements with third parties who are outside Australia are designed to ensure that personal information transferred to those parties is afforded the same level of protection as would apply to the information in Australia.
Can you access or correct personal information M2 holds about you?
You have a right to access personal information we hold about you. If your request is particularly complex or requires detailed searching of our records, there may be a cost to you in order for us to provide you with this information.
If you believe there are errors in the information we hold about you, you have a right to ask us to correct the information.
However, we are not required to provide access where we believe doing so would:
- prejudice law enforcement or crime prevention activities;
- pose a serious threat to health or safety;
- have an unreasonable impact on the privacy of other individuals;
- prejudice M2 in legal proceedings or negotiations with you;
- reveal information connected with a commercially sensitive decision making process; or
- be contrary to law.
If you wish to have access to information M2 holds about you, you should contact M2 Customer Service.
Dealing with M2 on-line
We store the Internet Protocol (IP) address of your computer when you visit our site. This information is used only to create broad demographic summaries of where our users come from. Our use of these IP addresses, however, does not go so far as to identify the actual users of the site.
We collect personal information about the other websites that are visited by computers that are used to visit our site. This information may be aggregated to provide us with information about the types of webpages and websites, or particular webpages and websites, visited by computers that use our site.
Complaints and further information
If you believe your privacy has been interfered with and wish to make a complaint, please contact our Privacy Officer. The Privacy Officer will investigate your complaint and notify you of the outcome.
If it appears from your complaint that there has been an interference with privacy by a person other than M2, the Privacy Officer may discuss the complaint with that person in an attempt to resolve it.
If you are dissatisfied with the outcome of your complaint, or you do not receive a response to your complaint within 30 days, you may make a complaint to the Office of the Australian Information Commissioner (OAIC). Complaints to the OAIC must be made in writing. Where possible, complaints to the OAIC should be made through the online Privacy Complaint form, available at www.oaic.gov.au/privacy/making-a-privacy-complaint.
Attention: The Privacy Officer
Address: Level 10, 452 Flinders Street, Melbourne Victoria 3000