Keyton Holding Pty Limited as trustee for Keyton Trust ABN 44 349 706 307 (Keyton, we, our, us) is a leading owner, operator and developer of retirement living villages in Australia. We recognise and respect the importance of your privacy and that you have a right to control how your Personal Information is collected and used by us.
1. Key definitions
APPs means the Australian Privacy Principles under the Privacy Act which govern the standards, rights and obligations around the collection, use and disclosure of Personal Information, privacy governance and accountability, integrity and correction of Personal Information and the rights of individuals to access their Personal Information.
Online Platforms means the online platforms including any applications or apps we operate and any of our other websites or social media pages (including Facebook, Instagram and LinkedIn) managed by us.
Personal Information has the meaning given to it under the Privacy Act.
Privacy Act means the Privacy Act 1988 (Cth), as amended from time to time.
Privacy Officer means our first point of contact for all privacy related inquiries and matters, who can be contacted using the details set out in section 16 below.
Sensitive Information has the meaning given to it under the Privacy Act.
Services means the retirement living and related services provided by us to individuals including real estate, housing, hospitality, entertainment, property and garden maintenance, exercise and wellness services.
2. What is Personal Information?
Personal Information is defined in the Privacy Act as information or opinion about an identified individual (or an individual who is reasonably identifiable) whether the information or opinion is true or not and whether the information or opinion is recorded in material form or not.
Sensitive Information is a subset of Personal Information that is afforded higher levels of protection under the Privacy Act. It includes information or opinion about an individual's racial or ethnic origin, political opinion, religious beliefs, sexual orientation, criminal record or health information.
3. Types of Personal Information we collect
In order to provide you with our Services, we often need to collect your Personal Information. If we do not collect the Personal Information or if any of the Personal Information you provide is incomplete or inaccurate, we may not be able to perform some of our essential functions, such as managing a retirement living village, or assist you in case of an emergency.
Depending on the nature of the Services we provide to you, the Personal Information we collect may include:
(a) contact details (such as your name, gender, date of birth, address, email and phone details);
(b) contact details for any prescribed next of kin or medical professional;
(c) any pets you may have or acquire while living at a Keyton retirement village;
(d) health information, such as your medical history and mobility capabilities;
(e) information required for you to do business with us including bank account details, credit card information and any other relevant financial information;
(f) information concerning any relevant attorneys or other decision makers authorised to act on your behalf;
(g) registration numbers for government services such as Medicare, the Department of Veteran Affairs and a pension card;
(h) health fund details, if applicable;
(i) driver’s licence details and vehicle registration details;
(j) information on prior dealings with us;
(k) images including photographs and video recording; and
(l) any other Personal Information relevant to the Services we provide.
4. How we collect Personal Information
To provide our tailored and personalised Services, we collect Personal Information and Sensitive Information from you in various ways. Our general policy is to collect information from you directly and not from third parties. If it is unreasonable or impracticable to collect Personal Information from you directly, we may collect this information from a family member or someone nominated by you on your Resident Personal and Sensitive Information Form (ie, emergency contacts).
By providing us with your information (including Sensitive Information such as health information) or nominating someone else to provide it, you consent to us collecting your information.
We may also sometimes collect Personal Information through:
(a) our Online Platforms (including your interactions with us on our social media platforms and apps managed by us);
(b) forms (hardcopy and electronic) filled out by you when acquiring our Services;
(c) third party service providers, including health and wellness providers at our retirement villages;
(d) requests to join our mailing or distribution lists or to be contacted for further information about our products and/or Services;
(e) information provided by you when attending our events, promotions, functions or other social activities;
(f) provision of customer service and support;
(g) referrals from existing residents at our retirement villages;
(h) debt collection agencies if you default in a payment to us;
(i) family members or attorneys authorised to act on your behalf; and
(j) responses to surveys or research conducted by us or on our behalf.
Please note that we will primarily collect Sensitive Information (including health information) directly from you and with your consent except in permitted general situations under the Privacy Act where it is unreasonable or impracticable to do so.
5. Use of Personal Information
Our main purposes for collecting, holding, using and disclosing Personal Information are the following:
(a) to supply products or Services to our customers;
(b) to notify our customers about our new or existing products and Services;
(c) to notify you about our upcoming occasions, promotions, and village open days;
(d) to distribute material and general information relating to our Services;
(e) to obtain products and services from our suppliers;
(f) to respond to enquiries from existing or prospective customers seeking information about our products or Services;
(g) to enforce agreements between you and us;
(h) to undertake research and surveys and analyse statistical information;
(i) to comply with contractual, legislative and policy requirements including in relation to occupational health and safety and environmental matters;
(j) to improve our Services and products; and
(k) as otherwise permitted or required by law.
6. Disclosure of Personal Information
We will generally only use or disclose your Personal Information for the purpose for which it was collected (known as the "primary purpose"). For example, this might be to manage the retirement village according to the terms of your residence contract. We may, however, also use or disclose Personal Information for another purpose related to the primary purpose where you would reasonably expect it to be used or disclosed for such related purpose (known as the "secondary purpose") or with your consent (which may be express or implied). For example, this might include publishing your contact details in the Village Residents Directory or contacting your doctor or person granted Power of Attorney if necessary.
Sometimes, we may be required to disclose your Personal Information to third parties in certain circumstances including:
(a) where disclosure is required or permitted by law;
(b) to our related entities, in accordance with the Privacy Act;
(c) if disclosure will prevent or lessen a serious or imminent threat to someone's life or health; or
(d) where it is reasonably necessary for an enforcement related activity.
With regard to Sensitive Information (which includes your health information), we will only ever use or disclose your Sensitive Information with your consent, for the primary purpose for which it was collected or for another purpose directly related to the primary purpose where you would reasonably expect it to be used or disclosed for such a directly related purpose.
Unless we notify you otherwise, we do not make cross border disclosures to entities outside Australia, although some of the data servers where our electronic information and files are stored may be located overseas.
7. Storage and security
We take security of your Personal Information seriously. Your Personal Information is stored in a manner that strives to protect it from misuse and loss and from unauthorised access, modification or disclosure. Our people are aware of the importance we place on protecting your privacy and their role in helping us to do so.
When the Personal Information that we collect is no longer required, we will remove or de-identify the Personal Information as soon as reasonably possible. We may, however, retain Personal Information for as long as is necessary to comply with any applicable law, for the prevention of fraud, for insurance and governance purposes, in our IT back-up, for the collection of any monies owed and to resolve disputes.
Here are some examples of the things we do to protect your information.
Staff obligations and training
Service providers and overseas transfers
We use a mix of access cards, alarms, cameras, and other controls to protect our offices, villages and buildings.
Our websites and apps
When you log into our Online Platforms, we encrypt data sent from your computer or device to our system so no-one else can access it.
Destroying or de-identifying data when no longer required
8. Access to and correction of Personal Information
You are always welcome to request that we provide you with access to the Personal Information we hold about you by contacting us using the details listed in section 16 below. Generally, we will provide you with access to the information unless applicable laws allow us to refuse, or prevent us from giving you, access to the Personal Information we hold about you. We will never unreasonably refuse requests to access Personal Information.
Where we agree to provide you with access to your Personal Information, sometimes we may make this conditional on us recovering our reasonable costs of doing so. No fee will be incurred for requesting access, but if your request for access is accepted, you will be notified of the fee payable (if any) for providing access if you choose to proceed with your access request.
You may also lodge a request to correct Personal Information we hold about you if you believe it is inaccurate, incomplete, irrelevant, misleading or out of date. There is no fee for doing this. To do so, please contact us at the contact details listed in section 16 below.
9. Direct marketing
Like most businesses, marketing is important to our continued success and viability. We may use Personal Information we hold about you, from time to time, to send marketing materials to you. Generally, we only do so where you consent or where allowed by applicable laws. Our communications to you may be sent in various forms such as by post or by electronic means (including email and SMS).
If you wish to cease receiving this marketing information, please contact us directly on the contact details listed in section 16 below asking to be removed from our mailing lists, or use the "unsubscribe" or "update your preferences" facilities included in all our marketing communications.
Please be assured that we will never use your Sensitive Information for direct marketing purposes.
10. Our Online Platforms
We may also collect statistical information regarding the use of our Online Platforms via tools such as Google Analytics 4, including the domains and device types from which website users visit, IP addresses, the dates and times of visits, activities undertaken on our Online Platforms and other clickstream data. In addition, we sometimes use web beacon technology to monitor internet activity on our websites. A web beacon is a clear-pixel image that generates an anonymous de-identified notice of a website’s visit when viewed. A web beacon usually works in conjunction with a cookie.
11. Third parties
12. Employment and recruitment
If you send us an application to be considered for an advertised position (or unsolicited), this information may be used to assess your application or suitability for employment with us. This information may be disclosed to our related bodies corporate and service providers for purposes such as aptitude and psychological testing or other human resources management activities.
As part of the application process, you may be asked for your consent to the use and disclosure of certain Personal Information about pre-employment testing. We may also ask you to consent to the disclosure of your Personal Information to those people who you nominated to provide references. A refusal to provide any of this information, or to consent to its proposed disclosure, may affect the success of the application.
For information about our practices relating to employee records, please contact us at the contact details listed in section 16 below.
13. Notifiable data breaches
A notifiable data breach scheme is currently in place in Australia. We are committed to adhering to this scheme as an important step in preventing and managing serious privacy breaches.
A "data breach" means unauthorised access to, or disclosure, alteration, loss, or destruction of, Personal Information—or, an action that prevents us from accessing Personal Information on either a temporary or permanent basis. An "eligible data breach", in accordance with the Privacy Act, occurs when there is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates and we are unable to prevent the likely risk of serious harm with remedial action.
We, including all our people, take breaches of privacy very seriously. If we suspect a privacy breach has occurred, our priority is to contain and assess the suspected breach. In doing so, we will:
(a) take any necessary immediate action to contain the breach and reduce the risk of harm;
(b) determine the cause and extent of the breach;
(c) consider the types of information involved, including whether the personal information is sensitive in nature;
(d) analyse the nature of the harm that may be caused to affected individuals;
(e) consider the person or body that has obtained or may obtain personal information as a result of the breach (if known); and
(f) determine whether the Personal Information is protected by a security measure.
If we believe an eligible data breach has occurred we will, as soon as practicable, notify the Commissioner and all affected individuals or, if it is not possible to notify affected individuals, provide public notice of the breach (in a manner that protects the identity of affected individuals).
14. General Data Protection Regulation
We welcome the European Union General Data Protection Regulation (EU-GDPR) and the United Kingdom General Data Protection Regulation (UK-GDPR) as important steps forward in encouraging high standards of personal data security. Australian businesses of any size may need to comply if they have an establishment in the European Union (EU) or the United Kingdom (UK), if they offer goods and services in these regions (irrespective of whether a payment is required), or if they monitor the behaviour of individuals in these regions (where that behaviour takes place in the EU or the UK). From time to time, residents of the EU or the UK may utilise our Online Platforms.
Under the EU-GDPR and UK-GDPR, we may have some additional obligations with respect to the processing of "personal data" collected from residents of the EU and the UK. The meaning of personal data is similar to Personal Information—however, it is broader as it includes any information relating to an identified or identifiable natural person.
Where required, we will take appropriate steps to ensure that the personal data of EU and UK Residents is:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for legitimate purposes;
(c) accurate and up to date;
(d) kept for no longer than is necessary for the purposes for which it was collected; and
(e) secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We will comply with all obligations imposed on data importers under both the EU-GDPR and UK-GDPR with respect to the personal data of residents from these regions. To the extent that either regulatory scheme applies to our relationships with third parties, we will adopt the applicable Standard Contractual Clauses for international transfers.
Under the EU-GDPR and UK-GDPR, residents from these regions have the right to access personal data we hold about them and to request that personal data be corrected, updated, deleted or transferred to another organisation. EU and UK residents are also able to request that the processing of their personal data be restricted, or to object to their personal data being processed. To make any of these requests, please contact our Privacy Officer.
15. Contacting us
Attention: Privacy Officer
Level 45, Bourke Place
600 Bourke Street
Melbourne VIC 3000
We will endeavour to assess and respond to your query within 30 days. More information about your rights and our obligations in respect to privacy and information on making a privacy complaint are available from the Office of the Australian Information Commissioner at:
Post: GPO Box 5218 Sydney NSW 2001