Personal information is any information or opinion relating to an identified or identifiable individual (such as current, former or prospective employees, contractors and business contacts). This information can include names, addresses, job applications, employment information, performance records, health and safety information, location data, opinions and correspondence to and from an individual.
What this means for you
Follow our standards and procedures on handling personal information and protecting privacy and only collect, use, disclose, retain or process personal information that is necessary to meet business requirements, as permitted by law in places where we operate.
Always treat the personal information and privacy of others with respect.
• Have a legal, legitimate and specific BHP business purpose for collecting, sharing, using or handling personal information and do not use it for any other purpose. If you are unsure about the purposes for which you are entitled to collect, share, use or handle personal information, seek advice from Legal.
• Collect the minimum amount of personal information legitimately necessary for the specific business purpose.
• Maintain the accuracy of your personal information as well as any personal information that you handle or process.
• Retain personal information for the minimum amount of time necessary and securely dispose of it when it is no longer required as detailed in the Our Requirements for Information Governance and Controlled Documents standard.
• Notify individuals why their personal information is required and how it will be used and allow them to exercise their legal rights in relation to their personal information.
• Adequately safeguard personal information against unauthorised or unlawful handling, access, use, modification, sharing, loss, interference, destruction or damage.
• Check and comply with the country-specific legal requirements for handling personal information, as applicable from time to time.
• Follow the Our Requirements for Information Governance and Controlled Documents standard when creating, capturing or managing information including records, non-records, personal information and controlled documents.
• Follow the Privacy by Design Checklist when designing a new or changed processing activity that involves personal information.
• Immediately report any actual or suspected unauthorised access to, modification or disclosure of, or loss, misuse or interference of personal information to your line leader and firstname.lastname@example.org.
Never
• Access, use or share personal information without specific authorisation from your line leader or a clear business requirement.
• Retain personal information for longer than legally required or necessary for the purpose it was collected (or any other purpose permitted by law).
• Collect or process sensitive personal information unless explicit consent has been obtained from the individual or it is permitted by applicable laws and regulations.
• Store files without adequate protection and access restrictions if they contain sensitive personal information, such as health data or payroll information.
Q: I suspect the payroll details of an employee may have been mistakenly shared with an incorrect recipient. Should I wait until they confirm they have received the data to report the potential breach?
Q: I’ve recently changed my address and phone number but haven’t informed anyone at BHP. Is this a problem?
A: We are required by law to keep your personal information accurate and up to date to ensure that you or your next of kin can be contacted in an emergency. It is your responsibility to inform us of any changes to your personal information as soon as possible. You can do this online (via the Digital Workspace) or by providing the information to your line leader or 2Up leader.
Q: I have been requested to create a report that involves payroll details of individuals at a site. What are the requirements I need to be aware of while storing and sharing this report?
A: You must ensure:
- only the minimum amount of data necessary for the report is collected and used
- the report is stored securely and proper access rights are administered to prevent unauthorised personnel from accessing the report
- the file is password protected or encrypted prior to being shared with others.
How to speak up
If you have questions about Our Code, speak to your line leader, 2Up leader, Ethics and Investigations, Compliance, Legal, Employee Relations advisor, HR Business Partner or contact EthicsPoint. Anyone who works with us, on our behalf, or is associated with us, can also access EthicsPoint.
Online: EthicsPoint online
Phone: EthicsPoint Telephone