March

Respect personal information and privacy

We respect your personal information and privacy and expect you to respect the personal information and privacy of others.

Personal information is any information or opinion relating to an identified or identifiable individual (such as current, former or prospective employees, contractors and business contacts). This information can include names, addresses, job applications, employment information, performance records, health and safety information, location data, opinions and correspondence to and from an individual.

More information on how we collect and process personal information, and on the rights a person has in relation to the personal information we hold about them, is in our Global Privacy Notice for BHP Workers (for those who work for BHP) and Privacy Policy (for all other individuals who provide personal information to BHP).

 


  • What this means for you

    Follow our standards and procedures on handling personal information and protecting privacy and only collect, use, disclose, retain or process personal information that is necessary to meet business requirements, as permitted by law in places where we operate.

     

    Always treat the personal information and privacy of others with respect.

     

Always

• Have a legal, legitimate and specific BHP business purpose for collecting, sharing, using or handling personal information and do not use it for any other purpose. If you are unsure about the purposes for which you are entitled to collect, share, use or handle personal information, seek advice from Legal.

• Collect the minimum amount of personal information legitimately necessary for the specific business purpose.

• Maintain the accuracy of your personal information as well as any personal information that you handle or process.

• Retain personal information for the minimum amount of time necessary and securely dispose of it when it is no longer required as detailed in the Data Global Standard.

• Notify individuals why their personal information is required and how it will be used and allow them to exercise their legal rights in relation to their personal information.

• Adequately safeguard personal information against unauthorised or unlawful handling, access, use, modification, sharing, loss, interference, destruction or damage.

• Check and comply with the country-specific legal requirements for handling personal information, as applicable from time to time.

• Follow the Data Global Standard when creating, capturing or managing information including records, non-records, personal information and controlled documents.

• Follow the Privacy by Design Checklist when designing a new or changed processing activity that involves personal information.

• Immediately report any actual or suspected unauthorised access to, modification or disclosure of, or loss, misuse or interference of personal information to your line leader and cybersecurity@bhp.com.

Never

• Access, use or share personal information without specific authorisation from your line leader or a clear business requirement.

• Retain personal information for longer than legally required or necessary for the purpose it was collected (or any other purpose permitted by law).

• Collect or process sensitive personal information unless explicit consent has been obtained from the individual or it is permitted by applicable laws and regulations.

• Store files without adequate protection and access restrictions if they contain sensitive personal information, such as health data or payroll information.

Hypothetical scenarios

  • Q: I suspect the payroll details of an employee may have been mistakenly shared with an incorrect recipient. Should I wait until they confirm they have received the data to report the potential breach?
    A: No, you must immediately report all suspected and confirmed data breaches to your line leader and cybersecurity@bhp.com.
  • Q: I’ve recently changed my address and phone number but haven’t informed anyone at BHP. Is this a problem?
    A: We are required by law to keep your personal information accurate and up to date to ensure that you or your next of kin can be contacted in an emergency. It is your responsibility to inform us of any changes to your personal information as soon as possible. You can do this online (via the Digital Workspace) or by providing the information to your line leader or 2Up leader.

     

  • Q: I have been requested to create a report that involves payroll details of individuals at a site. What are the requirements I need to be aware of while storing and sharing this report?
    A: You must ensure:

    • only the minimum amount of data necessary for the report is collected and used
    • the report is stored securely and proper access rights are administered to prevent unauthorised personnel from accessing the report
    • the file is password protected or encrypted prior to being shared with others.
  • Q: While engaging with a potential candidate for an upcoming role, they discussed sensitive information regarding a pre-existing medical condition. Can I keep a detailed record of everything the candidate has shared with me?
    A: No. You must first consider whether it is necessary for you to record all this information, as it may not be necessary for a legitimate BHP business purpose and the candidate may not have intended for BHP to have it on record. You must also consider whether the candidate has been made aware of BHP’s Privacy Policy (which explains what types of information BHP collects and why), and has provided their consent to the collection of their sensitive information (including their health information).

How to speak up

If you have questions about Our Code, speak to your line leader, 2Up leader, Ethics and Investigations, Compliance, or Legal. Employee Relations or a HR Business Partner can direct you to the relevant reporting options available. You can also seek further information and resources via BHP’s RespectChat. Anyone who works with us, on our behalf, or is associated with us, can also raise misconduct concerns via Integrity@BHP or the BHP Protected Disclosure Reporting Channel.

Online: Make a report in either Integrity@BHP or the BHP Protected Disclosure Reporting Channel

Phone: You can also contact the BHP Protected Disclosure Reporting Channel by phone