Privacy Policy
1. PURPOSE
Zig Zag Railway Co-operative Limited ABN 96 139 641 108 (Zig Zag Railway) is committed to protecting the privacy of all individuals’ Personal Information, Sensitive Information and Health Information that it may collect and hold.
The purpose of this Privacy Policy is to inform individuals about Zig Zag Railway’s obligations to manage Personal Information in accordance with:
- Privacy Act 1988 (Cth)
- The Australian Privacy Principles (APPs)
- Health Records and Information Privacy Act 2002 (NSW)
This Policy should be read in conjunction with Zig Zag Railway’s Safety Management System.
Zig Zag Railway is committed to:
- The responsible collection and management of Personal Information
- Providing individuals with the right to access the Personal Information held about them
- Providing individuals with the right to correct their Personal Information
- Appropriately handling privacy queries and complaints
- Only sharing Personal Information when permitted by law
- Ensuring staff, volunteers and contractors understand their privacy obligations
2. DEFINITIONS
| Term | Meaning |
|---|---|
| Personal Information | Information or an opinion about an identifiable individual |
| Sensitive Information | Includes racial origin, beliefs, union membership, criminal record, etc. |
| Health Information | Information about physical or mental health, disability, medical needs |
Unless otherwise stated, references to Personal Information include Sensitive and Health Information.
3. POLICY STATEMENT
Zig Zag Railway collects and holds a range of Personal Information necessary to manage and administer its railway operations, visitor services, volunteer programs, events, retail and café services, governance obligations, and regulatory compliance.
Zig Zag Railway collects Personal Information from:
- Employees
- Volunteers
- Contractors
- Passengers and guests
- Members
- Tour operators and group booking partners
- Suppliers
- Job and volunteer applicants
- Event attendees
This may include:
- Full name
- Address, phone number and email
- Date of birth
- Identification documents (for employment/volunteering)
- Payment details (ticketing, retail, café, events)
- Emergency contact details
- Dietary or accessibility requirements for catered events
- Rail Safety Worker and medical assessment information (where required)
Sensitive or Health Information is generally only collected from employees and volunteers, or where required for safety, catering, accessibility, or legal compliance.
Parental or caregiver consent is obtained for individuals under 18.
4. COLLECTION OF PERSONAL INFORMATION
When collecting Personal Information, Zig Zag Railway will:
- Only collect information necessary for its functions and activities
- Inform individuals of the purpose of collection
- Advise who information may be disclosed to
- Advise how to contact Zig Zag Railway
- Take reasonable steps to ensure accuracy and relevance
5. WEBSITE, COOKIES AND DIGITAL INTERACTIONS
When collecting Personal Information, Zig Zag Railway will:
- Only collect information necessary for its functions and activities
- Inform individuals of the purpose of collection
- Advise who information may be disclosed to
- Advise how to contact Zig Zag Railway
- Take reasonable steps to ensure accuracy and relevance
6. PURPOSES FOR COLLECTION
Zig Zag Railway collects Personal Information for purposes including:
- Recruitment and management of workers
- Ticket sales and bookings (including tour operators and group travel)
- Retail, café, dining experiences and events
- Memberships, fundraising and donations
- Surveys, feedback and visitor engagement
- Safety, incident reporting, and regulatory compliance
- Child Safety and wellbeing reporting obligations
- Marketing, newsletters and visitor communications
Individuals may opt out of marketing communications at any time.
Information may be disclosed to authorities where required, including NSW Police, SafeWork NSW, Transport for NSW, and/or child protection agencies.
7. USE AND DISCLOSURE OF PERSONAL INFORMATION
Zig Zag Railway will not use or disclose Personal Information for purposes other than those for which it was collected unless:
- Required by law
- Required for safety or regulatory compliance
- Reasonably expected by the individual
- Consent has been provided
Information may be disclosed to NSW Police, SafeWork NSW, Transport for NSW, and/or child protection authorities.
8. DATA SECURITY
Personal Information may be stored:
- In secure hard copy files
- Within secure digital systems and cloud software used by Zig Zag Railway
- In ticketing, POS, finance and worker management systems
Security measures include:
- Confidentiality requirements for workers
- Controlled access to offices and systems
- Password protection and multi-factor authentication
- Secure storage and disposal of documents
- Secure website protections
9. CCTV AND SURVEILLANCE
Zig Zag Railway operates closed circuit television (CCTV) surveillance cameras across its stations, platforms, public precincts, buildings, car parks, retail and café areas for the purposes of:
- Safety and security of visitors and workers
- Protection of railway assets and heritage infrastructure
- Assisting with the investigation of incidents, accidents, complaints or unlawful activity
- Supporting compliance with rail safety and child safety obligations
CCTV cameras are installed only in public and operational areas. Cameras are not installed in bathrooms, change rooms, or private spaces.
Clear signage is displayed across Zig Zag Railway premises advising visitors that CCTV surveillance is in operation.
CCTV footage is considered Personal Information under privacy legislation and is:
- Stored securely
- Accessible only by authorised personnel
- Retained for a limited period before being automatically overwritten, unless required for investigation
- Provided to NSW Police or other authorities where required by law
CCTV footage is not used for staff performance management.
Zig Zag Railway’s CCTV system has the technical capability to record audio; however, audio recording is disabled. Zig Zag Railway does not record conversations or sound in any location. Surveillance is limited to video footage only.
10. RECORDING OF COMMUNICATIONS
Phone calls
Inbound and outbound landline phone calls to Zig Zag Railway may be recorded. For externally initiated calls, callers are notified via an automated message prior to speaking with a staff member.
These recordings are used for:
- Training and quality assurance
- Resolving customer enquiries or disputes
- Safety and incident investigation
- Operational record keeping
Online meetings and video conferencing
Some online meetings conducted by Zig Zag Railway may be recorded, including:
- Video
- Audio
- Automated transcripts
Participants are notified when a recording is in progress by the meeting platform.
Recordings may be used for:
- Internal training
- Meeting minutes and record keeping
- Project and operational documentation
- Governance and compliance purposes
Storage and access
Audio, video and transcript records are:
- Stored securely within Zig Zag Railway’s systems
- Accessible only to authorised personnel
- Retained only as long as reasonably required
These recordings are considered Personal Information and are managed in accordance with this Privacy Policy.
11. OPERATIONAL RADIO COMMUNICATIONS
Zig Zag Railway utilises two-way radio communications for the safe operation of trains and coordination of rail activities across the railway precinct.
All operational radio communications are automatically recorded as part of Zig Zag Railway’s rail safety and incident management systems.
These recordings are used for:
- Rail safety and operational monitoring
- Incident investigation and review
- Training and compliance purposes
- Supporting regulatory and safety obligations
Radio recordings may incidentally capture background voices of visitors or members of the public within the vicinity of railway operations.
These recordings are:
- Stored securely within authorised systems
- Accessible only by authorised personnel
- Retained only as long as reasonably required for safety, operational or compliance purposes
Radio recordings are considered Personal Information and are managed in accordance with this Privacy Policy.
12. NETWORK, LAN/WAN AND GUEST WI-FI MONITORING
Zig Zag Railway provides guest Wi-Fi access for visitors, and manages its internal LAN/WAN infrastructure to support operational, retail, administrative and visitor services.
When individuals use Zig Zag Railway’s guest Wi-Fi network or other network services, certain technical information may be collected and logged, including but not limited to:
- Device identifiers (e.g. MAC addresses)
- IP addresses
- Connection timestamps and duration
- Data usage and traffic patterns
This information is collected for the purposes of:
- Securing the network and preventing unauthorised access
- Managing service performance
- Detecting and preventing misuse or harmful activity
- Supporting complaint handling, investigations and cybersecurity compliance
Logged network information is considered Personal Information where it can be associated with an identifiable individual and is managed in accordance with this Privacy Policy and applicable privacy law. Users are advised that guest Wi-Fi is a shared public network, and they should exercise caution when accessing sensitive services while connected. Users must agree to any terms and conditions presented at the point of Wi-Fi login.
Network traffic on the secure LAN/WAN used for operational, administrative and business systems is managed, monitored and logged for performance, security and compliance, with access restricted to authorised personnel and systems.
13. DESTRUCTION AND DE-IDENTIFICATION
Personal Information is retained only as long as required for operational, legal, safety, child protection, and/or historical record purposes.
When no longer required, information is:
- Securely shredded (paper records)
- Permanently deleted or de-identified (digital records)
Some records may be archived in accordance with NSW records and child safety retention requirements.
14. DISCLOSURE OUTSIDE NSW OR AUSTRALIA
Some Zig Zag Railway systems and software providers may store data outside NSW or Australia.
Where this occurs, Zig Zag Railway takes reasonable steps to ensure the provider complies with privacy laws equivalent to the Australian Privacy Principles.
15. ACCESS AND CORRECTION
Individuals may request access to or correction of their Personal Information at any time.
Requests should be made in writing to the CEO.
If access or correction is refused, written reasons will be provided.
16. COMPLAINTS AND ENQUIRIES
Internal privacy concerns (workers)
Privacy concerns may be raised with the People & Purpose Manager.
External privacy concerns (customers, visitors, partners)
All privacy enquiries should be directed to the Chief Executive Officer, who acts as the Privacy Officer.
Zig Zag Railway will treat the complaint confidentially, and will aim to resolve the complaint in a timely and appropriate manner.
Privacy Officer
Zig Zag Railway Co-operative Limited
840 Chifley Road, Clarence NSW 2790
Email: ceo@zigzagrailway.com.au
If an individual is dissatisfied with the response received, they may make a complaint to the Office of the Australian Information Commissioner:
Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au
17. POLICY REVIEW
This policy will be reviewed periodically to ensure ongoing compliance.