“Personal Information” is any sort of information or opinion about an individual, whether true or not.
AC3 is committed to ensuring the proper, open and transparent management and use of all Personal Information it collects and handles in accordance with applicable privacy laws, including the Australian Privacy Principles.
All our employees and contractors have responsibilities in respect of this Information Privacy and this policy, which will be regularly communicated.
The policy reflects and operates within the context of our values:
Our people are our brand; their passion, skill and smarts are what drive our business forward. We find a little fun in everyday because we love what we do.
We’re disruptive by nature and always evolving. We challenge norms and refuse conventions. We always deliver: we’re do-ers, not talkers.
Our relationships are everything. We connect with customers by really understanding their needs; and we connect with each other in a warm, genuine way.
Technology drives change. We make sure it’s change that’s good for our customers, good for our people, good for society, and good for the galaxy*.
*As best we can.
We reserve the right to vary or rescind this policy at any time.
2. Management of Personal Information
- the kinds of Personal Information that AC3 collects and holds
- how, and the purposes for which, AC3 collects, holds and uses Personal Information
- who AC3 discloses Personal Information to
- how an individual may access Personal Information about the individual that is held by AC3 and seek the correction of such information
- how an individual may complain about a privacy issue or alleged breach of the Australian Privacy Principles and how AC3 will deal with such a complaint
- whether AC3 is likely to disclose Personal Information to overseas recipients.
3. Collection and Storage
AC3 will only collect Personal Information that is necessary for its functions and activities. It will only collect Personal Information by lawful and fair means and not in an obtrusive way.
AC3 collects and holds different categories of information depending on the services being provided. The following types of Personal Information may be collected:
3.1 Employees, Contractors and Suppliers
AC3 collects Personal Information, directly from our employees, contractors and suppliers, about them. This Personal Information may include their name and contact details so that we can contact them. For employees and contractors we may also collect certain sensitive information, such as tax file number, next of kin, banking and superannuation details, remuneration details, employment checks (reference checks, Police Checks, Working with Children Checks, etc), injuries and attendance records.
The purpose of collecting such information is so we can meet our employer obligations (such as payroll and making superannuation contributions), to contact next of kin in an emergency, and to ensure that our people (employees and contractors) have the skills, experience, qualifications and clearances required to perform services for our AC3 and our customers.
All Personal Information about employees and contractors will be held securely, in locked filing cabinets with restricted access and/or in password protected files.
We may also collect feedback and information from third parties relating to our employees, contractors and suppliers’ performance of services for AC3. This information is collected for the purposes of monitoring our contractors and suppliers’ performance of services and to ensure that we are able to provide the highest quality products and services to our customers.
3.2 Job Applicants
If you apply for a position at AC3 we may collect your name, contact details and any information that you have provided us as part of your job application. This may include information contained in your CV, your driver’s license and/or passport. We may also collect Personal Information relating to you from third parties you have identified as referees or references in your job application. We may also require you to undertake criminal record check (“Police Check”), Working with Children Check and/or other pre-employment checks that are required for either ours or our customer requirements. This information is solely used for the purposes of determining your suitability for the role that you have applied for.
3.3 Customers and their employees
When you become a customer we may collect Personal Information from you such as your name, contact details and bank account details.
All customer Personal Information collected by AC3 is solely used for our business functions and activities. It may be used for the following purposes:
- for billing purposes (e.g. credit checking, invoicing) and order fulfilment
- to contact you in relation to our provision of services to you
- to respond to your requests, enquires, complaints and/or other customer service related activities
- to maintain your account details
- to provide technical support – for example, account creation, password reset
- to provide you with information in relation to our products, services or other information that you may have requested
- to streamline and personalise your experience while dealing with AC3
- to undertake customer satisfaction surveys and to tailor AC3 information, services or products in order to improve and enhance those services and products provided to the customer.
AC3 may also collect from its customer’s Personal Information relating to its employees and customers; for example, payroll information. This Personal Information is solely used so that we can facilitate provision of the services our customers have requested.
AC3 may use de-identified Personal Information derived from our customers and our customers’ employees and customers use of our products and services in order to provide AC3 with anonymous demographic and customer usage information. AC3 will then use this anonymous, aggregated information to develop new and or more appropriate services and products to offer to our customers.
4. Quality of Personal Information
AC3 will ensure, to the extent reasonably possible, that Personal Information collected, used or disclosed is accurate, up-to-date, complete and relevant. If AC3 becomes aware that any of the Personal Information it holds is inaccurate it will take prompt steps to update its records so that those records are correct.
5. Data Security
AC3 takes active measures to ensure the security of Personal Information it holds against misuse, interference, loss and unauthorised access, modification or disclosure.
All Personal Information is stored at secure premises. Electronic Personal Information is stored using the highest quality data management tools and IT security systems and controls including passwords and firewalls.
When we no longer require Personal Information it is securely destroyed and disposed of.
Our security systems are regularly reviewed and internally and externally audited so that we can identify any potential security weaknesses and take steps to promptly rectify them. AC3 is certified to ISO 27001 Information Security Management Systems standard.
5.1 Access to Restricted Information
AC3 employees and/or contractors, during the course of their employment or engagement, may have access to Restricted Personal Information about our Customers in the course of working on our Customers’ IT Systems.
Restricted Personal Information includes but is not limited to:
- Personal Information our Customers hold about their customers and/or clients;
- Criminal Records, such as criminal convictions, spent criminal convictions, and other corrective services records;
- Personal Information about children and children-at-risk; and/or
- Personal Information which is protected at law by the Privacy Act and/or other legislation.
Prior to being granted access to IT Systems that contain such Restricted Personal Information, AC3 requires relevant employees to undergo Police Checks and other Checks (such as a Working with Children Check) to ensure there is not a prohibited reason that prevents them from being in contact with such Restricted Personal Information.
Under no circumstance is such Restricted Personal Information permitted to be used, disclosed, collected, stored or illegally accessed by AC3 employees. Nothing in this policy gives permission to employees to breach the privacy of such Restricted Personal Information.
Breaches or suspected breaches of such information privacy is viewed very seriously by AC3, as not just a breach of this policy but as a breach of relevant legislation. As a result, any breach or suspected breach of policy and/or legislation will be treated as such, with immediate referral to relevant law enforcement authority(ies) for investigation, and/or disciplinary action, up to and including termination of employment may result.
6. Direct Marketing
AC3 will only engage in direct marketing practices in accordance with the law. At any time an individual or organisation may contact firstname.lastname@example.org to request that it no longer receives any marketing material or information from AC3.
7. Disclosure and Retention of Personal Information
As part of providing our services, AC3 may disclose Personal Information to third party suppliers and contractors of services, banks or other financial institutions, and to customers. In these cases, AC3 expects these organisations to protect the privacy of that Personal Information.
In particular, if a customer requires us to provide Personal Information about our staff (employees and contractors) who will be providing services to our customers (for example, Police Clearance Certificates, Working with Children Checks, professional experience/qualifications), this Personal Information is subject to the relevant customer signing a Non-Disclosure Agreement about the collection, use, storage and retention of such Personal Information.
Other than in the cases outlined above, AC3 will not disclose Personal Information to any other third party unless it has reasonable grounds to believe:
- The individual has authorised the disclosure, OR
- The safety of the individual, or the safety of others in the community is at risk, OR
- AC3 is required or permitted by law to do so (includes responsibilities related to statutory reporting and preventing breaches of the law)
As a provider and user of cloud services, AC3 retains Personal Information on servers within NSW, Australia. Contractor payroll information may also be located on servers in London, England.
AC3 will take all reasonable steps to ensure that no person or entity, including any overseas entity, breaches any privacy laws applicable either locally, or in the country where the entity is located.
AC3 only retains Personal Information for as long as required by law and needed for our business functions and activities. It is then securely destroyed and disposed of.
8. Website Browsing
Accessing AC3’s websites will result in some information being logged including the time of access, your IP address and the pages that have been viewed or accessed.
AC3’s websites may contain links to external websites. AC3 is not responsible for the content or privacy policies that govern such external websites.
9. Access and Correction of Personal Information
Subject to verification of your identity, if we hold Personal Information about you, you may make a request to access, update or correct this Personal Information.
Access and correction requests should be made in writing to one of the contact addresses below.
We will endeavour to respond to written requests for access and correction of Personal Information within 10 business days after a request is received by us, unless extenuating circumstances exist.
AC3 will take all reasonable steps to ensure that Personal Information is accessed by employees/contractors only to the extent necessary for AC3 to undertake its business activities.
9.1 BYOD Policy
As part of AC3’s Bring Your Own Device (BYOD) Policy, we may use a Mobile Device Management (MDM) solution which may install software onto employees’ Personal Electronic Devices to enforce the BYOD policy and make management of company confidential data easier and keep personal data separate from work-related data.
We take our employee’s privacy seriously, therefore any MDM solution we select will, as far as reasonably practical, prevent us from accessing your personal data (including personal: messages, photos, emails, internet usage, phone calls and other personal data contained on your Personal Electronic Device), and where not reasonably practicable to prevent us from accessing your personal data on your Personal Electronic Device, our policy is that we will not access your personal data, and any breach of our policy will be treated as such.
All complaints relating to the handling and management of Personal Information by AC3 or any breach of the applicable privacy laws, including the Australian Privacy Principles should be addressed to one of the contact addresses below.
In order to deal with complaints appropriately, please include the information listed below together with your complaint:
- A summary of the privacy concern or alleged breach
- Any action, or inaction, AC3 has taken, or failed to take, regarding the matter
- Copies of any relevant documentation in connection with the complaint, including any communications that AC3 has had with you.
AC3’s Privacy Officer will investigate the complaint, and, if necessary, may refer the complaint to the relevant department at AC3 that the complaint relates to or refer the complaint to an external investigator contracted by AC3. AC3 will endeavour to respond to complaints within 20 business days unless extenuating circumstances exist.
AC3 will take immediate steps to redress proven privacy concerns or breaches.
If you are not satisfied with AC3’s response and your complaint relates to a privacy concern or alleged breach, you may take your complaint to the Office of the Australian Information Privacy Commission (Telephone: 1300 363 992).
11. Access to this Policy
This policy can be viewed at our website at www.ac3.com.au
You can also request a copy of this policy from one of the contact addresses below.
12. Contact Information
The Privacy Officer
PO Box 156
Alexandria NSW 1435
13. Further Information
This Policy is subject to regular review, at least every 2 years from the last review. It was last reviewed on 12 October 2015.