1.2 We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) and the EU General Data Protection Regulation 2016/679 (GDPR).
2. Our provision of the managed information technology products and services
2.1 We provide a range of information technology products and services such as managed hardware and software resale services, equipment hosting services and technical support services (collectively, the services).
2.2 We only enter into a contract with you for your subscription, license or use of one or more of our services. We do not enter into contracts with any of your end users.
2.3 The functionality, technical specifications and products that we provide to you depend on the particular requirements set out in the contract that we have with you.
2.4 Some of our services provide functionality that can be used by you to collect, process and disclose personal information about your end users.
3. Your responsibility for end user privacy
3.1 You are required to comply with all applicable privacy laws.
3.2 We rely on you to obtain all relevant privacy consents and authorisations from your end users required by law, in order for the personal information that is entered and/or transmitted via our services to be collected, disclosed and otherwise processed by us. We also rely on you to ensure that all of your end users’ personal information held by us is accurate, up to date, complete, relevant and not misleading.
4. The types of personal information we collect and hold
4.1 We collect the following types of personal information:
(a) Content entered into and/or transmitted via our services about end users: All information, including personal information, that is entered into and/or transmitted via our services (either by end users or otherwise) is stored in systems owned by third party vendors which is managed by us on your behalf. The types of personal information collected may include names, contact details as well as any other personal information entered into and/or transmitted via the services by, about or on behalf of an end user. In the course of providing our services we may host your databases or content. These databases and content may include personal information of your end users.
(b) Information about your personnel: We collect contact details of your personnel, such as names, contact information and billing information, including credit card details. Credit card details are not held by us, but are held by payment gateway providers that we use. Other than the last 4 digits of a credit card, all such credit card information is not accessible by us. For your personnel who are end users, we also collect the information about them referred to in paragraph (a).
(c) Information about our suppliers and contractors: We collect personal information about our suppliers and contractors in the course of engaging their services. The types of personal information we collect about them include names, contact details, addresses, medical information, occupation as well as any other information provided to us.
(d) Information required for the support, maintenance and security of our services: In order to support and maintain the services that we provide to you, we collect and process end user information including IP addresses, email addresses, user access logs, usernames, passwords and any personal information included in technical support tickets and error messages.
(e) Managed services technical data: When providing our services, we may monitor or access your or your end users’ computers, networks and other equipment remotely or on site. In the course of doing so, we will collect and process information about that equipment and any software and data processed by that equipment. This information includes IP addresses, server names and addresses, database names, network names, serial numbers, WiFi passwords, computer names, application names, browser history, user access logs, usernames, passwords, technical support log tickets, bandwidth capabilities, error messages, social media handles, FTP server addresses, hostnames, subnet masks, router names, hosting account usernames and passwords and software subscription details.
(f) Computer and network usage data of our employees and contractors: As part of our recruitment and management of personnel and contractors, we collect and process all of the following personal information: names, phone numbers, ABN details, business and company names, residential addresses, professional references, information included on resumes, academic transcripts, employment history, skills and qualifications, national police checks and criminal history records, bank account details, tax file numbers, superannuation details and relevant identification documents (such as driver’s licence and passports for visa and working permits). We also collect employee medical information, emergency contact details, dates of birth and next of kin details. Subject to applicable laws, we may carry out electronic surveillance of our personnel when they use our computer equipment, smartphone devices and networks (such as IP addresses, usage patterns, access logs and usernames, computer names, traffic firewalls and websites visited).
(g) Telecommunications Data: As an internet service provider, we are required to retain data about communications under Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). This information is retained for 2 years from the date that we create it. We are also required under the TIA Act to retain subscriber information for 2 years from the date the relevant account is closed. The data that we retain in accordance with our obligations under the TIA Act may be disclosed to law enforcement agencies. For further information about the specific types of personal information that we may be required to collect and retain under the TIA Act, please contact us.
5. How we collect personal information
5.1 Our policy is to be completely transparent about how and why we collect personal information and not to collect personal information by means that are unfair or unreasonably intrusive. We only collect personal information that is necessary to provide the services and to otherwise operate our business.
5.2 We collect personal information about your personnel in one or more of the following ways:
(a) when they contact us with enquiries about our services, whether by email, via our website or via telephone;
(b) during the preparation, negotiation and finalisation of the contract for the provision of services and for billing purposes; or
(c) when it is voluntarily disclosed to us (including, but not limited to via telephone, e-mail and online forms).
5.3 We will collect personal information about your end users in one or more of the following ways:
(a) when end users enter personal information into or via our services;
(b) when you provide personal information to us about your end users;
(c) in the course of providing our services; or
(d) when it is voluntarily disclosed to us (including, but not limited to via telephone, e-mail and online forms).
5.4 We will collect personal information about our employees, suppliers and contractors in one or more of the following ways:
(a) when we carry out background checks during the recruitment process or otherwise;
(b) when they respond to employment or contractor opportunities that we make available, enquire about available positions within our company, and when we conduct reference checks;
(c) when we trade business details with our suppliers and contractors;
(d) for workplace health and safety reasons;
(e) during the preparation, negotiation and finalisation of a contract that we enter into and for billing purposes thereafter; or
(f) when it is otherwise voluntarily provided to us.
6. How we use personal information
6.1 We use personal information about you, your end users and our suppliers and contractors to enforce our legal rights, comply with our legal obligations and as otherwise set out in the following table:
|Category||How we use and process that personal information||Our reason for collecting the personal information|
|Personal information about your personnel||
|Personal information about end users||
|Personal information about our employees, suppliers and contractors||
7. Analytics data
7.1 We also collect information about your end users known as analytics data, such as user location, information about devices accessing our services, the amount of time an end user spends in our services and in which parts of them, and the path navigated through them. However, all such information is de-identified data and not collected in a form that could reasonably be expected to identify an individual. In any event, we only use analytics data for the following internal business purposes:
(a) to help us review, enhance and improve our services; and
(b) to develop case studies and marketing material without identifying any end user.
8. How we hold and secure personal information
8.1 We hold and store personal information that we collect in our offices, computer systems and third party owned and operated hosting facilities. In particular:
(a) we use hosting facilities operated by reputable hosting providers (currently Zettagrid);
(b) personal information that is provided to us via email is held on our servers or those of our cloud-based email providers which have restricted access security protocols;
(c) we use third party owned cloud-based customer relationship management (CRM) and marketing platform providers to hold personal information about current and prospective customers;
(d) personal information is held on computers and other electronic devices in our offices and at the premises of our personnel; and
(e) we hold personal information that is provided to us in hard copy in files and folders in secure locations.
8.2 We take reasonable steps to protect personal information that we hold using such security safeguards as are reasonable in the circumstances to take against loss, unauthorised access, modification and disclosure and other misuse and to implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.
8.3 For example, we:
(a) perform security testing and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management and firewalls;
(b) carry out security audits of our systems which seek to find and eliminate potential security risks in our electronic and physical infrastructure as soon as possible;
(c) maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of information systems (electronic or otherwise);
(d) require all of our employees, agents and contractors to comply with privacy and confidentiality provisions in their employment contracts and subcontractor agreements that we enter into with them;
(e) carry out continuous monitoring, log analysis and auditing of our devices, storage and channels. This may be performed by our suppliers and contractors;
(f) have data backup archiving, data breach response plans and disaster recovery processes in place;
(g) implement passwords and access control procedures into our computer systems; and
(h) with respect to personal information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such personal information is securely de-identified (where permitted by law) or destroyed.
9. Disclosure of personal information
9.1. We only disclose personal information that we collect to third parties as follows:
(a) in order to provide the services to you;
(b) when performing contracts, we may outsource certain obligations to third party contractors in accordance with our contractual rights (such as hosting, consulting and other professional services). Professional services carried out by them may require access to an individual’s personal information. We ensure that all staff and contractors are aware of their information security responsibilities, are appropriately trained to meet those responsibilities and have entered into agreements which require them to comply with privacy and confidentiality obligations that apply to personal information that we provide to them;
(c) when we engage third parties to make marketing calls, to provide customer satisfaction surveys or send marketing emails. All individuals will be given the opportunity to ‘opt out’ of any direct marketing calls or emails;
(d) when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we request their representation in relation to a legal dispute;
(e) where a person provides written consent to the disclosure of their personal information;
(f) where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;
(g) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation);
(h) when we de-identify personal information and then use it for our or third party research purposes;
(i) where required in connection with a merger, sale or corporate reorganisation;
(k) when required to disclose personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements, or to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas; or
(l) where required by law.
10. Third party websites
10.1. Our website may include links to third party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third party website operator complies with applicable data protection laws. You and your end users should consider the privacy policies of any relevant third party website prior to sending personal information to them.
11. Interacting with us without disclosing personal information
11.2. Any person has the option of not identifying themselves or using a pseudonym when contacting us to enquire about our services.
12. Offshore disclosure
12.1. As a supplier of information technology services, including cloud services, we retain personal information on servers that may be located in a number of overseas countries. We may disclose personal information to our offshore service providers and personnel who assist us with providing our services and to assist us with the operation of our businesses generally. We will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles in relation to personal information.
13. How to access and correct personal information held by us
13.1 Subject to verification of your identity, you can contact us directly to access and correct personal information that we hold about you.
13.2 End users who have access to the services can amend personal information contained in their accounts, or delete their accounts, at any time, by logging into their accounts but only where such functionality is available or by contacting you, in the first instance. Once an account is deleted, we may still be required to retain the data in accordance with our contractual obligations or where required by law. End users who wish to make enquiries about the personal information held by them, should contact you in the first instance.
13.3 We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law.
14. Retention and de-identification of personal information
14.1 For the purposes of the Privacy Act 1988 (Cth), we may take such steps as are reasonable in the circumstances to de-identify the personal information that we hold about an individual where we no longer need it for any purpose for which it was collected and/or used, if the information is not contained in a Commonwealth record and we are not required by Australian law (or a court or tribunal order) to retain it.
15. Opt-out for direct marketing
15.1 You may opt out at any time from the use of your personal information for direct marketing purposes by emailing the instructions to firstname.lastname@example.org or by clicking on the “Unsubscribe” link located on the bottom of any of our marketing emails. Please allow us a reasonable time to process your request. You cannot opt out of receiving transactional e-mails related to the services.
16. Contact details
16.1 Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or to make a privacy complaint, may contact us using the following details:
Privacy Representative and Data Protection Officer
Level 1, 1 Chandos Street, St Leonards NSW 2065
+61 2 8338 3444
16.2 We will use our best endeavours to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis or otherwise resolving the complaint.
16.3 If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the Australian Privacy Principles, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:
Office of the Australian Information Commissioner
Telephone: 1300 363 992
Address: GPO Box 5218, Sydney NSW 2001
17. Personal Data
18. Collection of personal data
19. Purpose of processing personal data and our legal basis for doing so
19.1 The table in paragraph 6.1 above sets out the legal basis under which we process personal data for the purposes of Article 6(1) of the GDPR.
20. Who will receive personal data
20.1 Detailed information about who we disclose personal information to is set out in paragraph 9 above. This applies equally to personal data governed by the GDPR.
21. International transfers
21.1 We only transfer personal data internationally as set out in paragraph 12 above in compliance with the GDPR. We have legally binding agreements in place that govern the receipt and processing of personal data transferred offshore. Information about other appropriate or suitable safeguards is available, on request.
22. Retention of personal data
22.2 Where you require personal data to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.
23. Requirement to provide personal data to us
23.1 Please see paragraph 11 above for information about the requirement to provide personal information to us and the limitations that apply where personal information is not provided. Those requirements and limitations apply equivalently to personal data governed by the GDPR.
24. Further processing activities by us
25. Rights under the GDPR
25.1 Under the GDPR, data subjects have a number of rights, including:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object to processing
25.2 You and your end users also have the right to lodge a complaint with the relevant supervisory authority.
25.3 End Users are encouraged to contact you in the first instance, if they wish to exercise any of their applicable rights under the GDPR.