On 12 March 2014 the Australian Privacy Principles (the Principles) entered into force. The Principles are found in Schedule 1 of the Privacy Act 1988 (Cth) (the Act). The Principles establish requirements for the way organisations collect, store and use an individual’s personal information. SECTARA is subject to the Principles and, to the extent applicable, the EU General Data Protection Regulation (GDPR) and is committed to safeguarding the privacy of its customers and website visitors.
“Personal information” is information which SECTARA holds which is identifiable as being about you. This includes information such as your name, email address, identification number or any other time of information that can reasonably identify an individual, either directly or indirectly.
The Policy applies to personal information that individuals provide to SECTARA or which SECTARA otherwise obtains, whether that information is provided under any agreement, at SECTARA’s offices, through its website, or through email, telephone or other communication with SECTARA’s employees or agents.
1. Collection of Information
Collection of Personal Information
SECTARA will, from time to time, receive and store personal information you enter onto SECTARA’s website, provided to SECTARA directly or given to SECTARA in other forms.
SECTARA may collect the following kinds of personal information from clients, a client’s representative(s) or otherwise from users of SECTARA’s website:
- full name;
- employer and role; and
- contact details, including a postal and a work address, email address and telephone number(s).
SECTARA may also collect additional information at other times, including but not limited to, when you provide feedback including via the SECTARA “knowledge base”, when you provide information about your personal or business affairs, change your content or email preferences, respond to surveys and/or promotions, provide financial or credit card information, or communicate with SECTARA’s customer support.
Additionally, SECTARA may also collect any other information you provide while interacting with SECTARA.
By providing SECTARA with personal information, you consent to the supply of that information subject to the terms of this Policy.
SECTARA will only collect personal information by lawful and fair means and where that information is reasonably necessary for one or more of the SECTARA’s functions or activities, as identified in SECTARA’s Purposes at clause 3 of the Policy.
SECTARA collects personal information from clients and users with their consent in a variety of ways, including when they interact with SECTARA electronically or in person, when they access the SECTARA website and when SECTARA provides services. SECTARA may also receive personal information from third parties. SECTARA will only collect personal information from a third party where it is unreasonable or impractical to collect the information directly from the client or user. Such third parties include organisations that maintain publicly accessible or fee-for-access records. Where SECTARA receives personal information from third parties, SECTARA will protect it as set out in this Policy.
Collection of Sensitive Information
Sensitive information is defined in the Act as information about an individual’s ethnic origin, beliefs (whether political, religious or philosophical), sexual orientation, criminal history, health, genetics and membership of political or trade associations. SECTARA is not in the business of collecting such information and will not collect or request any such information.
2. Storage of, and Access to, Personal Information
Storage and Security of Personal Information
SECTARA strives to provide an environment which ensures that personal information is stored in a secure and confidential manner.
SECTARA employs a two-fold system for the storage of personal information. Personal information is securely stored in cloud-based business systems (discussed further below), and if held as hard copy documents, in secure, physical file(s) at SECTARA’s offices. SECTARA has suitable physical, electronic and managerial procedures and systems in place for the security of both its computer network and business premises.
SECTARA will take such steps as are reasonable in the circumstances to protect the personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
SECTARA’s cloud computing systems are hosted by Amazon Web Services in Australia. Amazon Web Services holds Australian Government certification as an accredited Unclassified DLM. SECTARA deems the following client personal information to be “sensitive data” (not to be confused with “sensitive information” under the Act, discussed above):
- organisation name;
- business unit name;
- external context;
- internal context;
- security risk context;
- risk control efficiency ratings;
- risk control comments;
- risk descriptions; and
- recommended treatments.
Any sensitive data “at rest” is encrypted using Amazon Web Services’ cloud front. All other personal information is unencrypted but otherwise subject to SECTARA’s security processes and procedures. Any sensitive data “in transit” is encrypted whilst in transit via transport layer security.
Where SECTARA employs data processors to process personal information on SECTARA’s behalf, SECTARA only does so on the basis that such data processors comply with the requirements under the GDPR and that have adequate technical measures in place to protect personal information against unauthorised use, loss and theft.
Notwithstanding the above, the transmission and exchange of information is carried out at your own risk. SECTARA cannot guarantee the security of any information that you transmit to SECTARA or receive from SECTARA. Although we take all reasonable measures to safeguard against unauthorised disclosures of information, SECTARA cannot assure you that personal information that SECTARA collects will not be disclosed in a manner that is inconsistent with this Policy.
In circumstances where SECTARA is no longer actively working with a client and no longer needs the information for any of its Purposes, those files are securely stored for a period of seven (7) years. Only authorised SECTARA employees and third parties specifically authorised by SECTARA are permitted to access these storage facilities.
Destruction of Personal Information
SECTARA ensures that personal information that has not been used or disclosed for a period of seven (7) years is depersonalised and securely destroyed.
Access to, and Correction of, Personal Information
An individual is entitled to request access to the personal information that SECTARA holds about them by making a request to SECTARA’s Privacy Officer, using the contact details specified at clause 6.
SECTARA will respond to the request and provide access to the information within a reasonable time. There will be no charges associated with the making of such a request or the subsequent provision of information.
SECTARA reserves the right to refuse to provide personal information that SECTARA holds, in certain circumstances set out in the Act.
Where an individual requests SECTARA to correct the personal information that SECTARA holds about that individual, SECTARA will take such steps (if any) as are reasonable in the circumstances to correct the information. SECTARA is entitled to refuse to correct the personal information in certain circumstances set out in the Act, provided SECTARA gives the individual a written notice containing the reasons for the refusal.
Where SECTARA is satisfied that the personal information it holds about an individual is inaccurate, out-of-date, incomplete, irrelevant or misleading, SECTARA will take such steps (if any) as are reasonable in the circumstances to correct the personal information.
3. The Purposes for which Personal Information is Collected
SECTARA collects personal information only to the extent that such information is reasonably necessary for, or directly related to, one or more of the SECTARA’s Purposes.
SECTARA’s “Purposes” include (but are not limited to) the following functions and activities:
- the supply of services, including the supply of software on a subscription basis to clients and the provision of SECTARA’s “knowledge base” service;
- the provision of information and updates to clients and users (including with respect to existing and new products, services and opportunities);
- making existing clients, potential clients and users aware of new and additional products, services and opportunities;
- to consider making offers of employment or to maintain details of SECTARA’s existing employees;
- the receipt of services by an organisation or its employees;
- the provision of information on security risk matters, whether through periodic SECTARA’s marketing correspondence, seminars or other marketing events;
- to improve SECTARA’s products and services and better understand the needs of clients and users;
- administering SECTARA’s business activities;
- managing, researching and developing SECTARA’s products and services; and
- investigating any complaints.
SECTARA may contact clients and users by a variety of measures including, but not limited to telephone, email, sms or mail.
4. Disclosure of Personal Information
Disclosure of Information within Australia
SECTARA may disclose your personal information to any of SECTARA’s employees, officers, insurers, professional advisors, agents, suppliers or subcontractors insofar as reasonably necessary for the Purposes set out in this Policy.
For SECTARA to carry out any one or more of the Purposes, it may be necessary for SECTARA to disclose personal information to third parties who play a part in facilitation of services to a client and/or their representative(s).
SECTARA may, from time to time, need to disclose personal information to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, in the course of a legal proceeding or in response to a law enforcement agency request.
SECTARA may also use your personal information to protect the copyright, trademarks, legal property, property or safety of SECTARA, its clients or third parties.
If there is a change of control in SECTARA or a sale or transfer of business assets, SECTARA reserves the right to transfer to the extent permissible at law its user databases and client databases, together with any personal information and non-personal information contained in those databases. This information may be disclosed to a potential purchaser under an agreement to maintain confidentiality.
SECTARA will only use or disclose personal information for the Purpose or Purposes for which it was collected. SECTARA will not use or disclose personal information for any other purpose (a secondary purpose) unless:
- the relevant individual consents to that use or disclosure of the information;
- the individual would reasonably expect SECTARA to use or disclose the information for the secondary purpose and the secondary purpose is related to one or more of the Purposes; or
- the use or disclosure of the information is required or authorised by or under an Australian Law.
SECTARA will only disclose information in good faith and where required by any of the above circumstances.
By providing SECTARA with personal information, you consent to the terms of this Policy and the types of disclosure covered by this Policy. Where SECTARA discloses your personal information to third parties, SECTARA will request that the third party follow this Policy regarding the handling of personal information.
Disclosure of Information outside Australia
Information that SECTARA collects may from time to time be stored, processed in or transferred between parties located in countries outside of Australia.
SECTARA may disclose personal information to a person or entity that is not in Australia (the Overseas Recipient). SECTARA will only disclose personal information to an Overseas Recipient where:
- SECTARA reasonably believes that the Overseas Recipient is subject to a law that affords protection of personal information that is substantially similar to the protection afforded under the Act and that SECTARA can enforce such protection under the overseas law; or
- SECTARA takes reasonable steps to ensure that the Overseas Recipient acts in accordance with the Principles in relation to the storage, use and disclosure of the personal information.
You acknowledge that personal information that you submit for publication through the SECTARA website or services may be available via the internet around the world. SECTARA cannot prevent the use (or misuse) of such personal information by others.
5. Direct Marketing
Direct marketing occurs where entities use the personal information that they collect to market related or other goods and services to the individual who provided the information. A common example is where an organisation emails an individual a monthly newsletter.
SECTARA may use or disclose personal information for direct marketing only where SECTARA collected the personal information from the individual, the individual would reasonably expect the SECTARA to use or disclose the information for that purpose and the individual has not made a “opt out” request pursuant to the below paragraph.
Requests not to receive Direct Marketing
An individual is entitled to request not to receive direct marketing communications from SECTARA by contacting SECTARA’s Privacy Officer, using the contact details specified at clause 6.
SECTARA will give immediate effect to any such request. Options to unsubscribe (“opt out”) from such communications will also be available in the footer of each element of such correspondence.
Please note that individuals will not be permitted to unsubscribe or opt-out of SECTARA service announcements.
6. Contact Details
Should you have any queries about the Policy, or the Principles, or wish to lodge a complaint about a potential breach of the Principles by SECTARA, please contact SECTARA’s Privacy Officer using the contact details listed below.
SECTARA Pty Ltd
Level 40 Northpoint Tower
NORTH SYDNEY NSW 2060
Phone: +61 (0)2 9048 9181
Email: [email protected]
SECTARA will endeavour to respond to an individual communication within thirty (30) days. Should SECTARA fail to respond within a thirty-day period, an individual may contact the Office of the Australian Information Commissioner, which can investigate queries or complaints in relation to a potential breach of the Principles.
Please be aware that the Policy may be updated from time to time by SECTARA. SECTARA may modify this Policy at any time, in SECTARA’s sole discretion and all modifications will be effective immediately upon SECTARA’s posting of the modifications on the SECTARA website or notice board. Please check back from time to time to review this Policy.
When you visit the SECTARA website (https://sectara.com) SECTARA may collect certain information such as browser type, operating system, website visited immediately before coming to the SECTARA site, etc. This information is used in an aggregated manner to analyse how people use SECTARA’s site, such that SECTARA can improve its service.
SECTARA’s website may, from time to time, have links to other websites not owned or controlled by SECTARA. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship or endorsement or approval of these websites. Please be aware that SECTARA is not responsible for the privacy practises of other such websites. SECTARA encourages its users to be aware, when they leave the SECTARA website, to read the privacy statements of each and every website that collects personal identifiable information.
8. GDPR for the European Union (EU)
SECTARA will comply with the principles of data protection set out in the GDPR for the purpose of fairness, transparency and lawful data collection and use. SECTARA processes your personal information as a processor and/or to the extent that we are a controller as defined in the GDPR.
SECTARA must establish a lawful basis for processing your personal information. The legal basis for which SECTARA collects your personal information depends on the data that SECTARA collects and how SECTARA uses it. SECTARA will only collect your personal information with your express consent for a specific purpose and any data collected will be to the extent necessary and not excessive for its purpose. SECTARA will keep your data safe and secure.
SECTARA will also process your personal information if it is necessary for SECTARA’s legitimate interests, or to fulfil a contractual or legal obligation. SECTARA processes your personal information if it is necessary to protect your life or in a medical situation, it is necessary to carry out a public function, a task of public interest or if the function has a clear basis in law.
SECTARA does not collect or process any personal information from you that is considered “Sensitive Personal Information” under the GDPR, such as personal information relating to your sexual orientation or ethnic origin unless we have obtained your explicit consent, or if it is being collected subject to and in accordance with the GDPR.
You must not provide SECTARA with your personal information if you are under the age of 16 without the consent of your parent or someone who has parental authority for you. SECTARA does not knowingly collect or process the personal information of children.
If you are an individual residing in the EU, you have certain rights as to how your personal information is obtained and used. SECTARA complies with your rights under the GDPR as to how your personal information is used and controlled if you are an individual residing in the EU. To this end, except as otherwise provided in the GDPR, you have the following rights:
- to be informed how your personal information is being used;
- access your personal information (SECTARA will provide you with a free copy of it);
- to correct your personal information if it is inaccurate or incomplete;
- to delete your personal information (also known as “the right to be forgotten”);
- to restrict processing of your personal information;
- to retain and reuse your personal information for your own purposes;
- to object to your personal information being used; and
- to object against automated decision making and profiling.
Please contact SECTARA at any time (via the contact details in clause 6 above) to exercise your rights under the GDPR. Please note that SECTARA may ask you to verify your identity before acting on any of your requests.