
Convergence Security Consulting Privacy Policy

 

Overview

 

Convergence Security Consulting’s (CSC’s) Privacy Policy is designed to inform individuals about the way CSC collects, stores, uses and discloses personal information.

 

This Privacy Policy also sets out how you can access or seek correction of your personal information held by CSC.

 

The Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Privacy Act), regulate how CSC handles your personal information.

 

More information on the APPs can be found on the Office of the Australian Information Commissioner’s (OAIC) website.

 

In this Privacy Policy:

 

  • Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable

  • Sensitive information is a subset of personal information and includes information or an opinion about your racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, sexual orientation, criminal record, health information, biometric information and genetic information.

 

CSC’s Privacy Policy is reviewed annually to ensure the information it contains is accurate, complete, relevant and up to date.

 

Who should read this Privacy Policy?

You should read this Privacy Policy if you:

  • Are an individual whose personal information is, has been, or will be, handled by CSC

  • Are, or are considering becoming, an employee of CSC

  • Are, or are considering becoming, an outsourced service provider, supplier, business partner, contractor, or consultant to CSC

  • Are a client or potential client of CSC.

The kinds of personal information we collect and hold

We may collect personal information about you when it’s reasonably necessary for, or directly related to, our functions or activities.

 

We may also collect sensitive information where collection is allowed under the Privacy Act (e.g. where you consent). The nature and extent of personal information CSC collects and holds will vary depending on an individual's particular relationship and interaction with CSC.

 

The kinds of personal and sensitive information collected and held by CSC may include:

  • Information about you (e.g. name, address and contact details)

  • Information about your interactions with us (e.g. services we provide, products/goods/services we purchase or receive, applications you’ve made, complaints and feedback, how you use our online services)

  • Information about your circumstances (e.g. family circumstances, financial situation, employment, health and welfare)

  • Information to verify your identity (e.g. tax file numbers, biometric information).

 

How we collect personal information

CSC collects personal information through a variety of channels.

 

This includes information provided in forms you fill out, applications you make, correspondence you provide, in person, over the telephone, via CSC’s website, and through our digital tools and networks.

 

Due to the scope and nature of CSC activities, and the purpose of your interaction with CSC, it is not always possible to collect personal information directly from you.

 

CSC may collect personal information about you indirectly from a range of other sources including, but not limited to:

 

  • Publicly available sources

  • Your access to CSC websites, or information and communications networks and systems

  • Your family members

  • Past and present employers and character referees

  • Health practitioners

  • Government agencies and organisations

  • Managers and supervisors

  • Specialist service providers.

 

CSC may also generate personal information about you while undertaking its functions or activities.

 

When your personal information is collected from a third party, we will only do so in accordance with the Privacy Act and any other applicable laws (e.g. secrecy provisions in other legislation).

 

How we hold personal information

 

We take reasonable steps to protect your personal information against misuse, interference and loss, and from unauthorised access, modification or disclosure.

 

CSC regularly conducts system audits to ensure that it adheres to its established protective and information security practices.

 

Protective measures include password protections, access privileges, secure cabinets/containers and physical access restrictions.

 

Documents containing personal information also carry the 'Sensitive: Personal' information marking and may also include a warning notation of ‘Health Information’, where appropriate.

 

Access to personal information about you is restricted to CSC employees who have a need to access the information for purposes which are directly related to or reasonably necessary for their duties in support of CSC’s functions or activities.

 

CSC employees are also required to undertake mandatory annual protective and information security training. In addition to the statutory and other measures for the protection of personal information, under CSC’s Privacy Policy reasonable steps must be taken to ensure that the information is protected.

 

CSC will only destroy personal information in accordance with statutory requirements, including the Archives Act 1983 and in consultation with relevant authorities authorised to destroy the information.

 

Our company Standard Operating Policies (SOPs) and procedures also contain policy on the retention and destruction of documents.

 

CSC’s records must be retained and accessible for as long as they are legally required. CSC stores personal information about you as hardcopy documents or as electronic data within its record management or information technology systems.

 

CSC protects personal information about you in accordance with the policy provided for in the Defence Security Principles Framework, the Commonwealth Protective Security Policy Framework, and the Privacy Act 1988.

 

This is in addition to CSC’s own policies which require reasonable steps to protect that information against loss, unauthorised access, use and disclosure, modification and misuse.

Why we collect, hold, use and disclose your personal information

CSC will only collect personal information that is reasonably necessary for, or directly related to, its functions or activities. These functions and activities are detailed in our contracts, agreements, and SOPs.

 

To satisfy these responsibilities and CSC’s responsibilities under legislation, CSC collects personal information for various purposes depending on the individual's relationship with CSC.

 

Generally, CSC collects personal information for the following purposes:

 

  • The recruitment, appointment, management and administration, and the health and wellbeing, of our employees

  • The onboarding, evaluation and contracting of, and business with, our suppliers, business partners, and external service providers

  • The conduct of CSC’s business operations

  • Community engagement, including charitable and social responsibility programs

  • The conduct of CSC business activities with an individual (such as visitors)

  • Maintaining historical records

  • Compiling diagnostic information

  • Conducting approved research

  • Identifying potential conflicts of interest

  • Performing security functions associated with information management, which includes website and email access

  • Legislative and regulatory purposes that require the grant of a licence, permit or approval and the consideration thereof

  • CSC’s obligations under international law or an international treaty or agreement.

Use of consultants, contractors and outsourced service providers

CSC uses consultants, contractors and outsourced service providers to undertake certain business functions as approved by our clients prior to undertaking any work on a contract.

 

Personal information about you may be collected by or provided to a CSC consultant, employee, contractor or outsourced service provider when necessary.

 

In situations where personal information about you is provided to a consultant, employee, contractor or outsourced service provider, CSC will generally retain effective control of the information and require that privacy requirements (such as compliance with the Australian Privacy Principles (APPs), information security, data breach response, training and auditing) are met in its terms of contract with the third party.

 

Disclosure of your personal information

Generally, CSC will use and disclose your personal information for the same purpose as collected. CSC may use and disclose your personal information for a secondary purpose if you consent or another provision in the Privacy Act allows it.

 

CSC may disclose personal information about you to other APP entities, including:

 

  • Government Agencies as required by regulation or law

  • Other Defence-related agencies, regulatory bodies, and organisations where required by regulation or law

  • In the case of our security services, the Australian Security Intelligence Organisation to facilitate audits of access to their information via the Outreach program in the event of any audits or investigations

  • The Department of Home Affairs, Law enforcement agencies such as the Australian Federal Police, State and Territory Policing agencies, federal, state and territory courts and tribunals, other Australian Government Departments and agencies for legislative, regulatory and administrative purposes

  • Overseas recipients for legislative, regulatory and reporting purposes to meet Australia’s national security and international obligations

  • CSC may disclose personal information about members who are attending training to other training providers or educational institutions as per your consent

  • CSC does not disclose personal health information to any other person, including next of kin, unless the individual about whom the information relates has given express consent, or the disclosure is required or authorised by or under Australian law, or in circumstances where it is unreasonable to obtain the individual's consent and the disclosure is necessary to lessen or prevent a serious threat to life, health or safety of an individual or to public health and safety

  • If it is necessary for the acquisition or use of CSC equipment and capability, CSC may also disclose the personal information of those involved directly, or indirectly, to recipients in the countries where the recipients are located or the activities or functions are performed.

 

Overseas use and disclosures

CSC may disclose personal information about you to a person who is not in Australia or an external territory (overseas recipient) where it relates to CSC activities or functions with individual and contracted entity consent.

 

Personal information about you may be disclosed in the country where the recipient is ordinarily located, or in a country where the recipient is, or is soon to be, undertaking work-related activities.

 

For example, where CSC is undertaking or participating in customer-led activities or contractual engagements, personal information may be disclosed to 'overseas recipients' in the countries where the activity is being undertaken for administration in accordance with the performance of our services.

Exemptions from the Privacy Act

CSC is not exempt from the requirements of the Privacy Act.

However, some of CSC’s clients may be, and those exemptions apply on a project and contract basis.

Access to and correction of personal information

You have a right to request:

 

  • Access to personal information that we hold about you

  • Correction to the personal information we hold about you.

 

CSC will provide you with access to the personal information we hold about you in the manner requested if it is reasonable and practicable to do so. We will also take reasonable steps to correct personal information we hold about you if we consider it is inaccurate, out-of-date, incomplete, irrelevant or misleading. If we refuse to provide you with access, or correct, your personal information, we will notify you in writing and explain our reasons.

 

You should be aware that CSC’s ability to correct or amend personal information may be limited in some circumstances, such as if the refusal is required or authorised by law.

 

To make an access or correction request:

 

  • Email subject: Privacy

  • To info@convergencesc.com.au

However, certain internal individuals (such as employees) are to seek access to their personal information by following CSC’s Standard Operating Procedures or processes outlined in our contracts and agreements.

 

Concerns about how personal information about you is handled

If you have questions about how personal information about you will be, or has been, handled by CSC, you should contact CSC.

 

Your concerns may be forwarded to the relevant area within CSC for consideration and action, if appropriate.

 

CSC is committed to quick and fair resolution of privacy complaints. However, some cases may require more detailed inquiry.

 

CSC undertakes to keep you informed of the progress of your complaint.

 

If you are dissatisfied with the way CSC handles your privacy-related complaint, you may contact the Office of the Australian Information Commissioner at:

 

 

Contact details for the CSC Privacy Officer:
