Exdia Pty Ltd Privacy & Data Breach Policy
The purpose of this policy is to outline our open and transparent way of handling personal information and what we do if there is ever an issue or unauthorised disclosure of your information.
What personal information do we collect?
We collect personal information including but not limited to names, contact telephone numbers, contact details, email addresses, payment details, financial information, insurance details, tax file numbers, accounting records, credit card details and/or bank account details, account records and any other relevant information.
How personal information is collected
Information is usually collected directly from you or a representative of your company who is authorised to provide this information. This information can be collected in the following ways:
- Having face-to-face meetings and telephone discussions with you;
- Asking you to complete questionnaires;
- Your correspondence with us; and
- Through documents that you have provided to us.
You warrant that the personal information you provide is accurate, up to date and complete. If you become aware that personal information we hold about you is incomplete, inaccurate, irrelevant, or not up-to-date, please contact us and we will take reasonable steps to correct the information. By engaging our Services you consent to the handling of personal information.
We endeavour to maintain a high standard of records, including the accuracy and completeness of clients’ information. To ensure this, we may contact our clients to ensure that their records are up to date. If your details have changed, kindly notify us.
How personal information is held
The information is held in both paper and electronic form for seven years and is backed up on our internal computers and/or the cloud. We currently use third party platforms (such as Dropbox and/or Microsoft SharePoint) for the storage of data. You acknowledge that our use of these services may vary without notice.
If we receive unsolicited information that is irrelevant and/or we would not have access to if solicited, and is not public information, we will, as soon as is reasonably practicable, destroy or de-identify the information.
Purposes for the collection, holding, use and disclosure of the personal information
We collect personal information when it is reasonably required for business purposes, which are consistent with our Service Proposal and Terms and Conditions.
Other reasons we collect personal information include:
- For internal use; or
- For debt collection purposes.
Your personal information may be shared internally or with third parties. We may disclose any or all of your personal information to:
- Parties which we work with (e.g. subcontractors, other customers);
- A debt collection agency;
- Third party suppliers and service providers in order to provide our services;
- The Australian Taxation Office (ATO) to meet ongoing compliance;
- Credit Providers;
- Solicitors; and
- Any other third parties required for legal obligations and other privacy exceptions.
Disclosing personal information to overseas recipients
Some of our contractors and/or employees may be located offshore and as a result, we may be required to provide them with your personal information. By providing us with your personal information, you warrant that you consent for your information to be provided to any offshore contractors and/or employees, including but not limited to, those located in the Philippines and India. The locations of our contractors and/or employees may vary from time to time on a temporary or ongoing basis.
We take all reasonable steps to protect the security of your personal information. We hold personal information for a period of seven years from the completion of any service. Once this time has passed, at your request we ensure your personal information is destroyed or de-identified.
How an individual can access and correct their personal information
You can view your personal information by contacting us by any of the means listed below. We will allow you to access your personal information without excessive delay or expense. We will allow you to update, correct or amend your personal information where necessary.
How we respond to Data Breaches
A data breach is unauthorised access to or disclosure of personal information which is held by an organisation. We take great care to ensure that personal information held on behalf of our clients is protected. However, it is possible that personal information may be lost, accessed or disclosed without authorisation by an external third party. In these rare circumstances we will endeavour to do the following:
- Ascertain whether a breach has or is likely to have occurred. This will involve reporting the incident to our internal cyber security officer;
- Contain the data breach by taking steps to prevent the access or disclosure of personal information. This may involve temporarily shutting down the system to allow us to assess all available evidence in relation to the data breach;
- Ascertain what personal information is at risk; and
- Assess the risk of harm to you and Exdia.
In any circumstance, but especially where the access or disclosure of this information would be likely to result in serious harm to you or Exdia, we will:
- Notify you or any individuals who are at risk as soon as reasonably practical so that you may mitigate any potential loss. This may involve you taking necessary steps to protect your personal information, such as changing your account passwords and being alert to possible scams arising from the breach;
- Report the data breach to the Office of the Australian Information Commissioner; and
- Take reasonable steps to prevent further breaches. This may involve the following:
  - Thoroughly investigating the cause of the breach;
  - Developing and updating our data breach prevention plan and conducting audits to ensure the plan is adhered to and implemented correctly;
  - Reviewing the health of our cyber security systems; and
  - Revising employee training practices and procedures.
How you can complain if the Australian Privacy Principles are breached
If you have a complaint regarding the way we have handled your information, believe a breach of the Australian Privacy Principles has occurred, or have any questions, please contact us immediately by any of the following means:
Phone: 1300 139 342
Post: PO Box 568, Plumpton NSW 2761
We will endeavour to resolve your issue as soon as practicable.
Otherwise, a complaint may be lodged with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.