Purpose of the Policy
The Red Fox Group (the Organisation) is committed to protecting the privacy of all client data it is provided with to carry out the services for which it is engaged to perform.
The Organisation’s policies are designed to comply with all state and national legislation, in particular the Australian Privacy Principles (APP).
The Organisation commits to:
- only collecting data from clients and individuals in accordance with the APPs;
- being fair and open in the way it collects the data, and only collect data actually required in the course of providing its clients with services;
- retaining clients’ data in a secure environment;
- only providing essential information to its agents or service providers for the purpose of conducting client business;
- binding all staff, agents and service providers to its confidentiality agreements and its Privacy Policies;
- not sharing or selling client data to any third party for marketing purposes and not releasing information unless required by law to do so;
- allowing clients access to their client data held and inviting clients to advise the Organisation if any information is incomplete, inaccurate or out-of-date;
- where possible, amending any data that clients may consider incomplete, inaccurate or out-of-date;
- explaining the reasons for collecting data, how it is used and the consequences of not having the data required.
The Organisation only collects client data which is necessary to enable it to carry out the functions or activities (the “primary purpose”) for which a client engages the Organisation to provide.
The types of client data the Organisation collects may vary, depending on the services it provides. The Organisation does not normally collect clients’ sensitive data. If it does ever need to collect sensitive data which is reasonably necessary for the operation of its business functions or activities, it will obtain clients consent to do so.
Employees may view and access client data to perform their duties and provide client services.
The Organisation may also disclose client data to:
- contractors with whom it has a commercial relationship for business where it relates to the services it provides to clients;
- with clients consent for any organisation for an authorised purpose.
Except as set out above, the organisation will only disclose client data if this is required by law or as required or permitted under the Privacy Act.
Data Storage and Security
The Organisation takes all reasonable precautions to ensure that client data is protected from misuse, interference, loss, unauthorised access, modification or disclosure using a combination of physical, administrative and technical safeguards.
The Organisation commits to the following:
- Store client data in a manner that ensures security against unauthorised access, alteration or deletion, at a level commensurate with its sensitivity.
- Store client data only in jurisdictions where data protections are at least equivalent to those required under the Australian Privacy Act guidelines.
- Only transmit client data in a manner that ensures security against unauthorised access, alteration or deletion, at a level commensurate with its sensitivity.
- Implement appropriate measures to ensure security of client data against inappropriate behaviour by employees and contractors. These include:
- training for staff in relation to privacy;
- access control, to limit access to client data to those staff and contractors who have legitimate reasons to access it;
- particularly in the case of sensitive data, audit trails of accesses, including the identities of staff and contractors accessing the data;
- reminders to staff and contractors from time to time about the importance of data privacy, and the consequences of inappropriate behaviour;
- processes to audit, to investigate and to impose sanctions.
The Organisation is required to timely report any data breach or eligible data breach to the Office of the Australian Information Commissioner (OAIC), under the Notifiable Data Breaches amendment to the Privacy Act.
Employees have an obligation to promptly report, in confidence, all data or eligible breaches to the CEO. This will allow the Organisation to initiate the appropriate procedures and processes in line with its compliance obligations.
If a breach is found to have occurred, that person/s will be provided with an opportunity to explain their conduct. If their explanation is deemed unsatisfactory, they will be the subject of disciplinary action. This may include a warning, suspension, transfer, demotion or termination of employment. Even non-intentional or “one-off” breaches may result in the full range of disciplinary action.
Data Retention and Destruction
Subject to the qualifications immediately below, the Organisation undertakes:
- to retain client data only as long as it is required and is consistent with its purpose; and
- to destroy client data when its purpose has expired, and to do so in such a manner that client data is not subsequently capable of being recovered.
- This undertaking is qualified as follows:
- Client data may be retained in logs, backups and audit trails for a 12-month period following the completion of a project to allow for follow up queries and additional requests from the client;
- Client data may be retained beyond the expiry of this purpose if that is required by law, or for the proper running of a software solution provided to the client by the Organisation.
- In these circumstances, the organisation:
- will take any reasonable steps available to communicate to its clients that its data is being retained, unless precluded from doing so by law; and
- will only retain client data while that provision is current and will then destroy client data.
- Information about Data-Handling Practices
The Organisation will make information available to clients about the manner in which it handles client data in more specific terms on request. The Organisation undertakes to ensure that the information provided is meaningful and addresses client concerns.
The Organisation takes seriously any complaint about its data handling practices. If a client wishes to lodge a complaint about the way the Organisation has handled its data, they may do so by contacting the CEO.
The Organisation will respond in writing within 30 days of receiving the complaint, setting out what action it will take as a result of the complaint or alternatively providing an explanation to the client if there has been no breach of the law.