1.  Policy Statement

1.1. Purpose

The Privacy Act 1988 requires entities bound by the Australian Privacy Principles to have a privacy policy. This Privacy Policy outlines the personal information handling practices of CTRL Security Pty Ltd (ctrl:cyber or Ctrl).

1.2. Scope

The scope of the Policy encompasses all functions, business units and employees of Ctrl. This includes all information created and received by Ctrl as well as third party systems that are bound by contractual agreement with Ctrl.

2.  Overview

We collect, hold, use and disclose personal information to carry out functions or activities under the Australian Information Commissioner Act 2010 (AIC Act), and the Privacy Act 1988 (Privacy Act).

These functions and activities include:

• establishing, managing and maintaining our business relationships,
• conducting administrative and business functions,
• responding to enquiries and requests from individuals and businesses,
• considering a potential contractor’s engagement with us,
• opening and administering our client accounts during sales and/or delivery cycle,
• managing marketing and sales initiatives, such as information about our product offerings,
• developing, providing, and improving our services and solutions,
• consulting with stakeholders, for example, contractors and regulators,
• responding to access and correction to information requests,
• communicating with the public, stakeholders and the media including through websites and social media
• assessing suitable candidates for career opportunities within Ctrl
• processing and responding to privacy questions, concerns and complaints, and
• undertaking any other purpose related to or ancillary to any of the above.

3.  Collection of your personal information

3.1. Types of information we collect

The types of personal information we collect, and hold include name, contact details, identification, affiliations, dealings and transactions with us, including by phone, email and online.

If you apply to work with us, we also collect information about your education, experience, character and background checks including eligibility to work, vocational suitability, identity, reference, directorship, financial probity, and criminal record checks.

In addition, if you join us, we collect information about your employment or engagement including information about your performance, conduct, use of our IT resources and payroll matters.

3.2. Collecting sensitive information

Sometimes we may need to collect sensitive information about you, for example, to handle a complaint. This might include information about your health, racial or ethnic origin, political opinions, association memberships, sexual orientation, or criminal history.

3.3. How we collect personal information

At all times we try to only collect the information we need for the particular function or activity we are carrying out.

The main way we collect personal information about you is when you give it to us. For example, we collect personal information such as contact details and complaint, review, and details when:

• we conduct our administrative and business functions,
• you purchase our services,
• we process your orders and payment transactions,
• we respond to your enquiries and requests,
• you apply for a job vacancy at Ctrl,
• we obtain your feedback about our products,
• you ask for access to information the Ctrl holds about you, or
• you notify the Ctrl about a data breach.

3.4. Indirect collection

In the course of conducting our business, handling and resolving a complaint, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties, such as our customers or partners, or other third-party companies such as law enforcement agencies, recruitment companies.

3.5. Collecting through our website

Ctrl’s public website is hosted in Australia.

As you navigate our website, certain information may be collected passively, including your Internet protocol address, browser type, domain names, times, and operating system. We do not intentionally gather personal information about visitors who are minors.

3.5.1.    Cookies

Our website may use ‘cookies’ from time to time. Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to enhance functionality on the website. The cookie allows us to maintain the continuity of your browsing session and remember your details and preferences when you return.

If you do not wish to have cookies placed on your computer, you can configure your web browser application to reject cookies however some parts of our website may not function fully as a result.

3.6. Email lists

We use a third party provider to manage our mailing lists. Analytics are performed when you click on links in the email, or when you download the images in the email. They include which emails you open, which links you click, your mail client (e.g. ‘Outlook’ or ‘iPhone’), if your action occurred on ‘mobile’ or ‘desktop’, and the country geolocation of your IP address (the IP address itself is not stored).

3.7. Social networking services

We use social networking services such as Facebook, Instagram and LinkedIn to communicate with the public about our work. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Facebook, Instagram and LinkedIn on their websites.

4.  Use and Disclosure

We only use and disclose personal information for the purposes for which it was given to us that are directly related to one of our functions and activities. Common situations in which we disclose information are detailed below.

• When clients ask to be on an email or mailing list so that we can send them information about our products.
• When customers ask to respond to quote to be emailed or posted with contact information.
• If you are a contact person for one of our clients or suppliers, personal information about you may be used by us in our dealings with the customer or supplier you represent.
• We may exchange your personal information with third parties including your organisation, providers that host our website servers, manage our IT and manage our human resources information, government authorities, and our advisors and contractors.
• If you apply to work with us, we may exchange your personal information with background checking services, recruiters, law enforcement agencies, referees and your current and previous employers. If you join us, we may exchange your personal information with other employers seeking a reference about you, providers of payroll, superannuation, banking, and training services.

4.1. Disclosure to service providers

Ctrl uses a number of service providers to whom we disclose personal information. These include providers that host our website servers, manage our Infrastructure and manage our human resources information.

4.2. Disclosure of sensitive information

We only disclose your sensitive information for the purposes for which you gave it to us or for directly related purposes you would reasonably expect or if you agree, for example, to handle a complaint.

4.3. Overseas Recipients

We may disclose personal information to our related bodies corporate, third party suppliers and service providers located overseas. Some of our employees and third party suppliers are located overseas. Except where specific individual consent has been obtained, we take reasonable steps to ensure that the overseas recipients of your personal information do not breach the privacy obligations relating to your personal information.

We may disclose your personal information to entities located overseas, including the following:

• Our related bodies corporate located in Australia,
• Our data hosting and other IT service providers, located globally
• Our clients and their related entities located in foreign countries, to the extent that we are acting on their behalf or at their direction in using, storing, or collecting your personal information.

5.  Storage and security of personal information

We take steps to protect the security of the personal information we hold from both internal and external threats by:

• regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information
• taking measures to address those risks, for example, we keep a record (audit trail) of when someone has added, changed or deleted personal information held in our electronic databases and regularly check that staff only access those records when they need to
• conducting regular audits to assess whether we have adequately complied with or implemented these measures.

6.  Access and Correction

If you wish to get access to the personal information we hold about you, or request that we change that personal information, we will allow access or make the changes unless we consider that there is a sound reason under the Privacy Act or other relevant law to withhold the information, or not make the changes.

7.  Policy Updates

This Policy may change from time to time and is available on our website.

8.  Complaints

Please contact us if you wish to make a complaint about how we have handled your personal information. We may request additional details from you regarding your concerns and may need to engage or consult with other parties in order to investigate and deal with your issue. We will keep records of your request and any resolution.

For any questions and notices, please contact us at:

Privacy Officer
ctrl:cyber
T: +61 1 300 578 528
E: info@ctrl.co