Publication date: October 2020
The Privacy Act 1988 requires entities bound by the Australian Privacy Principles to have a Privacy Policy.
This Privacy Policy outlines the personal information handling practices of Threat Vector X Pty Ltd (ABN 64 061 677 503) (Threat Vector X). Threat Vector X employees and prospective employees should also refer to our Human Resources Privacy Policy.
This policy is written in simple language. The specific legal obligations of Modern Methodologies when collecting and handling your personal information are outlined in the Privacy Act 1988 and in particular in the Australian Privacy Principles found in that Act. We will update this Privacy Policy when our information handling practices change. Updates will be publicised on our website and through our email list.
We collect, hold, use and disclose personal information to carry out functions or activities related to our business.
At all times we try to only collect the information we need for the particular functions or activity we are carrying out.
The main way we collect personal information about you is when you give it to us. For example, we collect personal information such as contact details. This information is collected when you:
We do not collect any sensitive information about you, but if we do need to collect sensitive information about you, for example, information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information, we will seek your permission to do so before the information is collected.
In the course of handling and resolving a complaint, data breach notification, review or an investigation, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties such as:
· your authorised representative, if you have one
· applicants, complainants, respondents to a complaint, investigation, application or data breach notification or the third parties’ employees and witnesses.
We also collect personal information from publicly available sources to enable us to contact stakeholders who may be interested in our work or in participating in our consultations.
Where possible, we will allow you to interact with us anonymously or using a pseudonym. For example, if you contact our Enquiries line with a general question we will not ask for your name unless we need it to adequately handle your question.
However, for most of our functions and activities we usually need your name and contact information and enough information about the particular matter to enable us to fairly and efficiently handle your inquiry, request, complaint or application, etc.
Threat Vector X’s public website, www.threatvectorx.com, is hosted in the public cloud. There are a number of ways in which we collect information through our website.
We collect data about your interactions with our website. The sole purpose of collecting your data in this way is to improve your experience when using our site and to perform analysis of the usage of the site. The types of data we collect with these tools include:
Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to enhance functionality on the website.
Most browsers allow you to choose whether to accept cookies or not. If you do not wish to have cookies placed on your computer, please set your browser preferences to reject all cookies before accessing our website.
Embedded videos on our website use YouTube’s Privacy Enhanced Mode. When you play an embedded video from our website, the video and associated assets will load from the domain www.youtube-nocookie.com, and other domains associated with Google’s YouTube player. If the domain www.youtube-nocookie.com is blocked, a local version of the video will be played instead, if available. The only data we collect about this is whether you received the YouTube version or the local version. You can access the privacy policy for YouTube on its website.
We will collect information that you provide to us when signing up to mailing lists and registering for our events, or when submitting feedback on your experience with our website.
When subscribing to one of our mailing lists, you will be asked to give your express consent that we may use your data for analytics purposes. Analytics are performed when you click on links in the email, or when you download the images in the email. They include which emails you open, which links you click, your mail client (eg ‘Outlook 2016’ or ‘iPhone’), if your action occurred on ‘mobile’ or ‘desktop’, and the country geolocation of your IP address (the IP address itself is not stored).
When registering for an event, you may be required to give personal information including your name, address, telephone number and email address. You may also be required to provide financial information, including credit card number and expiration date, if you make a payment for an event.
We use social networking services such as Twitter, Facebook and YouTube to communicate with the public about our work. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Twitter, Facebook and YouTube (a Google company) on their websites.
When you save or submit a form using our service it is encrypted and stored in a secure server located in Australia. After we download a submitted form, it is deleted from that server. Saved forms that have not been submitted within the timeframe specified on the form will also be deleted from the server. We will not access or download your saved forms before you submit them unless you consent or unless there is a technical issue that requires investigation.
Common situations in which we disclose information are detailed below.
If you notify Threat Vector X about a data breach we will not disclose personal information about you unless you agree, or would reasonably expect us to. If the breach relates to the My Health Records Act, we may disclose your personal information to the My Health Records System Operator under s 73A of that Act.
We may disclose personal information to another review body if a complainant, applicant or respondent seeks an external review of Threat Vector X’s decision or makes a complaint.
Generally, when we publish decisions, determinations or reports (on the Threat Vector X website and on the Australasian Legal Information Institute website), if you are a party who is an individual we will not publish your name unless you ask for it to be published.
We generally only provide the media with personal information relating to a complaint if you have agreed.
Modern Methodologies uses a number of service providers to whom we may disclose personal information. These include providers that host our website servers, manage our IT and manage our human resources information.
To protect the personal information we disclose we:
· include special privacy requirements in the contract or MOU, where necessary.
We only disclose your sensitive information for the purposes for which you gave it to us or for directly related purposes you would reasonably expect or if you agree, for example, to handle a complaint.
Generally, we only disclose personal information overseas so that we can properly handle the complaint or application. For example, if:
When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
To ensure that the personal information we collect is accurate, up-to-date and complete we:
We also review the quality of personal information before we use or disclose it.
We take steps to protect the security of the personal information we hold from both internal and external threats by:
We destroy personal information in a secure manner when we no longer need it. For example, we generally destroy complaint records after two years.
Under the Privacy Act (Australian Privacy Principles 12 and 13) you have the right to ask for access to personal information that we hold about you, and ask that we correct that personal information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.
We will ask you to verify your identity before we give you access to your information or correct it, and we will try to make the process as simple as possible. If we refuse to give you access to, or correct, your personal information, we must notify you in writing setting out the reasons.
If we make a correction and we have disclosed the incorrect information to others, you can ask us to tell them about the correction. We must do so unless there is a valid reason not to.
If we refuse to correct your personal information, you can ask us to associate with it (for example, attach or link) a statement that you believe the information is incorrect and why.
If you wish to complain to us about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.
If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.
If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior staffer than the staffer whose actions you are complaining about.
We will assess and handle complaints about the conduct of a Threat Vector X staff member against the Threat Vector X values and code of conduct.
We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.
If you are not satisfied with our response you may ask for a review by a more senior officer within Threat Vector X (if that has not already happened) or you can complain to the Commonwealth Ombudsman.