1. Purpose of the policy

AJSBAC is committed to protecting the privacy of personal information obtained through its operations as a professional services firm. AJSBAC is bound by the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs), and any relevant privacy code registered under the Privacy Act.

The purpose of this policy is to generally inform people of:

  • how and when we collect personal information and personal data;
  • how we use and disclose personal information and personal data;
  • how we keep personal information and personal data secure, accurate and up-to-date;
  • how an individual can access and correct their personal information and personal data; and
  • how we will facilitate or resolve a privacy complaint.

2. Policy Statement

The 13 Australian Privacy Principles apply to personal information, that is, information or an opinion (whether true or not) relating to an identified individual or which can be used to reasonably identify that individual. Please note that information about companies is not personal information. However, the principles will apply to an individual who is carrying on a business as a sole trader. All AJSBAC offices are subject to policies and procedures that seek to ensure that the organisation complies with the Australian Privacy Principles.

3. The kinds of personal information we collect and hold

AJSBAC collects personal information for the following purposes: Enquiries from clients; provision of audit services, taxation and business advisory services, and other similar business activities; credit information; marketing services and human resources.
AJSBAC also collects personal information that is reasonably necessary for, or directly related to those purposes.

The specific types of personal information AJSBAC may collect and hold include the following:

  • name;
  • company name;
  • residency;
  • date of birth;
  • country of residence;
  • job title and employer;
  • Tax File Number;
  • Employee record information;
  • CV, resume or application related behaviour;
  • contact details such as address, email address;
  • business/mailing address;
  • title;
  • nature of business;
  • bank account and credit or debit card details;
  • advice received from the client or prospective client that may contain additional personal information, such as family relationships and other business-related connections;
  • qualifications, memberships and other accreditations;
  • financial records;
  • racial or ethnic background, political or religious beliefs; and
  • online interactions with our website, publications, alerts and social media activity.

As set out below, AJSBAC also collects certain information that is not directly and specifically provided by third parties, such as an IP address, browsing pattern on the site, click stream, and the status of cookies placed on a computer. AJSBAC does not collect any personal information other than information reasonably necessary for, or directly relating to, the primary purpose for which AJSBAC has been engaged or may be engaged, or its other functions and activities.

4. How we collect personal information

As much as possible, AJSBAC only collects personal information that has been directly provided to us by our clients or prospective clients, associates of clients, our suppliers or potential suppliers, our employees or potential employees, or is otherwise available in the public domain where this information will assist us with the provision of services to our current and prospective clients. Information may have been provided verbally or in writing (including by email or through web forms).

AJSBAC may from time to time collect personal information from alternative sources. Some examples of these alternative collection events are:

  • concerning an associate of a client or a prospective client (e.g. a spouse or a child) where it is considered unreasonable or impracticable to seek this same information directly from the associate;
  • when we collect personal information about you from third parties;
  • personal information collected from your business card;
  • when we collect personal information about you from a referee provided by you on an application made with us;
  • when we collect information from you in order to provide you with services, a quote for services or our invoices in relation to services rendered;
  • when we collect personal information about you when you register to attend or attend an event; or
  • when we collect personal information about you from publicly available sources including but not limited to, court judgments, directorship and bankruptcy searches, Australia Post, White Pages directory, and social media platforms (such as LinkedIn, Facebook, Twitter, Google, Instagram etc.).

Also, our website uses cookies to identify site users and their interests and to track usage of the site. Cookies are small pieces of text stored on a computer that help us to know which browser the operator is using, where they have been on the site and any web sites to which they may link in order to use some of our features. By acceptance of our cookie, the user will be permitted access to certain pages of the site without having to log in each time they visit. A user who does not accept the cookie from the site may not be able to access certain areas of the site.

We also log IP addresses, or the location of computers on the internet to help diagnose problems with our server and to administer the site. If the user prefers not to accept a cookie, they can set their web browser to warn them before accepting any cookies. Alternatively, they can refuse all cookies by turning them off in their web browser.

If AJSBAC collects details about you from someone else, we will, whenever reasonably possible, make you aware that we have done this and why, unless special circumstances apply, including as described in this clause below. In general, we will not tell you when we collect personal information about you in the following circumstances:

  • where information is collected from our share registry provider;
  • where information is collected from any personal referee you have listed on any application form (including any employment application) with AJSBAC;
  • where information is collected from publicly available sources including but not limited to, Freedom of Information Act 1982 (Cth), searches, court judgements, directorship and bankruptcy searches, social media platforms (such as Facebook, Twitter, Google, Instagram etc.); or
  • as otherwise required or authorised by law.

Unsolicited information

In the event AJSBAC collects personal information from you, or a third party, in circumstances where we have not requested or solicited that information (known as unsolicited information), and it is determined by AJSBAC (in its absolute discretion) that the personal information is not required, we will destroy the information or ensure that the information is de-identified.

In the event that the unsolicited personal information collected is in relation to potential future employment with AJSBAC, such as your CV, resume or candidacy related information, and it is determined by AJSBAC (in its absolute discretion) that it may consider you for potential future employment, AJSBAC may keep the personal information on its human resource records.

5. How we use your personal information

AJSBAC may at times use and disclose personal information about an individual for the “primary purpose” of collection (i.e. the dominant or fundamental purpose for which that information is collected).

As well as the abovementioned purposes, that “primary purpose” includes facilitating our internal business processes, communicating with clients, prospective clients and other external parties, providing ongoing marketing information about our products and services, complying with our legal obligations and dealing with enquiries and complaints.

In certain circumstances, the law may permit or require us to use or disclose personal information for other purposes (for instance where a client would reasonably expect us to and the purpose is related to the purpose of collection).

For tax clients, tax file numbers:

  • can be collected by tax agents and accountants;
  • can be used only to conduct the client’s affairs; and
  • can be disclosed only to the client and the Australian Tax Office.

Sensitive information

Sensitive information is a subset of personal information. It means information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information about an individual, genetic information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates.

Our policy is that we attempt not to collect sensitive information about our clients or prospective clients, however that may not always be possible. If any of our clients or prospective clients elects to provide us with any sensitive personal information, we will take all reasonable steps to ensure that the sensitive information is securely protected.

In the event we propose to use such personal information other than for the reasons set out in this policy, we will first notify you or seek your consent prior to such use.

6. Disclosure of Personal Information

AJSBAC will ordinarily make the following disclosures of your personal information where it is necessary to support the delivery of the client services or other related activities:

  • third party service providers utilised in connection with any administrative matters;
  • service providers (including IT service providers and consultants) who assist AJSBAC in providing or marketing our services;
  • related entities and related bodies corporate of AJSBAC;
  • third parties in connection with the sale of any part of AJSBAC’s business;
  • our contractors and agents;
  • superannuation details to a fund administrator;
  • Tax File Number Declaration to the Australian Taxation Office;
  • where AJSBAC is required by law to provide personal information so that AJSBAC complies with court orders, subpoenas or other legislation that requires us to provide personal information (for example, a garnishee order);
  • your superannuation company; and
  • the Australian Taxation Office.

We may also provide a client’s or prospective client’s personal information to credit reporting bodies and other credit providers. Our separate credit reporting policy sets out how we deal with credit-related information.

We may also use or disclose your personal information and in doing so we are not required to seek your additional consent:

  • when it is disclosed or used for a purpose related to the primary purposes of collection detailed above and you would reasonably expect your personal information to be used or disclosed for such a purpose;
  • if we reasonably believe that the use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or to lessen or prevent a threat to public health or safety;
  • if we have reason to suspect that unlawful activity has been, or is being, engaged in; or
  • if it is required or authorised by law.

Should it be necessary for AJSBAC to forward personal information to third parties outside the firm, we will make every effort to ensure that the confidentiality of the information is protected.

In the event we propose to disclose such personal information other than for the reasons set out in this policy, we will first notify you or seek your consent prior to such disclosure.

If you have received communications from us and you no longer wish to receive those sorts of communications, you should contact us via the details set out at Section 10 and we will ensure the relevant communications cease.

Overseas disclosures

The nature of our business activities may on occasion require that personal information be disclosed to overseas recipients in order to provide the services contemplated under the terms of our engagement or prospective engagement. The location of any overseas recipients of this information will depend upon the nature of the client assignment being conducted or contemplated, and could include Israel, Mauritius, Netherlands, New Zealand, Singapore, the United Kingdom, and the United States.

As we use service providers and platforms which can be accessed from various countries via an Internet connection, it is not always practicable to know where your information may be held. If your information is stored in this way, disclosures may occur in countries other than those listed above.
In addition, we may use overseas IT services (including software, platforms and infrastructure), such as data storage facilities or other IT infrastructure. In such cases, we may own or control such overseas infrastructure or we may have entered into contractual arrangements with third party service providers to assist AJSBAC with providing our products and services to you.

By submitting your personal information to AJSBAC, you expressly agree and consent to the disclosure, transfer, storing or processing of your personal information outside of Australia. In providing this consent, you understand and acknowledge that countries outside Australia do not always have the same privacy protection obligations as Australia in relation to personal information.

The Privacy Act 1988 requires us to take such steps as are reasonable in the circumstances to ensure that any recipients of your personal information outside of Australia do not breach the privacy principles contained within the Privacy Act 1988. By providing your consent, under the Privacy Act 1988, AJSBAC is not required to take such steps as may be reasonable in the circumstances. However, despite this, we acknowledge the importance of protecting personal information and have taken reasonable steps to ensure that your information is used by third parties securely and in accordance with the terms of this Privacy Policy.

If you do not agree to the disclosure of your personal information outside Australia by AJSBAC, you should (after being informed of the cross border disclosure) tell AJSBAC that you do not consent. To do this, either elect not to submit the personal information to AJSBAC after being reasonably informed in a collection notification, or please contact us via the details set out at Section 10.

7. Direct marketing

You give your express and informed consent to us using your personal information set out in Section 3 where that information relates to the provision of services to you or marketing activities to provide you with information and to tell you about our products, services or events or any other direct marketing activity (including third party products, services, and events) which we consider may be of interest to you, whether by post, email, SMS, messaging applications and telephone (Direct Marketing Communications).

If you have provided inferred or implied consent (e.g. not opting out where an opt-out opportunity has been provided to you) or if it is within your reasonable expectation that we send you Direct Marketing Communications given the transaction or communication you have had with us, then we may also use your personal information for the purpose of sending you Direct Marketing Communications which we consider may be of interest to you.

If at any time you do not wish to receive any further Direct Marketing Communication, you may ask us not to send those to you or disclose your information to other organisations for that purpose by using the “unsubscribe” facility in the Direct Marketing Communications.

8. Credit information and our Credit Reporting Policy

The Privacy Act 1988 (Cth) contains provisions regarding the use and disclosure of credit information, which applies in relation to the provision of both consumer credit and commercial credit.

As we provide terms of payment of accounts which are greater than 7 days, we are considered a credit provider under the Privacy Act in relation to any credit we may provide you (in relation to the payment of your account with us).

We use credit related information for the purpose set out in Section 3 above and our Credit Reporting Policy.

We will store your credit information you provide us or we obtain about you in accordance with our Credit Reporting Policy. Please refer to our Credit Reporting Policy if you wish to make a complaint about our handling of your credit information.

9. How we store your personal information

Once we collect your personal information, we will either hold it securely and store it on infrastructure owned or controlled by us or with a third party service provider who has taken reasonable steps to ensure they comply with the Privacy Act.

AJSBAC will take all reasonable steps to protect against the loss, misuse and/or alteration of the information under its control, and that the information it holds is accurate, complete and up to date including through appropriate physical and electronic security strategies.

Only authorised AJSBAC personnel are provided access to personal information, and these employees are required to treat this information as confidential. We may need to maintain records for a significant period of time. However, when we consider information is no longer needed, we will destroy or permanently de-identify these records.

Our policy is that all electronic records are only stored within Australia whenever this is commercially feasible. However, on occasion, a limited number of specialist software applications may involve the storage of personal data at an overseas location where a suitable alternative is not available. We presently disclose some information to the jurisdictions in Section 6 of this policy in limited circumstances.

AJSBAC will only store data with an external provider if a technical assessment of a service provider’s security protocols is considered to meet or exceed the level of security that AJSBAC could apply if the electronic data were to be stored in AJSBAC’s own in-house systems and where we are satisfied that AJSBAC is able to meet its commitments under Australian Privacy Legislation.

10. Accuracy of personal information

AJSBAC will take all reasonable steps to make sure that any personal information collected, used or disclosed is accurate, complete and up to date. As the accuracy of personal information largely depends on the information that you provide to us, we request that you advise us of any errors in or updates required to your personal information. If you believe that the information we hold about you is inaccurate or out of date, you may contact our Privacy Officer (refer Section 10) and we will update the relevant information accordingly.

11. Access to personal information

Under the Australian Privacy Principles, you have the right to request access to any personal information that we may hold about you and to advise us if the information should be corrected. The Australian Privacy Principles set out the circumstances when we can refuse those requests. If we do refuse your request, we will provide you with a written notice that sets out the reasons (unless it would be unreasonable to provide them to you).

Subject to our right to refuse access, AJSBAC will provide you with a report that lists any personal information that we may hold about you.

Our policy is to provide written acknowledgement of our receipt of any request for access to personal information or a request for correction of personal information within 7 days of the request being received. We will then provide a written response within 30 days of our receipt of the request.
If you would prefer to submit a privacy request using a pseudonym or otherwise keep your identity secret, AJSBAC will do its best to support that request if it is feasible to do so under the circumstances.

12. Complaints

We have put in place an effective mechanism and procedure to resolve privacy complaints and enquiries. We will ensure that all complaints and enquiries are dealt with in a reasonably appropriate timeframe so that any decision (if any decision is required to be made) is made expeditiously and in a manner that does not compromise the integrity or quality of any such decision (in respect of a complaint).

If you wish to make an enquiry about your personal information at AJSBAC, or make a complaint because you believe that we may have breached the Australian Privacy Principles or a privacy code that applies to us, please email Alex (our nominated Privacy Officer) at alex@ajsbusinessconsulting.com.au or telephone 0408002297.

You may also write to us at PO Box 120 Bonnyrigg NSW 2176.

In order to resolve a complaint, we:

  • will liaise with you to identify and define the nature and cause of the complaint;
  • may request that you provide the details of the complaint in writing;
  • will keep you informed of the likely time within which we will respond to your complaint; and
  • will inform you of the legislative basis (if any) of our decision in resolving such complaint.

We will respond to each request within a reasonable time. We will also maintain a record of your complaint in a Register of Complaints.

If a party has lodged a complaint with AJSBAC and is not satisfied with our response, they may contact the Office of the Australian Information Commissioner.

13. Consent, modifications and updates

This policy is a compliance document prescribed by law rather than a legal contract between two or more persons. However, certain contracts may incorporate all, or part, of this policy into the terms of that contract. In such instances, AJSBAC may incorporate the terms of this policy such that:

  • certain sections or paragraphs in this policy are incorporated into that contract, but in such a way that they do not give rise to contractual obligations onto AJSBAC, but do create contractual obligations on the other party to the contract; and
  • the consents provided in this policy become contractual terms provided by the other party to the contract.

By using our website, engaging us to provide you with services, where you have been provided with a copy of our policy or had a copy of our policy reasonably available to you, you acknowledge and agree that you:

  • give the consents given by you in this policy; and
  • have been informed of all of the matters in this policy.

We reserve the right to modify our policy as our business needs require. We will take reasonable steps to notify you of such changes (whether by direct communication or by posting a notice on our website). If you do not agree to our continued use of your personal information due to the changes in our policy, please cease providing us with your personal information and contact us via the details set out at Section 10 of this document.

Information Security and Privacy Statement

Introduction

AJSBAC has an active digital security program in place governed by the following:

  • AJSBAC’s IT & Digital Security obligations include compliance with a number of technical and governance information security controls.
  • AJSBAC’s Information Security Policy and regular assessments against industry standard certifications and/or industry-standard frameworks.
  • Regular information security audits of IT services, infrastructure and office locations.
  • Digital security is incorporated as an integral component of our risk management programs.

Privacy

Where necessary to enable us to conduct our business, clients may provide AJSBAC with information relating to an identified or identifiable individual (‘personal data’). AJSBAC is committed to protecting the privacy of personal data.

At AJSBAC, personal data shall not be collected, used or disclosed except in compliance with governing legislation and the main principles of the protection of personal data.

AJSBAC will take appropriate technical and organisational measures designed to protect against misuse and accidental loss or disclosure, and from unauthorised or unlawful processing, destruction or alteration of personal data, and will comply with applicable laws in the event of any personal data breach.

Information Security

Information Security Policy

AJSBAC’s Information Security Policy has been developed to align with ISO 27000, an internationally-recognised standard for information security.

The responsibility to comply with these standards lies with Alex Stojanovic.

Information Security Incidents

AJSBAC’s Incident Response Policy defines how information security incidents are to be managed and reported.

A specially-nominated officer is responsible for reporting security-related incidents and any relevant information security developments.

Confidentiality

All employees are requested to sign a confidentiality agreement and are subject to background and police checks before commencing employment with the relevant AJSBAC member firm to maintain the confidentiality of any sensitive client information they may have access to when carrying out their duties.

Employees also agree to an Acceptable Usage Policy (which includes password policies) and undertake regular security awareness programs.

Access Control

Privileged access to all systems is controlled and monitored.

User access to data and systems is carefully managed and controlled, based on the least privilege principle where applicable.

Encryption

Data encryption is provided as standard on all staff devices, and enrolment in a specific mobile device management system is mandatory for all mobile platforms and devices that have access to corporate systems and data.

For sensitive data, file transfers are conducted via secure means, and appropriate levels of security are applied when exchanging information.