CRM

This Privacy Policy is intended to apply to CENTRALIAN RECORDS MANAGEMENT PTY LTD and its related entities (“CRM’ /we/us/our”) details our compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPS) (collectively referred to as the “Privacy Act”). The purpose of this Policy is to provide you with information in relation to how we collect, treat and manage your Personal Information (as defined in s6 of the Privacy Act 1988 (Cth)). It also describes how customers may access and amend Personnel Information held by us on your behalf.

1. Introduction

Your privacy is very important to you, which in turn means that it is very important to us. CRM is in the business of handling information securely and we have spent over 20 years working out the best ways to protect your personal information. We train our employees about the importance of confidentiality and maintaining the privacy and security of your information. Access to your Personal Information is restricted to employees who need it to provide benefits or services to you. This Privacy Policy describes exactly how (and why) we collect, use, store and dispose of your personal information. Personal information is information or an opinion, whether true or not and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable. If you give us personal information packaged in cartons or personal information in digital format for storage, you can be assured that CRM do not use or disclose, or are even aware of, any of the personal information that you store with us. We do however make sure that it is safe and secure. This Privacy Policy does not address in detail the ways in which we provide secure storage, except to say that CRM has developed security processes to the highest standard. Any additional queries or concerns that you may have in relation to the storage of your information is best addressed with the account manager or other authorised CRM representative. CRM will only disclose your personal information that we have collected to others if you have given us permission, or if the disclosure relates to the main reason we collected the information and you would reasonably expect us to do so.

2. The kind of information we collect

Customers

As a customer of our information management services, you may have provided us with personal information to store in either a physical or digital format or to process by way of scanning. In addition, if you are reading this Privacy Policy as a representative of a customer, then, as a result of your employer asking CRM to provide it with information management services, we may collect your personal information. Details like your name, your work contact details, your position and any other personal information that is relevant to your, or your employer’s, use of CRMs services will be collected.

Candidates

If you are a job applicant or a potential employee of CRM, then we may be provided with your CV, birth date, contact details and other background information. We may store this information in a secure physical location and on our data base.

Supplier’s

If you are a supplier of CRM, or a representative of a supplier, then CRM will collect your name, contact details, bank details, background checks and any other information that you have consented to provide and which is reasonably necessary for you to carry out your functions.

3. How we hold, use or store your information

Customers

Where we store your information as a part of our services or to enable us to provide our services, we have developed security measures at the physical site and have developed and implemented global standard operating procedures that cover the handling and storage of your information. These procedures are in turn localised to effectively ensure Australian standards are adhered to. Internally we have developed a set of standards to ensure our policies and procedures meet or exceed industry and government legislative requirements. In some cases, you may be using services that involve digital storage of your information, whether it is in the form of cloud storage, or as a result of us carrying out scanning or data restoration services. In these cases, we may use the following measures:

• Secure work environments and workflow systems that prevent unauthorised access and copying of your personal information.
• Ensuring that all of our employees perform their

Privacy

duties in a manner that is consistent with our legal responsibilities under the Privacy Act.
• Ensuring that paper and electronic records containing Personal Information are stored in facilities that are only accessible by authorised employees.
• Secure server and network environments.
• Virus scanning tools.
• Encryption of data.• Access logging tools that protect against unauthorised access to your data and our network.
• Ongoing security reviews.

When we scan information on your behalf, the scanned images will be retained on our data servers until sent to you and will then be deleted 30 days thereafter. Our data servers are located in Australia. Wherever your personal information is stored, it will be accessed by authorised personnel only to provide technical support or to carry out other functions reasonably necessary to provide the services. This information will not be disclosed or used in any other way without your express authorisation. The digital world is constantly changing, so while these measures have been successful to date, the nature of the medium means that they cannot always be relied upon to be effective. CRM will keep striving to maintain the security of your digital personal information.

Suppliers and candidates

We will store the information that you provide us in a secure physical location or on our data servers which are located within Australia.

4. Why we collect personel information.

We collect personal information from you, or store any information that you give to us, in order for us to carry out the services we have been contracted to provide. We will also use the personal information in order to provide you with news of updated products and services, provide you with news of any marketing campaigns and where it is reasonably necessary for any other related business or marketing purposes. Having your personal information makes it easier for CRM to discuss our services with you and to contact you in a timely manner should we need to. Other reasons we collect personal information are to:
• Manage our business, including hiring staff.
• Comply with our legal obligations.
• Deal with you as a contractor providing services to CRM.

5. How we collect personal information

From you

You may also have provided us with personal information when you requested us to undertake the conversion of documents from a physical format to a digital format.

From others

We may receive personal information from your employers. Or, if you are a potential candidate, we may receive your CV and other background checks from a recruitment agent. You may also have directed others to provide personal information to us on your behalf, for example, the results of medical checks and police background checks. If we have knowledge of the personal information provided to us (as opposed to being provided with material for the purposes of storage) we will take reasonable steps to make sure you are aware that we have your personal information, how we received it and how we will manage it. Through our website and emails If you visit the CRM website, we may collect various non-personal information, such as internet protocol (IP) addresses, the date and time of website visits, the web pages reviewed, any links that you access through emails sent to you and any documents downloaded and the type of browser and operating system used to access the website. Where such information is collected, it may be used and disclosed by us, but only in an anonymous, aggregated form where no individuals are identified. While this information is not of a personal nature, it may become so when analysed or aggregated together with other information, which could lead to the identification of an individual. If this was to happen, we will inform you that we hold information that is capable of identifying you.

6. How to access your personal information

You are entitled to request access to the personal information that we may hold (subject to the exceptions which may apply under the Privacy Act, such as where access to such information may pose a threat to someone’s life), or you may simply want to know what sort of personal information we hold and for what purposes and how we collect, hold, use and disclose that information. If so, you should direct a written request to accounts@centralianrecords.com.au and we will respond within a reasonable time. If we refuse to provide you with access to your personal

Policy

information, we will provide you with reasons for the refusal. If you are a representative of a customer and we hold personal information that we collected directly from you then, there is generally no cost for accessing the personal information we hold about you, unless the request is complex or resource intensive. If there is a charge, it will be reasonable, and we will let you know what it is going to be so that you can agree to it before we go ahead. If you feel that the information that we hold is incorrect or outdated, then we will take all reasonable steps to correct that information. However, where that information is held as part of the materials that you store with us, access to that information will be charged at your standard rates for retrieval and refiling.

7. Who we may share information with.

In the event of non-payment of CRM’s invoices, we may provide personal information to third party debt collectors. We have partnered with a trusted partner to provide digital services We have taken all reasonable measures to ensure that this partner does not breach the obligations under the Privacy Act. The partner limits their access to your personal information to the extent necessary to do their job. Personal information that we have collected directly from you, your personnel or from other representatives of your company are stored on servers in Australia. The content management suite of digital services that we sell is backed up to servers in Australia. By providing your personal information to us, you consent to the transfer of that information.

8. Legal disclosure of personal information

We may disclose personal information in circumstances where we are obliged to do so under Australian law, for example, where we have been provided with a subpoena or warrant that requires access to the information.

9. Data breaches and mandatory notification

CRM will comply with the data breach notification laws in respect of personal information provided directly to it, where it is able to assess whether an eligible data breach (as defined in the Privacy Act) has occurred and which has the potential to cause serious harm to an individual. Where CRM is not able to assess what, if any, harm may be caused by a suspected or actual data breach, for example, in circumstances where CRM provides storage and other related services for a customer and CRM does not know and is not in a position to discover whether such storage or other related services involves the processing of personal information, then CRM will take all reasonably necessary steps to assist the customer to uphold the customer’s obligations to notify any affected individuals and the Office of the Australian Information Commissioner. This will include timely notification to the customer and a description of the actual or suspected data breach.

10. What happens if we no longer need your personal information?

Where CRM no longer provides services to you or where the personal information is no longer reasonably necessary for us to carry out the services, then the information will be securely destroyed in our secure destruction facility or will be permanently deleted from our system.

11. Marketing by Centralian Records Management

We market our services using email, mail and phone. We will provide you with clear advice as to how you may opt out of any marketing activities that we conduct, but where you do not opt out; you will be taken to having consented to us marketing our services to you.

12. Complaints

Any queries or complaints in relation to how we collect, use, disclose, store or destroy your personal information should be directed to accounts@centralianrecords.com.au We will take your query or complaint seriously and respond within a reasonable time to address your concerns or questions.

13. Amendment

Centralian Records Management reserves the right to amend this Privacy Policy from time to time by posting an updated version of this policy on our web site. Please review it regularly for any changes.

14. More information

For any more information about the Privacy Act or your rights, please visit the website of the Office of the Australian Information Commissioner, at www.oaic.gov.au.