Privacy Policy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2024-09-22 | 2024-09-22 | |
Purpose
This Privacy Policy outlines how Vaxa collects, uses, discloses, and manages personal and sensitive information. Our commitment is to protect the privacy of individuals and ensure compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By adhering to these standards, we aim to maintain transparency and trust with our clients, partners, and employees.
Scope
This policy applies to all personal and sensitive information collected, stored, processed, or disclosed by Vaxa in the course of our data analytics, software development, solution design, program design, and advisory services. It encompasses all employees, contractors, consultants, partners, and third parties who handle personal information on our behalf.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| CTO | Set and maintain the technical implementation of this policy across the business. |
| Privacy Officer | Monitor adherence to the Privacy Act and APPs. Provide guidance on privacy matters. Respond to inquiries and manage data breaches alongside the CTO. |
| Employees and Contractors | Comply with this policy and report any privacy concerns. |
| Third Parties | Adhere to privacy obligations when handling information on our behalf. |
Policy
Collection of Personal Information
We collect personal information only when it is necessary for our business functions or activities. This may include:
- Contact Details: Name, address, email, and phone numbers.
- Professional Information: Job titles, employer details, and qualifications.
- Sensitive Information: Health data, racial or ethnic origin, etc., collected only with consent or as required by law.
We strive to collect information directly from individuals. When collecting from third parties, we ensure that consent has been obtained or it is otherwise permissible under the law.
Use and Disclosure
Personal information is used for:
- Providing and improving our services.
- Communicating with clients and stakeholders.
- Fulfilling legal and regulatory obligations.
We do not disclose personal information to third parties except:
- With the individual’s consent.
- When required by law.
- To service providers who assist us in our operations, under confidentiality agreements.
Data Security and Storage
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure. Measures include:
- Physical Security: Secure office premises and restricted access areas.
- Technical Safeguards: Firewalls, encryption, and secure servers.
- Administrative Controls: Policies, procedures, and staff training.
- Retention: Personal information is stored securely and retained only for as long as necessary.
These protections form part of our broader Information Security Policy.
Access and Correction
Individuals have the right to access and correct their personal information held by us. Requests should be directed to our Privacy Officer and will be addressed within a reasonable time frame.
Cross-border Disclosure
We may transfer personal information overseas only if:
- The recipient is subject to laws similar to the APPs.
- Consent has been obtained.
- It is necessary for contractual purposes.
Anonymity and Pseudonymity
Where practicable, individuals may interact with us anonymously or under a pseudonym. However, certain services may require identification.
Direct Marketing
We will not use personal information for direct marketing without consent. Individuals can opt out of marketing communications at any time.
Data Breaches
In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
Complaints Handling
Complaints regarding privacy breaches can be submitted to our Privacy Officer via security@vaxagroup.com. We will investigate and respond promptly, in accordance with our obligations and this policy.
Exceptions
Any exceptions to this policy must be approved by the Managing Director and the Privacy Officer. All exceptions will be documented, including the rationale and duration.
Compliance and Monitoring
We are committed to regular monitoring and review of our privacy practices to ensure compliance. Actions include:
- Training: Regular staff training on privacy obligations.
- Audits: Periodic assessments of data handling practices.
- Policy review: Annual reviews, or updates in response to legislative changes, in line with our Controlled Document procedure.
Non-compliance may result in disciplinary action, including termination of employment or contracts.
Related Documents and Legislation
- Privacy Act 1988 (Cth): available via the Federal Register of Legislation.
- Australian Privacy Principles (APPs): available from the OAIC.
- Office of the Australian Information Commissioner (OAIC): OAIC website.
- Notifiable Data Breaches Scheme (NDB): OAIC guidance.