About this policy
We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (the Privacy Act). We comply with the European Union (EU) General Data Protection Regulation (GDPR) in relation to all personal data that we collect, hold, disclose and otherwise process, whether or not the personal data is within the GDPR (GDPR data) scope.
What is personal data?
Article 4(1) of the GDPR defines personal data as any information about an identified or identifiable natural person (data subject). An identifiable natural person is someone who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The types of personal information we collect
Our policy aims to minimise the amount of personal data we collect. We only collect personal data that is adequate, relevant and limited to what is necessary to be processed and only where we are entitled by law to collect it. We may also use collected personal data for other related, directly related or compatible purposes (if and where permitted by applicable law).
We collect the following types of personal data:
- Contact details, transaction, employment and payment data: We collect names, gender, job titles, telephone numbers, mobile phone numbers, email addresses, occupation, credit card details, tax file numbers, bank account details, records of products and services supplied to a person, postal addresses, residential addresses, business addresses, information contained in resumes and employment records such as employment history, education, qualifications, medical certificates, academic transcripts, salary details, superannuation account detail, and criminal record personal data contained in comments and feedback, personal preferences. We will process this personal data in order to administer our client, employment and business relationships, to answer questions about and to provide and manage our services, and to otherwise enforce our rights and comply with our obligations.
- Client databases: In the course of providing our services we may host client databases or content specifically at the request of our clients that our clients have provided to us. These databases and content may include any type of personal data.
- Managed services technical data: When providing our managed services, we may monitor or access our clients’ computer, network and other equipment remotely or on site. In the course of doing so, we will collect and process information about that equipment and any software and data processed by that equipment. This information includes IP addresses, server names, database names, network names, serial numbers of equipment used, Wi-Fi passwords, computer names, application names, browser history, user access logs, usernames, passwords, technical support log tickets, bandwidth used, error messages, social media handles, FTP server addresses, usernames and passwords, hostnames, subnet masks, router names, server addresses, hosting account usernames and passwords.
- Computer and network use data: Subject to applicable laws, we may carry out electronic surveillance of our employees and contractors when they use our computer equipment, smartphone devices and networks to monitor compliance with company policies (including our corporate IT systems and social media policy). This surveillance includes tracking and monitoring, reviewing and logging emails sent and received, websites visited, content viewed and file uploaded/downloaded. It also includes IP addresses, server names, database names, network names, serial numbers of equipment used, Wi-Fi passwords, computer names, application names, browser history, user access logs, usernames, passwords, technical support log tickets, bandwidth used, error messages, social media handles, FTP server addresses, usernames and passwords, host names, subnet masks, router names, server addresses, hosting account usernames and passwords.
- Telecommunications data: As an internet service provider, we are required to retain data about communications under Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (TIA Act). This information is retained for two (2) years from the date that we create it. We are also required under the TIA Act to retain subscriber information for two (2) years from the date the relevant account is closed. The data that we retain in accordance with our obligations under the TIA Act may be disclosed to law enforcement agencies. The specific types of personal information that we may be required to collect and retain under the TIA Act are as follows:
|1||The subscriber of, and accounts, services, telecommunications devices and other services relating to the relevant service||(a) Any information that is one or both of the following: (i) any name or address information (ii) any other information for identification purposes, being information used by the service provider for the purposes of identifying the subscriber of the relevant service. (b) Any information about any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device. (c) Any information that is one or both of the following: (i) billing or payment information (ii) contact information relating to the relevant service, being information used by the service provider in relation to the relevant service. (d) Any identifiers relevant to the service or any related account, service or device, being information used by the service provider in about the relevant service or any related account, service or device. (e) The status of the relevant service, or any related account, service or device.|
|2||Communication source||Related account service or device identifiers, from which the communication has been sent by means of the relevant service.|
|3||A communication destination||Identifiers of the account, telecommunications device or relevant service to which the communication: (a) has been sent (b) has been forwarded, routed, or transferred, or attempted to be forwarded, routed or transferred.|
The date, time and duration of a communication, or of its connection to a relevant service
|The date and time (including the time zone) about the communication (with sufficient accuracy to identify the communication): (a) the start of the communication (b) the end of the communication (c) the connection to the relevant service (d) the disconnection from the relevant service.|
|5||Communication type or relevant service used in a communication connection||(a) The communications type, such as voice, SMS, email, chat, forum, social media. (b)The relevant service type, such as ADSL, Wi-Fi, VoIP, cable, GPRS, VoLTE, LTE. (c) The relevant service features that were or would have been used by or enabled for the communication, such as call waiting, call forwarding, data volume use. Note: This item will only apply to the service provider operating the relevant service: see paragraph 187A(4)(c).|
|6||Equipment location, or a line, used in communication connection||(a) The equipment location or line at the start of the communication. (b) The equipment location or line at the end of the communication. |
Examples include cell towers, Wi-Fi hotspots.
We may also be required by law to intercept communications content made on our telecommunications networks and provide that content to law enforcement agencies. The data type that may be intercepted include websites visited, packets downloaded, connection duration, IP addresses, customer premises equipment used serial numbers, and any other data transmitted via our networks and captured by our servers.
We collect personal data about
- any person who contacts us with enquiries about our services by any/all communications channels
- people who download whitepapers and other content from our website
- our officers, agents, employees and subcontractors
- our clients (and their officers, agents, employees and subcontractors)
- other parties to a transaction or dispute that we or our clients have entered into or are considering entering into or negotiating, and their representatives
- our suppliers (and their officers, agents, employees and subcontractors)
- individuals who participate in our surveys
- employees, potential employees, subcontractors, potential subcontractors and work experience applicants
- any person where it is necessary to do so in order to provide the services that we are engaged or instructed by our clients to perform
- the service providers and other third parties representatives who may contact us about our clients, and who we deal with on behalf of our clients.
We collect personal data when
- our clients and potential clients fill out forms with their personal data
- we take notes during meetings, interviews, telephone calls, conferences and events
- through emails, letters and other correspondence and documents that we receive from clients, potential clients and others
- we are contacted by, or communicate with, any person online, through social media, email, communication tools such as Skype, Massager, online chat programs, blogs and the contact forms on our websites
- we are provided with completed surveys or questionnaires that we may distribute
- people apply for employment with us or offer to provide us with goods or services as suppliers and contractors (for example, potential employees will provide us with personal information that we will collect when they provide us with references, resumes and attend job interviews)
- our employees, contractors and suppliers provide us with personal data
- when our distributors, resellers and channel partners provide us with personal data that they collect about clients and potential clients
- we trade business cards with any person
- when it is sent to us by our clients to providing us with instructions or information necessary to provide services to our clients
- it is included in contracts that we enter
- through websites, public registers, directories such as telephone directories and business name and company searches
- providing our services
- we obtain databases containing personal data that our clients provide us with so that we can provide services to them which rely on those databases where any person voluntarily discloses it to us.
We hold and use personal information
We hold personal data that we collect in our offices, computer systems, and third party owned and operated hosting facilities. We use personal data:
- to verify a person’s identity to make sure we know who we are communicating with;
- to communicate with our current and potential clients, employees, subcontractors, suppliers and colleagues, whether by telephone, email, post or otherwise;
- to provide clients with our services and to administer, maintain and answer questions about our services
- to send newsletters and other communications to our clients about our services, events and business opportunities
- to send marketing material to clients and other individuals in our newsletter database who we believe may be interested in our marketing material
- to enforce our rights and comply with our contractual and other legal obligation
- to issue bills and invoices to our clients and others, and to enforce the payment obligations of our clients to pay our fees
- to consider a person as a potential employee or contractor (for example, by checking a person’s references or considering the persons’ resume and arranging interviews) and to pay our employees and contractors their wages, salaries, service fees and other entitlements
- when conducting publicity campaigns
- to handle complaints
- to manage employee records
- to process an service application
- to identify an individuals when we are contacted with questions or concerns about the products and services we provide
- to configure a new service for our customers
- when conducting research and development of our products and services
- to conduct checks
- to market.
We disclose personal data:
- To suppliers who host our files and databases in the cloud – we store backup copies of our computer files, software and databases in the cloud with our hosting providers who host those files, and that software and databases (including any personal data contained in them) on our third party hosting providers’ computer servers located in their data centres.
- To hosting providers who host our clients’ databases and content – where necessary or practical to do so for the purposes of providing services to our clients or for the purposes of operating our business, we hold our clients’ databases and content (including any personal data contained in them) on third party computer servers in the data centres of our hosting providers.
- To other parties to a commercial arrangement where necessary in order to provide our services – for example we may need to supply your name to the professional advisors of other parties who you are dealing with (or any regulator) where we agree to represent you or provide you with services with regards to any matter, including but not limited to, where a client authorises us to do so we may need to provide the client’s personal data to its agents or other professional advisors.
- To our resellers, distributors, agents and channel partners – we may appoint resellers, distributors, agents and channel partners to sell our products and services, or to manage parts of our business for us. In the course of those relationships, we may provide client or potential client personal data to them, or they may provide client or potential client personal data to us that they have collected for us.
- So that we can get help from our suppliers and corporate group with our services provisions – in which case we may disclose your personal data to our suppliers and subcontractors as well as to members of our corporate group who we may subcontract the provision of all or part of our services to. For example, we may use printing providers who print documents on our behalf, couriers who deliver documents on our behalf which contain personal data and share computers which contain personal data with our related bodies corporate.
- Conducting publicity campaigns – in which case we may disclose your personal data to our marketing suppliers.
- Handling claims, legal disputes and complaints – in which case we may disclose your personal data to our insurers, lawyers, accountants and other professional advisors.
- Sending out a newsletter – in which case we may disclose your personal data to our email and newsletter service providers.
- In order to identify our customers and end users – when we are contacted with questions or concerns regarding the products and services that we provide.
- In order to record billing details and process payments from our clients – in which case we will provide client bank account, cheques and credit card details to our bank and merchant facility providers.
- For professional advice – when providing information to our legal, accounting or financial advisors/representatives or debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute.
- If we sell the whole or part of our business or merge with another entity – in which case we will provide to the purchaser or other entity the personal data that is the subject of the sale or merger.
- Where a person provides written consent to the disclosure of his or her personal data.
- Where required by law.
We may also provide your personal data to our lawyers, insurers and professional advisors and any court or administrative body:
- to obtain or maintain insurance
- to prevent, detect, investigate, prosecute or punish criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law
- to protect or enforce our rights or defend claims
- to enforce our claims against you or third parties
- to enforce laws about the proceeds of crime confiscation
- to protect public revenue
- to prevent, detect, investigate or remedy seriously improper conduct or prescribed conduct
- to prepare and conduct court or trial proceeding, or implement court or tribunal orders.
- where disclosure is required to protect the safety or vital interests of employees, end users or property.
Notifiable data breaches
Since 22 February 2018, data breaches that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner (OAIC), except where limited exceptions apply. For the GDPR, certain types of data breaches must also be reported to affected individuals if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. In addition, the GDPR requires organisations to report certain types of data breaches to the relevant supervisory authority. We will notify affected individuals, the OAIC and relevant supervisory authorities of any data breach where we are required to do so in accordance with our legal obligations.
Automated decision making
We do not use automated decision making in our business.
Lawful basis of processing
We will only process GDPR data where we have a lawful basis to do so. Except where specified In or implied in this policy to the contrary, we will only process personal data where necessary for our legitimate interests or the legitimate interests of a third party, or where we are required to do so pursuant to a contract or other legal obligation.
Third party websites and platforms
Our websites may include links to third party websites and platforms. Our linking to those websites and platforms does not mean that we endorse or recommend them. We do not warrant or represent that any third-party website or platform operators comply with applicable data protection laws. You should consider the privacy policies of any relevant third-party websites and platforms prior to sending your personal data to them.
You may interact with social media platforms via social media widgets and tools such as the Facebook ‘like’ button and the Facebook pixel that may be installed on our websites. These widgets and tools may collect your IP address and other personal data. Your interaction with such widgets and tools, and any single sign-on services such as Open ID is governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal data.
We take reasonable steps to protect personal data that we hold from unauthorised access, modification and disclosure and implement technical and organisational measures to make sure a protection level appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as follows:
- We perform security testing (including penetration testing of our websites), and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multifactor authentication, firewalls and antivirus software.
- We maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms.
- We require all our employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements that we enter into with them.
- We carry out security audits of our systems to find and eliminate any potential security risks in our electronic and physical infrastructure as soon as possible.
- We pseudonymise and/or encrypt personal data in appropriate circumstances, considering the state of the art, the implementation costs and the processing nature, scope, content and purpose.
- We implement passwords and access control procedures into our computer systems.
- We have a data breach response plan.
- We have data backup, archiving and disaster recovery processes.
- We have antivirus and security controls for email and other applicable computer software and systems.
- We have processes to ensure the integrity and resilience of systems, servers and personal data
- We have processes for regular testing, accessing and evaluating the technical effectiveness and organisational measures to ensure the processing security.
Our websites include privacy tools that you can use to control how we process personal data that we hold on your behalf. Customers can access these privacy tools in you My Swoop customer account.
If you refuse to provide personal data
If you do not provide us with your personal data, you can only have limited interaction with us. For example, you can browse our website without providing us with personal information, such as the pages that generally describe the services that we make available, and our contact us page. However, when you submit a form on our website, or become a client or otherwise enter a business relationship with us, we need to collect personal data from you to identify who you are, provide you with services, and other purposes described in this policy. You have the option of not identifying yourself or using a pseudonym when contacting us to enquire about our services, but not if you wish to obtain our services. It is not practical for us to provide you with our services if you refuse to provide us with personal data.
We do not send ‘junk’ or unsolicited email that contravenes the Spam Act 2003 (Cth). We will, however, use email in some cases to respond to enquiries, confirm purchases, or contact customers. These transaction-based emails are automatically generated. Anytime a client or visitor receives email it does not want from us they can request that we not send further -mail by contacting us at [email protected] or using any ‘unsubscribe’ tool contained in any communication we send. When we receive your request, we will make sure you don’t receive automated emails from us.
Offshore data transfers
At present, we do not transfer personal data out of Australia. We may transfer your personal data to our contractors and service providers who help us provide our products and services to you, with our business operations generally, or where we consider it necessary for them to provide that help.
Provided that we comply with applicable law, including Australian Privacy Principle 8 (Cross-border disclosure of personal information), and the GDPR, we may transfer your personal data to our offshore contractors and service providers as well, who may be located outside the European Union (EU) or the European Economic Area (EEA).
We will only engage new third parties to process GDPR data that you instruct us to process on your behalf if you have authorised us to do In general written authorisation and otherwise in compliance with the GDPR requirements.
Retention and de-dentification of personal data
It is our policy to keep personal data that only allows people to be identified when it’s necessary for the purposes the personal data was collected, or any other directly related or compatible purposes permitted by law. We will only process personal data that you provide to us for the minimum length of time permitted by law and afterwards to delete or return that personal data to you (except where we also need to retain the data to comply with our legal obligations, or to retain the data to protect your or any other person’s vital interests). When personal data is required to be returned, it will be returned to you at that time, and we will delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable, unless the law requires us to retain the personal data. In which case we will notify you of that requirement and only use such data for the purposes of complying with those laws.
Where the personal data is not GDPR data and is personal information for the Privacy Act purposes), instead of destroying the personal information we may take reasonable steps to de-identify the personal information that we hold about an individual where we no longer need it, the information is not contained in a Commonwealth record and we are not required by Australian law (or a court or tribunal order) to retain it.
Your rights under the GDPR
Under the GDPR, you have several rights, including the right:
- to be informed
- of access
- to rectification
- to erasure
- to restrict processing
- to data portability
- to object
- Rights in relation to automated decision making and profiling.
Please contact us if you wish to exercise any of your rights. We will handle all requests in line with our legal obligations. It may not be possible for us provide you services if you withdraw your consent, object to processing your personal data or request us to erase your personal data and we may elect to terminate our business relationship with you.
How to access and correct personal data
Please contact us to access the personal data that we hold about you. Your will be handed In line with our statutory obligations.
To make sure that we only obtain, collect, use and disclose accurate, complete and up to date personal data, we encourage you to let us know if any of your personal details we hold change, or, if any of the personal data held by us is incorrect.
In exchange a reasonable fee, we will provide you (or if you wish, another controller) with a copy of the personal data we hold about you in a structured, commonly used and machine-readable format. However, we will not charge any fee to access your GDPR data where the we are prohibited from doing so.
We are Bosley Holdings Pty Ltd ABN 71613948575 of 1A, 155 Queen Street, Warragul VIC 3820. You can contact us about our privacy practices or your personal data we hold at:
Privacy Representative/ Data Protection Officer
Head of Residential
PO BOX 296, Warragul VIC 3820
We will do our best to resolve any privacy complaint within ten (10) business days when we receive a complaint or request. This may include working with you to resolve the complaint or us proposing resolution options.
If you are not satisfied with the complaint outcome, or want to make a complaint about a Australian Privacy Principles breach contact the Office of the Australian Information Commissioner (OAIC) on:
- Call: 1300 363 992
- mail: [email protected]
- Address: GPO Box 5218, Sydney NSW 2001
In relation to GDPR data, you may lodge a complaint with any relevant supervisory authority.