Personal Information: information or an opinion about an identified individual or a reasonably identifiable individual (for example, name, role title, email, phone, business contact details, IP address).
Sensitive Information: includes information about health, biometrics, racial or ethnic origin, political opinions, religious beliefs, union membership, sexual orientation, and criminal records. We only collect or use sensitive information where permitted by law and where reasonably necessary for our functions.
Depending on your interactions with us, we may collect:
We generally do not need sensitive Information. If we must handle it (e.g., where a client engagement or legal/regulatory requirement demands it), we will obtain consent or rely on another permitted ground and apply additional safeguards.
We collect Personal Information directly from you (forms, meetings, email, phone, video calls), automatically via our websites/online services (including cookies and analytics), and from third parties (referrals, partners, background-check providers, or publicly available sources). Where reasonable and practicable, we collect directly from you.
We collect and use Personal Information to:
Where we wish to use personal information for a secondary purpose reasonably related to the primary purpose, we will do so in line with the APPs (or seek consent where required).
Where lawful and practicable (for example, general enquiries), you may interact with us anonymously or using a pseudonym. Some activities (e.g., contracting, support, compliance) require identification.
We may disclose Personal Information (on a need-to-know basis) to:
Some providers may be located outside Australia. Before disclosing Personal Information overseas, we take reasonable steps consistent with APP 8 to ensure the overseas recipient protects the information in a manner consistent with the APPs (for example, by due diligence, contractual commitments and technical safeguards).
Under s 16C, we may remain accountable for certain acts of overseas recipients.
We use cookies and similar technologies to operate our sites, remember preferences and analyse traffic so we can improve content and security. You can control cookies through your browser settings; blocking some cookies may affect site functionality.
We apply appropriate administrative, technical and physical controls to protect Personal Information from misuse, interference and loss and from unauthorised access, modification or disclosure (consistent with APP 11). Measures include access controls (least privilege, MFA), encryption in transit and at rest (where appropriate), network security, monitoring and logging, vulnerability management, secure development practices, supplier due diligence, personnel training and confidentiality obligations.
We do not use client Personal Information to train AI models. If we use AI-assisted tooling to deliver services, we do so only where appropriate safeguards are in place and in accordance with this policy and the APPs.
We retain Personal Information only for as long as required for our functions, or as required by law (for example, business records). When no longer needed, we take reasonable steps to destroy or de-identify Personal Information.
We may send you information about our services that we think is relevant to your role. You can opt out at any time using the unsubscribe link or by contacting us (see Section 15). Where APP 7 applies, we only use or disclose Personal Information for direct marketing in the limited circumstances permitted and always provide a simple opt-out. Electronic marketing is also subject to the Spam Act 2003.
You may request access to the Personal Information we hold about you and request correction if it is inaccurate, out of date, incomplete, irrelevant or misleading. We will respond within a reasonable period (generally within 30 days) and may ask you to verify your identity. We will provide reasons if we decline all or part of a request and tell you how to complain.
If a data breach occurs that is likely to result in serious harm, we will assess promptly and, where required, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches (NDB) scheme.
Our websites and materials may contain links to third-party sites or services. We are not responsible for their privacy practices. We encourage you to review their privacy notices.
If you have a question or wish to make a privacy complaint, please contact us first. We will acknowledge your complaint and aim to resolve it within 30 days.
If you are not satisfied with our response, you can contact the OAIC. Guidance on lodging a complaint (including online forms) is available on the OAIC website.
We may update this policy from time to time to reflect changes in law or our practices. The latest version will be available on our website and will include the effective date.
Last Updated: 02 September 2025