Analytics8 is a specialist data and analytics consulting organisation that delivers bespoke data and analytics life cycle, strategic planning, implementation and support solutions and provides consulting services and managed services relating to data warehousing and management, advanced analytics, reporting and data visualization across multiple industries (Services).
We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (the Privacy Act). We also comply with the EU General Data Protection Regulation (GDPR) in relation to all personal data that we collect, hold, disclose and otherwise process, but only when the processing is within the scope of the GDPR (GDPR Data).
What is personal data?
The types of personal information we collect
Our policy is to minimise the amount of personal data we collect. Accordingly, we only collect personal data that is adequate, relevant and limited to what is necessary for the purpose for which it is to be processed and only where we are entitled by law to collect it. We may also use collected personal data for other related, directly related or compatible purposes (if and where permitted by applicable law).
We collect the following types of personal data:
- Contact details, transaction, employment and payment data: We collect gender, job titles, telephone numbers, mobile phone numbers, email addresses, occupation, credit card details, tax file numbers, transactional and payment data as well as other data of our employees and clients that they submit to us. We will process this personal data in order to administer our client, employment and business relationships and to otherwise enforce our rights and comply with our obligations.
- Managed Services technical data: When providing our Services, we may monitor or access our clients’ computer, network and other equipment remotely or on site. In the course of doing so, we will collect and process information about that equipment and any software and data processed by that equipment. This information includes IP addresses, server names, database names, network names, serial numbers of equipment used, WiFi passwords, computer names, application names, browser history, user access logs, usernames, passwords, technical support log tickets, bandwidth used, error messages, social media handles, FTP server addresses, usernames and passwords, hostnames, subnet masks, router names, server addresses, hosting account usernames and passwords.
- Computer and network usage data: Subject to applicable laws, we may carry out electronic surveillance of our employees and contractors when they use our computer equipment, smartphone devices and networks to monitor compliance with company policies (including our Corporate IT Systems and Social Media Policy). This surveillance includes tracking and monitoring, reviewing and logging emails sent and received, websites visited, content viewed and files uploaded/downloaded. It also includes IP addresses, server names, database names, network names, serial numbers of equipment used, WiFi passwords, computer names, application names, browser history, user access logs, usernames, passwords, technical support log tickets, bandwidth used, error messages, social media handles, FTP server addresses, usernames and passwords, hostnames, subnet masks, router names, server addresses, hosting account usernames and passwords.
In the course of providing services to our Clients, we may be given access to personal data contained in one or more databases or software platforms hosted by the Client and/or the Client’s third-party suppliers (Client Databases) and/or if requested by our clients, to process and/or receive personal data held in Client Databases. These Client Databases and the content contained within them may include any type of personal data including sensitive data and health data. We only process this type of data in order to deliver the Services that we have been engaged by the Client to provide.
Who we collect personal data about
We collect personal data of:
- people who download content from our website;
- our officers, directors, agents, employees and subcontractors;
- our clients (and their officers, agents, directors, employees and subcontractors);
- other parties to a transaction or dispute that we or our clients have entered into or are considering entering into or negotiating, and their representatives;
- our suppliers (and their officers, directors, agents, employees and subcontractors);
- individuals who participate in our surveys;
- employees, potential employees, subcontractors, potential subcontractors and work experience applicants;
- any person where it is necessary to do so in order to provide the Services that we are engaged or instructed by our clients to perform; and
- the representatives of other service providers, hosting providers of Client Databases and other third parties who may contact us about our clients and who we deal with on behalf of our clients.
How we collect personal information
We collect personal data in the following ways:
- when we take notes during meetings, interviews, telephone calls, conferences and events;
- through emails, letters and other correspondence and documents that we receive from clients, potential clients and others;
- when we are contacted by or communicate with any person online, through social media, email, communication tools such as Skype, online chat programs, blogs and the contact forms on our websites;
- when we are provided with completed surveys or questionnaires that we may distribute;
- when people apply for employment with us or offer to provide us with goods or Services as suppliers and contractors (for example, potential employees will provide us with personal information that we will collect when they provide us with references, resumes and attend job interviews);
- when our employees, agents, contractors and suppliers provide us with personal data;
- when our distributors, resellers and channel partners provide us with personal data that they collect about clients and potential clients;
- when we trade business cards with any person;
- when it is sent to us by our clients for the purpose of providing us with instructions or information necessary for us to process in order to provide Services to our clients; and
- where any person voluntarily discloses it to us.
How we hold and use personal data
We hold personal data that we collect in our offices, computer systems, and third party owned and operated hosting facilities. We use personal data for the following purposes:
- in order to verify a person’s identity when we are contacted to ensure that we know who we are communicating with;
- to communicate with our clients and potential clients, employees, our client’s end users, agents, subcontractors, suppliers and colleagues, whether by telephone, email, post or otherwise;
- to provide our clients with our Services and to administer, maintain and answer questions about our Services;
- in order to send newsletters and other communications to our clients concerning our Services, events and business opportunities;
- to send marketing material to clients and other individuals in our newsletter database who we believe may be interested in the content of our marketing material;
- to enforce our rights and comply with our contractual and other legal obligations;
- to issue bills and invoices to our clients and others, and to enforce the payment obligations of our clients to pay our fees;
- in order to consider a person as a potential employee or contractor (for example, by checking a person’s references or considering the person’s resume and arranging interviews) and to pay our employees and contractors their wages, salaries, service fees and other entitlements;
- when conducting publicity campaigns;
- to handle complaints;
- to manage employee records;
- in order to process an application for our Services or provide Services to any client;
- to identify customers and other individuals when we are contacted with questions or concerns regarding the products and Services we provide;
- in order to configure a new service for our customers;
- when conducting research and development of our products and Services;
- in order to conduct checks for credit worthiness; and
- for direct marketing purposes.
Who we disclose personal data to
We will only disclose personal data that we collect to third parties as follows:
- To our suppliers who host our files and databases in the cloud – we store backup copies of our computer files, software and databases in the cloud with our hosting providers who host those files, and that software and databases (including any personal data contained in them) on our third party hosting providers’ computer servers located in their data centres;
- To other parties to a commercial arrangement where necessary in order to provide our Services – for example we may need to supply your name to the professional advisors of other parties who you are dealing with (or any regulator) where we agree to provide you with Services with regards to any matter, including but not limited to, where a client authorises us to do so we may need to provide the client’s personal data to its agents or other professional advisors;
- To our resellers, distributors, agents and channel partners – we may appoint resellers, distributors, agents and channel partners to sell our products and Services, or to manage parts of our business for us. In the course of those relationships, we may provide client or potential client personal data to them, or they may provide client or potential client personal data to us that they have collected for us;
- So that we can obtain assistance from our suppliers, related bodies corporate, affiliates and corporate group with the provision of our Services – in which case we may disclose your personal data to our suppliers and subcontractors as well as to members of our corporate group who we may subcontract the provision of all or part of our Services to. For example, we may use printing providers who print documents on our behalf which contain personal data, couriers who deliver documents on our behalf which contain personal data, and share computers which contain personal data with our related bodies corporate;
- Conducting publicity campaigns – in which case we may disclose your personal data to our marketing suppliers;
- Handling claims, legal disputes and complaints – in which case we may disclose your personal data to our insurers, lawyers, accountants and other professional advisors;
- Sending out a newsletter – in which case we may disclose your personal data to our email and newsletter service providers;
- In order to identify our clients and our client’s end-users – when we are contacted with questions or concerns regarding the products and Services that we provide;
- In order to record billing details and process payments from our clients – in which case we will provide client bank account, cheques and credit card details to our bank and merchant facility providers;
- For professional advice – when providing information to our legal, accounting or financial advisors/representatives or debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
- If we sell the whole or part of our business or merge with another entity – in which case we will provide to the purchaser or other entity the personal data that is the subject of the sale or merger;
- Where a person provides written consent to the disclosure of his or her personal data; and
- Where required by law.
We may also provide your personal data to our lawyers, insurers and professional advisors and any court or administrative body, for one or more of the following purposes:
- To obtain or maintain insurance;
- The prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
- To protect or enforce our rights or defend claims;
- Enforcement of our claims against you or third parties;
- The enforcement of laws relating to the confiscation of the proceeds of crime;
- The protection of the public revenue;
- The prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
- The preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of the court or tribunal; and
- Where disclosure is required to protect the safety or vital interests of employees, our clients, our client’s end users or property.
Notifiable data breaches
Since 22 February 2018, data breaches that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner (OAIC), except where limited exceptions apply. For the purposes of the GDPR, certain types of data breaches must also be reported to affected individuals if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. In addition, the GDPR requires organisations to report certain types of data breaches to the relevant supervisory authority. We will notify affected individuals, the OAIC and relevant supervisory authorities of any data breach where we are required to do so in accordance with our legal obligations.
Automated decision making
We use automated decision-making in our business in the course of analysing data provided to us by our clients and reporting to our clients on that data.
Lawful basis of processing
Third party websites and platforms
Our websites may include links to third party websites and platforms. Our linking to those websites and platforms does not mean that we endorse or recommend them. We do not warrant or represent that any third-party website or platform operators comply with applicable data protection laws. You should consider the privacy policies of any relevant third-party websites and platforms prior to sending your personal data to them.
You may interact with social media platforms via social media widgets and tools such as the Facebook Like button and the Facebook pixel that may be installed on our websites. These widgets and tools may collect your IP address and other personal data. Your interaction with such widgets and tools, and any single sign-on services such as Open ID is governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal data.
We take reasonable steps to protect personal data that we hold from unauthorised access, modification and disclosure and implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as follows:
- We perform security testing (including penetration testing of our websites), and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multi-factor authentication, firewalls and antivirus software.
- We maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of any equipment such as electronic tablets and laptops that are provided by clients to provide us with access to Client Databases.
- We require all of our employees, directors, personnel, agents and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements that we enter into with them.
- We carry out security audits of our systems which seek to find and eliminate any potential security risks in our electronic and physical infrastructure as soon as possible.
- If appropriate in the circumstances, taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, we pseudonymize and/or encrypt personal data.
- We implement passwords and access control procedures into our computer systems.
- We have a Data Breach Response Plan in place.
- We have data backup, archiving and disaster recovery processes in place.
- We have anti-virus and security controls for email and other applicable computer software and systems in place.
If you refuse to provide us with personal data
We do not send “junk” or unsolicited e-mail in contravention of the Spam Act 2003 (Cth). We will, however, use e-mail in some cases to respond to inquiries, confirm purchases, or contact clients. These transaction-based e-mails are automatically generated. Anytime a client or visitor receives an e-mail that it does not want from us, they can request that we not send further e-mail by contacting us via email at: firstname.lastname@example.org or using any ‘unsubscribe’ tool contained in any communication we send. Upon receipt of any such request, we will ensure that they cease to receive automated emails from us.
Offshore data transfers
We do not transfer any personal data outside Australia.
Retention and de-identification of personal data
It is our policy to retain personal data in a form which permits identification of any person only as long as is necessary for the purposes for which the personal data was collected; and for any other related, directly related or compatible purposes if and where permitted by applicable law. We will only process personal data that you provide to us for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal data to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person’s vital interests). Where you require personal data to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.
Your rights under the GDPR
Under the GDPR, you have a number of rights that apply with respect to GDPR Data, including:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision making and profiling.
Please contact us if you wish to exercise any of your rights under the GDPR. We will handle all such requests in accordance with our legal obligations. If you withdraw your consent for processing, object to the processing of your personal data or request us to erase your personal data and as a result it is not possible or practical for us to continue providing you with our Services, we may elect to terminate our business relationship with you.
How to access and correct personal data held by us
Our contact details
If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us at the following address:
Privacy Representative and/or Data Protection Officer
Analytics 8 Limited Partnership
Level 8, 350 Collins Street, Melbourne VIC 3000
We will use our best endeavours to resolve any privacy complaint within ten (10) business days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.
If you are not satisfied with the outcome of a complaint or you wish to make a complaint about a breach of the Australian Privacy Principles, you may refer the complaint to the OAIC, who can be contacted using the following details:
Call: 1300 363 992
Address: GPO Box 5218, Sydney NSW 2001
In relation to GDPR Data, you may lodge a complaint with any relevant supervisory authority.