Agilify Strategy and Innovation Pty Limited
ABN: 50 637 655 577
Effective date: 1 January 2024
Version: 1.0

1. About this policy

Agilify Strategy and Innovation Pty Limited ("Agilify", "we", "us", "our") is committed to protecting the privacy of individuals whose personal information we handle. This policy explains how we collect, hold, use, disclose and protect personal information in accordance with the Privacy Act 1988 (Cth) (the "Privacy Act") and the Australian Privacy Principles ("APPs").

Agilify is a consulting and software development and support organisation serving large commercial and government clients, principally in the financial services and federal government sectors. Our engagements are almost exclusively business-to-business. We do not ordinarily seek, require or wish to collect personal information about our clients' customers, suppliers or business partners in the course of delivering our services, and we take active steps — both contractually and operationally — to avoid doing so.

Nevertheless, in running our business we necessarily handle a limited amount of personal information — principally about our own personnel, the personnel of our clients and prospective clients, job applicants, suppliers and visitors to our website. This policy describes how that information is handled.

2. Scope

This policy applies to personal information handled by Agilify in the conduct of its own business. It does not apply to information we handle solely as a service provider or processor on behalf of a client, where that handling is governed by the terms of our contract with that client and, where applicable, the client's own privacy policy. In those circumstances, the relevant client is the APP entity responsible for the information and queries should be directed to that client.

3. What is personal information?

"Personal information" has the meaning given in the Privacy Act — broadly, information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in a material form or not.

"Sensitive information" is a subset of personal information and includes information about a person's health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record and biometric information.

4. The kinds of personal information we collect and hold

We generally collect and hold only the personal information that is reasonably necessary for our business activities. This typically includes:

• Business contact information for individuals who work for our clients, prospective clients, suppliers and business partners — such as name, job title, employer, business email address, business phone number and correspondence with us.
• Personnel information about our directors, employees and contractors — such as contact details, tax file numbers, superannuation details, bank account details for payment, employment history, qualifications, security clearance status (where relevant to government engagements), performance information and emergency contacts.
• Recruitment information about job applicants — such as contact details, CVs, qualifications, references, right-to-work information and the results of any pre-employment checks.
• Supplier and contractor information — such as contact details and payment details for individuals operating as sole traders or through small entities.
• Website and electronic information — such as IP address, device and browser information, pages viewed and interactions with our online presence (see section 10).
• Information provided in enquiries or correspondence — such as the content of emails, form submissions, meeting notes and call records.

We do not generally collect sensitive information. Where we need to (for example, health or clearance information in connection with an employment relationship or a government engagement), we do so only with the individual's consent or as required or authorised by law.

4.1 Information about our clients' customers, suppliers and business partners

Our services are designed so that we do not need access to personal information held by our clients about their own customers, suppliers or business partners. Where access to such information is unavoidable — for example, when our personnel are embedded in a client environment or when diagnosing software issues using production or production-like data — we:

• treat that information as belonging to the client and governed by our contract with that client;
• use the information only for the purposes of delivering the services; and
• apply our information security controls (see section 10) and any additional controls required by the client.

We do not use such information for our own purposes and we do not disclose it other than as permitted by our contract with the relevant client or as required by law.

5. How we collect personal information

Wherever reasonably practicable, we collect personal information directly from the individual concerned. We may collect personal information:

• during the course of engagements and correspondence with clients and prospective clients;
• when individuals contact us by email, phone, our website or at meetings and events;
• when individuals apply for employment with us, or through recruitment agencies and referees;
• from publicly available sources (such as LinkedIn and company websites) in the ordinary course of business development; and
• through the operation of our website and IT systems.

If we receive unsolicited personal information, we will assess whether we could have collected it in the ordinary course of our activities and, if not, we will destroy or de-identify it as soon as practicable and lawful to do so.

6. Why we collect, hold, use and disclose personal information

We collect, hold, use and disclose personal information for purposes connected with operating our business, including:

• providing consulting, software development and support services to our clients;
• responding to enquiries and managing our relationships with clients, prospective clients and suppliers;
• business development and marketing (on a business-to-business basis);
• recruiting, employing and managing our personnel;
• administering contracts, invoicing and payments;
• maintaining the security and integrity of our IT systems and premises;
• complying with our legal, regulatory and contractual obligations, including obligations to federal government clients; and
• other purposes reasonably expected by the individual or permitted by law.

Where we use personal information for a secondary purpose, we do so only where the secondary purpose is related to the primary purpose and the individual would reasonably expect us to use it in that way, or where the individual has consented or the use is otherwise permitted by the Privacy Act.

7. Disclosure of personal information

We disclose personal information only where necessary for the purposes set out above. Recipients may include:

• our personnel, on a need-to-know basis;
• our clients, where relevant to the engagement;
• our professional advisers (such as lawyers and accountants);
• our IT, hosting, communications and professional services providers;
• recruitment agencies and background check providers, in the context of recruitment;
• government agencies, law enforcement or regulators, where required or authorised by law; and
• a purchaser or prospective purchaser of our business or assets.

We do not sell personal information, and we do not disclose personal information for the purpose of direct marketing by third parties.

8. Overseas disclosure

Some of the third-party services we use to run our business (for example, cloud hosting, email, productivity and customer relationship management platforms) may store or process personal information outside Australia. The countries in which our service providers operate may include the United States.

Before disclosing personal information overseas we take reasonable steps to ensure the overseas recipient handles the information in a manner consistent with the APPs, typically through contractual protections.

For engagements with federal government clients and certain financial services clients, we apply additional data residency and hosting controls as required by the applicable contract.

9. Data quality

We take reasonable steps to ensure that the personal information we collect is accurate, up to date and complete, and that the personal information we use or disclose is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.

10. Data security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Our controls include:

• access controls and role-based permissions on our IT systems;
• multi-factor authentication for staff access to business systems;
• encryption of data in transit and, where appropriate, at rest;
• endpoint protection and patch management;
• secure software development and code review practices;
• confidentiality obligations in employment and contractor agreements;
• security training and awareness for our personnel;
• due diligence on our service providers and suppliers; and
• physical security of our premises and devices.

Additional controls — including Australian data residency, personnel security clearances and alignment with frameworks such as the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) — may apply in the context of federal government engagements. Equivalent controls aligned to APRA CPS 234 and similar standards may apply to financial services engagements.

Despite our controls, no method of transmission or storage is completely secure. If you suspect any misuse or loss of, or unauthorised access to, your personal information held by us, please contact us (see section 15).

11. Retention and destruction

We retain personal information only for as long as it is needed for the purposes for which it was collected, or as required by law or by the terms of the relevant client contract. When personal information is no longer required, we take reasonable steps to destroy it or to ensure it is de-identified.

12. Notifiable data breaches

If we become aware of a data breach involving personal information that is likely to result in serious harm to affected individuals, we will respond in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. This includes notifying affected individuals and the Office of the Australian Information Commissioner ("OAIC") as required. Where the breach involves information handled on behalf of a client, we will also notify the client in accordance with our contractual obligations.

13. Cookies and website analytics

Our website may use cookies and similar technologies to help the site function, to remember preferences and to understand how the site is used.

You can configure your browser to refuse cookies or to alert you when cookies are being sent. Some parts of our website may not function properly if cookies are disabled.

14. Accessing and correcting your personal information

You may request access to, or correction of, the personal information we hold about you by contacting us using the details in section 15. We will respond to your request within a reasonable period (generally within 30 days).

We will provide access unless we are permitted or required to refuse access under the Privacy Act (for example, where providing access would unreasonably impact the privacy of others, or where the information relates to existing or anticipated legal proceedings). If we refuse your request, or refuse to provide access in the manner you requested, we will give you written reasons and information about how to complain.

There is no charge for making a request, but we may charge a reasonable fee for providing access (for example, where significant collation is required). We will not charge for making a correction.

If you believe information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us and we will take reasonable steps to correct it.

15. Contact us and complaints

If you have any questions about this policy, or if you wish to make a privacy complaint, please contact us:

Privacy Officer
Agilify Strategy and Innovation Pty Limited
7 Burrawong Avenue
MOSMAN NSW 2088
Australia

We will acknowledge your complaint promptly and aim to provide a substantive response within 30 days. If we need more time, we will let you know.

If you are not satisfied with our response, you may refer your complaint to the OAIC:

Office of the Australian Information Commissioner
GPO Box 5288, Sydney NSW 2001
Phone: 1300 363 992
Website: www.oaic.gov.au

16. Changes to this policy

We may update this policy from time to time. The current version will be published on our website, and the "Effective date" at the top of the policy will indicate when it was last updated. We encourage you to review this policy periodically.