We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (the “Privacy Act“). We comply with the EU General Data Protection Regulation (“GDPR“) but only to the extent it applies to the personal data that we collect, hold, disclose and otherwise process (“GDPR Data“).
What is personal data?
The Privacy Act defines “personal information” as information or an opinion about an identified individual, or an individual who is reasonably identifiable (a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not. Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5‑1A of that Act.
Article 4(1) of the GDPR defines “personal data” as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The types of personal information we collect
Our policy is to minimise the amount of personal data we collect. Accordingly, we only collect personal data that is adequate, relevant and limited to what is necessary for the purpose for which it is to be processed and only where we are entitled by law to collect it. We may also use collected personal data for other related, directly related or compatible purposes (if and where permitted by applicable law).
We collect the following types of personal data:
|Kinds of information to be kept
|Description of information
|The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
(a) any information that is one or both of the following:
(i) any name or address information;
(ii) any other information for identification purposes;
relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
(b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
(c) any information that is one or both of the following:
(i) billing or payment information;
(ii) contact information;
relating to the relevant service, being information used by the service provider in relation to the relevant service;
(d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
(e) the status of the relevant service, or any related account, service or device.
|The source of a communication
|Identifiers of a related account, service or device from which the communication has been sent by means of the relevant service.
|The destination of a communication
Identifiers of the account, telecommunications device or relevant service to which the communication:
(a) has been sent; or
(b) has been forwarded, routed or transferred, or attempted to be forwarded, routed or transferred.
|The date, time and duration of a communication, or of its connection to a relevant service
The date and time (including the time zone) of the following relating to the communication (with sufficient accuracy to identify the communication):
(a) the start of the communication;
(b) the end of the communication;
(c) the connection to the relevant service;
(d) the disconnection from the relevant service.
|The type of a communication or of a relevant service used in connection with a communication
(a) the type of communication;
Examples: Voice, SMS, email, chat, forum, social media.
(b) the type of the relevant service;
Examples: ADSL, Wi‑Fi, VoIP, cable, GPRS, VoLTE, LTE.
(c) the features of the relevant service that were, or would have been, used by or enabled for the communication.
Examples: Call waiting, call forwarding, data volume usage.
Note: This item will only apply to the service provider operating the relevant service: see paragraph 187A(4)(c).
|The location of equipment, or a line, used in connection with a communication
The following in relation to the equipment or line used to send or receive the communication:
(a) the location of the equipment or line at the start of the communication;
(b) the location of the equipment or line at the end of the communication.
Examples: Cell towers, Wi‑Fi hotspots.
We may also be required by law to intercept the content of communications made on our telecommunications networks and provide that content to law enforcement agencies. The types of data that may be intercepted may include websites visited, packets downloaded, connection duration, IP addresses, serial numbers of customer premises equipment used, and any other data transmitted via our networks and captured by our servers.
Who we collect personal data about
We collect personal data of:
How we collect personal information
We collect personal data in the following ways:
How we hold and use personal data
We hold personal data that we collect in our offices, computer systems, and third party owned and operated hosting facilities. We use personal data for the following purposes:
Who we disclose personal data to
We will only disclose personal data that we collect to third parties as follows:
We may also provide your personal data to our lawyers, insurers and professional advisors and any court or administrative body, for one or more of the following purposes:
Notifiable data breaches
Since 22 February 2018, data breaches that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner (OAIC), except where limited exceptions apply. For the purposes of the GDPR, certain types of data breaches must also be reported to affected individuals if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. In addition, the GDPR requires organisations to report certain types of data breaches to the relevant supervisory authority. We will notify affected individuals, the OAIC and relevant supervisory authorities of any data breach where we are required to do so in accordance with our legal obligations.
Automated decision making
We do not use automated-decision making in our business.
Lawful basis of processing
Third party websites and platforms
Our websites may include links to third party websites and platforms. Our linking to those websites and platforms does not mean that we endorse or recommend them. We do not warrant or represent that any third party website or platform operators comply with applicable data protection laws. You should consider the privacy policies of any relevant third party websites and platforms prior to sending your personal data to them.
You may interact with social media platforms via social media widgets and tools such as the Facebook Like button and the Facebook pixel that may be installed on our websites. These widgets and tools may collect your IP address and other personal data. Your interaction with such widgets and tools, and any single sign-on services such as Open ID is governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal data.
We take reasonable steps to protect personal data that we hold from unauthorised access, modification and disclosure and implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as follows:
If you refuse to provide us with personal data
We do not send “junk” or unsolicited e-mail in contravention of the Spam Act 2003 (Cth). We will, however, use e-mail in some cases to respond to inquiries, confirm purchases, or contact clients. These transaction-based e-mails are automatically generated. Anytime a client or visitor receives e-mail it does not want from us they can request that we not send further e-mail by contacting us via email at: [email protected] or using any ‘unsubscribe’ tool contained in any communication we send. Upon receipt of any such request, we will ensure that they cease to receive automated emails from us.
Offshore data transfers
We may transfer your personal data to our contractors and service providers who assist us with providing our products and services to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance.
Provided that we comply with applicable law, including the provisions of Australian Privacy Principle 8 (Cross-border disclosure of personal information), and the GDPR – in relation to GDPR Data, we may transfer your personal data to our offshore contractors and service providers as well, who may be located outside the European Union (EU) or the European Economic Area (EEA). At present, we do not transfer personal data out of Australia.
We will only engage new third parties to process GDPR Data that you instruct us to process as a processor on your behalf if you have authorised us to do so pursuant to a specific or general written authorisation and otherwise in compliance with the requirements of the GDPR.
Retention and de-identification of personal data
It is our policy to retain personal data in a form which permits identification of any person only as long as is necessary for the purposes for which the personal data was collected; and for any other related, directly related or compatible purposes if and where permitted by applicable law. We will only process personal data that you provide to us for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal data to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person’s vital interests). Where you require personal data to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.
Your rights under the GDPR
Under the GDPR, you have a number of rights, including:
Please contact us if you wish to exercise any of your rights under the GDPR. We will handle all such requests in accordance with our legal obligations. If you withdraw your consent for processing, object to the processing of your personal data or request us to erase your personal data and as a result it is not possible or practical for us to continue providing you with our services, we may elect to terminate our business relationship with you.
How to access and correct personal data held by us
Our contact details
We are Network Solutions Group Pty Ltd ABN 73 609 444 920 of Level 32, 101 Miller Street, North Sydney NSW 2060. If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us at the following address:
Network Solutions Group Pty Ltd
Level 25, 100 Mount Street, North Sydney NSW 2060
We will use our best endeavours to resolve any privacy complaint within ten (10) business days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.
If you are not satisfied with the outcome of a complaint or you with to make a complaint about a breach of the Australian Privacy Principles you make refer the complaint to the Office of the Australian Information Commissioner (OAIC) who can be contacted using the following details:
Call: 1300 363 992
Email: [email protected]
Address: GPO Box 5218, Sydney NSW 2001
In relation to GDPR Data, you may lodge a complaint with any relevant supervisory authority.