Privacy Statement

Purpose

The purpose of this policy is to outline how the company will meet legal and regulatory requirements to ensure Privacy of Personal Information as required by the Privacy Act 2018 and equivalent acts in other jurisdictions we operate in, including:

  • New Zealand – Privacy Act 2020
  • European Union – General Data Protection Regulation 2016/679 (GDPR)
  • Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)
  • South Africa – Protection of Personal Information Act 2013
  • United Kingdom and Ireland – Data Protection Act 1998.

Scope

This policy covers all employees and third-party users.

Engagement Hub software is designed to enable licensees/ clients to meet their obligations under the Privacy Act 1988 and the Australian Privacy Principles outlined in Schedule 1. You will need to check the Privacy Policy of the licensee/ client to confirm what personal information they collect and how they manage it.

Engagement Hub has no access to information collected by our licensees/ clients, which is controlled and managed by the Licensee/ Client Administrator/s. In rare circumstances, Engagement Hub may be asked to troubleshoot, train, or undertake consultancy services that may provide us temporary access to the personal information collected by licensees/ clients. In these instances, we abide by the Licensee/ Client’s privacy statement as a third-party service provider.

Principle

Personal information is classified and treated as classification level Confidential, and all associated policies, controls and processes apply.

Privacy Protection Policy Statement

This policy confirms our commitment to protect the privacy of the personal information of our customers, clients, employees, and other interested parties in line with relevant legislation laid out in the Legal and Contractual Compliance Register, in particular the Privacy Act 1988 and the Australian Privacy Principles.

We have engaged in a programme of Information Security Management which is aligned to the international standard ISO27001 to ensure our Information Security Management System protects personal information using best practice policies and processes.

Definitions

Personal information

Personal information is defined in the Privacy Act as “Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
1. whether the information or opinion is true or not; and
2. whether the information or opinion is recorded in a material form or not.”

Sensitive Information

‘Sensitive information’ is a subset of personal information and is defined as: information or an opinion (that is also personal information) about an individual’s:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual orientation or practices
  • criminal record, or
  • health information about an individual
  • genetic information (that is not otherwise health information)
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification.

Consent

The four key elements of consent, as defined by the Office of the Australian Information Commissioner, are:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent.

What Personal Information is Collected?

Clients

Engagement Hub may collect the following personal information on Clients, including (but not limited to):

  • Your name and job title
  • Contact details including email address and phone number
  • The organisation you work for
  • Details of the services you request and we provide, Engagement Hub’s responses to you, and your training and support requirements
  • Any feedback you provide to Engagement Hub
  • Any other personal information requested by Engagement Hub and/or provided to Engagement Hub by you or by a third party.

Employees

Engagement Hub may collect the following information on employees:

  • the employee’s personal and emergency contact details
  • information about terms and conditions of employment
  • wage or salary details
  • leave balances
  • records of work hours
  • records of engagement, resignation or termination of employment
  • information about training, performance and conduct
  • taxation, banking or superannuation details
  • union, professional or trade association membership information
  • other details that may be necessary for employment, e.g. resumes.

Suppliers

Engagement Hub may collect the following information on third-party business suppliers:

  • Names and titles of relevant employees
  • Contact details including business addresses and email addresses
  • Business details including ABN or equivalent
  • Insurance details
  • Banking or other payment details
  • Contracts and details of the services, skills and expertise offered.

End-Users of our Services (client’s stakeholders)

Engagement Hub software is designed specifically to enable a Licensee/ Client to engage stakeholders/ communities to inform them and collect feedback on matters specific to their organisation. The software comprises a website builder with built-in data collection tools, a stakeholder relationship management database and an electronic direct mail tool, which together allow the Licensee/ Client to consult and gather feedback from their stakeholders.

Visitors to Licensee/ Client engagement sites can use this software without any personal information being collected. Collection of personal information only occurs when visitors elect to participate in a consultation by providing feedback/ submissions, or by requesting notifications about updates and areas of interest. The type and amount of personal information collected will vary between Licensees/ Clients. For an end-user to register an account, the following information is required:

  • First name
  • Verified email address
  • Screenname/pseudonym
  • Password.

Clients may elect to obtain additional relevant information on their end-users for the purposes of communications and analytics. This is at the discretion of the client and may include information such as:

  • Surname
  • Profile picture
  • Phone number
  • Physical address, postcode, or other locational attributes
  • Demographic information such as age, gender, etc.
  • Information about your preferences
  • Your IP addresses
  • Your recorded thoughts, ideas, opinions, etc. as expressed by you. This may include sensitive information if you are asked to provide opinions in areas considered sensitive (see Sensitive Information under Definitions).

Collection of personal information only occurs if you elect to participate by providing feedback. It may be collected in a range of ways including through a registration process or through various activities and interactions on the site such as using a Submissions/ Contact Us form, completing an Online Survey or Quick Poll.

  • If you choose to participate in an online discussion, you will be asked to register, where, at a minimum, you will be asked for a verified email address, your first name, screen name and password.
  • Registration is also the mechanism by which you can opt in to receive Electronic Direct Mail.
  • Registration also enables you to follow a project and/or register interest in particular topic areas resulting in automated email communication based on these interests.
  • Once registered, you have access to your own dashboard where you can:
    • Edit your contact details
    • Amend your preferences
    • Access online feedback submitted by you
    • Unsubscribe from Electronic Direct Mail
    • Delete your account
  • When completing an online submission/ contact us form your first name and email address are required.

The Licensee/ Client has the option to select from different data collection instruments, which provide different levels of anonymity, ranging from anonymity to the public through to anonymity to the Administrators of the site.

  • You will need to check the Privacy Policy of the Licensee/ Client to confirm what personal information is being collected and how they get your consent.
  • Engagement Hub itself does not have access to this information, which is under the control of the Licensee/ Client, unless we are invited to temporarily access this information to provide advice, troubleshooting, training or other additional services.

How your Personal Information is used

Clients

Engagement Hub may use information it collects (personal or otherwise) in order to:

  • provide our Services
  • allow you to access our Software
  • send you updates and information where you have consented or would reasonably expect to receive them
  • respond to your enquiries
  • request your feedback
  • maintain our licensed Software
  • keep internal records and carry out administrative, invoicing and billing tasks
  • detect and rectify fraud or other behaviour that violates any terms of use
  • comply with our contractual or legal obligations and resolve any disputes that we may have
  • conduct de-identified research, analytics and business development
  • improve our Services, Software and our website
  • do anything otherwise required or authorised by law

Employees

Engagement Hub may use the personal information of employees to:

  • Pay entitlements
  • Meet regulatory and standard requirements
  • Contact in cases of emergency
  • If otherwise required or authorized by law.

Suppliers

Engagement Hub may use the personal information of suppliers to:

  • Pay contracts
  • Meet regulatory and standard requirements
  • Contact in cases of emergency
  • If otherwise required or authorized by law.

End-Users of our Services (client’s stakeholders)

You will need to check the Privacy Policy of the Licensee/ Client to confirm how they use the personal information collected.

Automated features within Engagement Hub software that may use your personal information include:

  • Automated email notifications confirming actions completed (e.g. registration, submissions received, comments published).
  • Electronic Direct Mail/ Newsletters, sent only if permission has been given to receive them. You may access and change your preferences by logging into your profile to change your settings at any time.
  • Email notification of updates you have requested. You may access and change your preferences by logging into your profile to change your settings at any time.

Engagement Hub will only ever have access to the personal data collected by Licensees/ Clients when responding to a service request from the Licensee/ Client to:

  • Respond to an enquiry about how to best use the software
  • Assist in analysing the usage and data collected.

Cookie collection and use

As is common practice with almost all professional websites, this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience. This section describes what information they gather, how we use it and why we sometimes need to store these cookies. We will also explain how you can prevent these cookies from being stored; however, this may downgrade or break certain elements of the site’s functionality.

How we use Cookies

We use cookies for a variety of reasons detailed below. Unfortunately, in most cases there are no industry-standard options for disabling cookies without completely disabling the functionality and features they add to the site. It is recommended that you leave all cookies on if you are not sure whether you need them, in case they are used to provide a service that you use.

Disabling Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this site. Therefore it is recommended that you do not disable cookies.

Third Party Cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third-party cookies you might encounter through this site.

The site uses Google Analytics, which is one of the most widespread and trusted analytics solutions on the web, to help us understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit, so we can continue to produce engaging content.

We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work, the following social media sites, including X (previously Twitter) and Facebook, will set cookies through our site, which may be used to enhance your profile on their site or contribute to the data they hold for the various purposes outlined in their respective privacy policies.

How do we protect your Information?

Engagement Hub takes the privacy of your information very seriously and we use industry-standard practices to keep your personal information safe and secure. Our policies and procedures follow the Privacy Principles set out in Annex A of the Australian Privacy Act 1988.

Personal Information Classification and Handling

Personal data classification and handling is in line with the Information Classification and Handling Policy.

Personal Information Retention

Client, employee and supplier personal data is retained and destroyed in line with the Information Classification and Handling Policy, Asset Management Policy, and the Data Retention Schedule.

Client end-user data is managed by the client administrators.

How does an end-user access, change or delete their personal information?

Registered end-users can access and amend their personal information by logging into their dashboard.

If an end-user deletes their account, their feedback is retained but no longer identifiable.

If an end-user requires assistance to have their data and/or feedback permanently deleted, in the first instance they should contact the client directly to request deletion.

Alternatively, assistance can be provided by the Engagement Hub team at support@mybusinessapp.com.au.

Personal Information Transfer / Transmit

Client, employee and supplier personal data is transferred in line with the Information Transfer Policy, and employees ensure the appropriate level of security in line with the policy and company processes.

Data, including personal information, on client Engagement Hub sites is encrypted in transit, at rest, and on all backups using:

  • AES-256
  • SHA-2 (SHA-256)

Access to Engagement Hub software is only available through secure HTTPS. Data in transit is encrypted over HTTPS. For the secure communication protocol we use TLS at the most recent patch level (TLS 1.3 at the transport layer).

All data storage is redundant, with redundant databases residing in a private subnet.

Will my personal information be transferred overseas?

Engagement Hub does not transfer any personal information overseas.

Personal Information Storage

Personal Information storage is in line with the Information Classification and Handling Policy, Physical and Environmental Security Policy, Cloud Security Policy, Cryptographic Control and Encryption Policy, Backup Policy, and the Data Retention Schedule.

Engagement Hub software is hosted in a secure data centre located in Sydney, Australia. Physical, technical and administrative systems and processes are in place to safeguard your data and personal information.

Engagement Hub software’s systems (including but not limited to computing, operating and network infrastructure) are monitored twenty-four (24) hours per day, every day of the year, to detect any issues. This monitoring includes, but is not limited to, environmental monitoring, network monitoring, load balancing monitoring, web server and database monitoring, firewall services and intrusion detection.

Breach

In the event of a breach of the principles of the Privacy Act 2018, employees inform their line manager and/or a member of the Management Review Team and/or Senior Management, and invoke the Incident Management Process.

Breaches are assessed and, where appropriate and required, the Data Subjects and/or the Information Commissioner’s Office are informed without undue delay.

Unsolicited Communication - SPAM Act

My Business App Pty Ltd does not have access to clients’ end-user personal information, which is collected by Licensees/ Clients on their Engagement Hub site/s. Clients can only send bulk electronic communication to their end-user/s if the user has consented to receive electronic direct mail via the registration process. End-users can access and change their preferences at any time.

Terms of Use

Please also visit the Terms of Use, which establish the use, disclaimers and limitations of liability governing use of this website.

We reserve the right to modify this policy from time to time, at our sole discretion. If we make a material change to the Privacy Policy we will notify you, and the modified policy shall be effective once we notify you of the change. If we do not make any material amendments, then we will post the modified policy on our website and it will be effective once posted. We recommend that you regularly check our website to make sure you are aware of our most up-to-date policy.

Further Assistance

If you have concerns or questions about our privacy practices, please contact My Business App Pty Ltd at support@mybusinessapp.com.au or send a letter to My Business App Pty Ltd at 45 Evans Street, Balmain, NSW, 2041 Australia.

Appendix 3 – GDPR

Under the GDPR, individuals located in the EU have extra rights which apply to their personal information.

If operating in the European Union, please request our Data Protection and Data Retention policies, which outline specific policies related to EU operations.

Policy Compliance

Compliance Measurement

The information security management team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved and recorded by the Information Security Manager in advance and reported to the Management Review Team.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement

The policy is updated and reviewed as part of the continual improvement process.

Areas of the ISO27001 Standard Addressed

Privacy Policy Relevant ISO27001 Controls Mapping

ISO27001:2022

  • Clause 5 Leadership
  • Clause 5.1 Leadership and commitment
  • Clause 5.2 Policy
  • Clause 6.2 Information security objectives and planning to achieve them
  • Clause 7.3 Awareness

ISO27002:2022

  • Clause 5 Organisational Controls
  • Clause 5.1 Policies for information security
  • Clause 5.36 Compliance with policies, rules, and standards for information security
  • Clause 5.4 Management Responsibilities
  • Clause 6 People Controls
  • Clause 6.3 Information security awareness, education, and training
  • Clause 6.4 Disciplinary process
  • Clause 7 Physical Controls
  • Clause 7.7 Clear desk and clear screen
  • Clause 7.9 Security of assets off-premises
  • Clause 8 Technological Controls
  • Clause 8.1 User endpoint devices

ISO27001:2013/2017

  • Clause 5 Leadership
  • Clause 5.1 Leadership and commitment
  • Clause 5.2 Policy
  • Clause 6.2 Information security objectives and planning to achieve them
  • Clause 7.3 Awareness

ISO27002:2013/2017

  • Clause 5 Information security policies
  • Clause 5.1 Management direction for information security
  • Clause 5.1.1 Policies for information security
  • Clause 5.1.2 Review of the policies for information security
  • Clause 7 Human resource security
  • Clause 7.2.1 Management Responsibilities
  • Clause 7.2.2 Information security awareness, education, and training
  • Clause 7.2.3 Disciplinary process
  • Clause 11 Physical and environmental security
  • Clause 11.2 Equipment
  • Clause 11.2.6 Security of equipment and assets off-premises
  • Clause 11.2.8 Unattended user equipment
  • Clause 11.2.9 Clear Desk and Clear Screen Policy