Worx Safety Online Safety Management
DATA PROTECTION POLICY

LAST UPDATED: 24 May 2023

ANNEXURE A

Worx Inductions Pty Ltd t/a Worx Safety - ABN 14 629 751 382 (Worx) is committed to complying with the requirements of the Privacy Act 1988 (Cth), as amended from time to time (‘Act’). This Privacy Policy sets out how we will handle personal information that is regulated by the Act.

The core requirements of the Act are set out in the Australian Privacy Principles (APPs). The APPs set out how we are to collect, hold, use, and disclose personal information. The APPs also give individuals a right to know what information an organisation holds about him or her, and a right to correct it if it is wrong. You can see the full text of the APPs online at the Office of the Australian Information Commissioner’s website at: http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act

WHAT KIND OF PERSONAL INFORMATION DO WE COLLECT AND HOLD?

We only collect and hold the following information (Information), where appropriate and necessary to provide our services, by lawful and fair means:

1. Personal information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether or not recorded in a material form, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
2. Sensitive information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, health information, genetic or biometric information.

In general, the Information we collect includes but is not limited to:

1. Our Employees: We generally collects personal information such as the employee’s name, date of birth, address, phone numbers, e-mail address, Tax File Number and financial information (including bank details), work-related qualifications/licences and details of the next of kin.
2. Employees of Worx Safety Clients: We generally collect personal information such as the individual’s name, e-mail address, work-related qualifications/licences and details of the next of kin.
3. Client contacts: We collects contact information from or about clients or prospective clients, including individuals working for clients or prospective clients, and records details of interactions with clients and prospective clients. This could include:
   1. Contact information that allows us to communicate with the client, such as their name, username, mailing address, telephone numbers, email address or other addresses that allow us to send messages.
   2. Transaction information about how the client interacts with us, including purchases, inquiries, customer account information, and information about how the client uses our applications.

We will only collect Sensitive Information where it is necessary for business purposes, for example health information on our employees to determine their fitness for duty.

HOW DO WE COLLECT PERSONAL INFORMATION?

We collect Information directly from any person who engages with us during the ordinary course of our business or directly from the subject individual or their authorised representative(s). Information collected will differ depending on the purpose of collection.

Generally, we may collect Information of the kind described in the Privacy Policy from you in the following ways:

1. when you provide us with Information by telephone or email or during any other dealings you may have with our representatives;
2. when you access our website and use our web-based applications;
3. when you have consented for this collection (for example, via our privacy statement and/or when you complete and return a form); or
4. during any other communication between you and our representatives when you would reasonably expect us to collect your Information and it is necessary for us to collect this information for a specific purpose (such as investigation of a complaint).

By sending emails to us, you will be providing us with certain Information which may include your name and contact details. This information is collected by us for the purpose of dealing with your request. We may not be able to deal with your request without collecting this information from you.

In most cases, we will collect Information about an individual directly from our client that employs the individual. We do not normally deal directly with clients’ employees, we expect our clients to comply with their obligations under the Act and APPs in relation to the collection, use and disclosure of their employee’s Information to and by us. We expect our clients to have regard to the information in this Privacy Policy in making its own disclosures to its employees under the Act.

Where practicable, we will allow you to deal with us anonymously or under a pseudonym. This option will not be available where we are required or authorised by law to deal with individuals who have properly identified themselves, or if we need to verify your identity in order to provide products or services to you. Further, if you choose not to give us Information that we request from you, we may not be able to provide you with any goods or services you have asked us to supply.

HOW DO WE HOLD AND SECURE YOUR INFORMATION?

We provide an ongoing program of security awareness education designed to keep all members of our staff informed and vigilant of security risks. We will also provide training to our staff to help them understand their responsibilities when handling data.

Physical Security

Our information is securely stored and encrypted within the Amazon Web Services (AWS) data center located in the ap-southeast-2 region, specifically in Sydney NSW, Australia. We also utilize a global points-of-presence network to deliver fast and reliable experience to users anywhere in the world. Our data center provider complies with top certifications, including ISO27001, AICPA SOC 2 and 3, PCI DSS, HIPAA, and more.

In addition, physical access is limited to a control list and mantraps with a dedicated security operations centre with 24x7 on-site security guards, constant CCTV surveillance and all areas are intruder resistant.

Data Storage

We have established a secure data storage system to safeguard your information in accordance with the below:

1. The entire Worx Safety application is encrypted with SSL.
2. We use cookies for user authentication. We use session IDs to identify user connections. Those session IDs are contained in HTTPS-only cookies not available to JavaScript.
3. Worx Safety account passwords are one-way salted & hashed. Our own staff can’t even view them. If you lose your password, it can’t be retrieved — it must be reset.
4. The databases are further protected by access restrictions, and key information (including your password) is encrypted when stored. Data is either uploaded directly into the application using a web browser or uploaded via the API which uses secure transfer protocols.
5. All source code is industry best practices. We have separate environment and databases for different stages of application development. We do not use production data in our test and development environments.
6. Servers are high end IBM database servers utilising SSDs and highly tuned MySQL software.
7. Load balancers have been implemented, so as to not re-direct all traffic to one busy server.
8. Back-up & redundancy are important which is why we utilise several layers of backup. Our NAS performs nightly snapshots which are used to provide fast access to data and this data is then replicated to our DR site in Alexandria. Weekly backups are performed on site to a separate device to provide a final layer of redundancy.
9. With Network Attached Storage (NAS) there will be no delays when retrieving data from a local disk. There is also the added benefit that if a web server goes down, there is a greater level of redundancy, as all files are served on our NAS.
10. Web clusters are used within the network, for safe and reliable server operation in case of an over load, the server is automatically removed from the pool minimising any effect on customers, as websites are dynamically distributed to other servers.

Staff Guidelines

Information is of no value to us unless the business can make use of it. However, it is when Information is accessed and used that it can be at the greatest risk of loss, corruption or theft. Our staff are expected to adhere to the following guidelines:

1. When working with Information, staff should ensure the screens of their computers are always locked when left unattended.
2. Information should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
3. Information must be encrypted before being transferred electronically.
4. Staff should not save copies of Information to their own computers.
5. Always access and update the central copy of any data. It should be deleted and disposed of.
6. Staff should request help from their direct manager if they are unsure about any aspect of handling and securing Information.

WHY DO WE COLLECT, HOLD, USE AND DISCLOSE PERSONAL INFORMATION?

Purpose for collecting, holding and using Information

We collect Information that is reasonably necessary to conduct our business activities. Generally, the Information we collect and hold will be used to provide our services and to deal with your requests and enquiries in relation to those services.ies in relation to those services.

We will collect, hold, use and disclose your Information for the following purposes:

1. Providing workplace induction and worker pre-qualification services;
2. Billing and account management;
3. Internal business operations such as planning, product development, research, and reporting;
4. Fulfilling requests for services and for related activities, such as service delivery, customer service, account management, support and training and to provide other services related to the relationship with us; and
5. Providing marketing communications and offers for services.

We may also collect, hold, use and disclosure your Information for any other purpose you may reasonably expect, or for any other purposes disclosed to or authorised by you.

In the event we hold Information that is unsolicited and we were not permitted to collect it, the Information will be destroyed as soon as practicable.

Purpose of disclosing Information

We will endeavour to only use and disclose Information for the purpose in which it was collected, unless disclosure is reasonably necessary to take appropriate action with suspected unlawful activity or serious misconduct, to establish or exercise a defined legal or equitable claim. We may also disclose personal information when required or authorised to do so by law.

Where permitted or authorised by law, we may disclose your Information to:

1. our staff for the purposes of conducting our business activities and providing our services, fulfilling requests by you, or to provide products and services to you;
2. our suppliers and third parties with whom we have commercial relationships, for business related purposes;
3. our clients who use the Worx Safety applications for workplace inductions and verification of pre-qualification requirements;
4. any government agency (for example, the Fair Work Ombudsman, workplace health and safety regulators) as permitted, required or authorised by law;
5. other organisations for authorised purposes with your consent; and
6. debt collectors when payments are overdue (as applicable).

We may also use and disclose Information that is not personally identifiable. For example, we may publish reports that contain aggregated and statistical data about our clients. These reports do not contain any Information that would enable the recipient to contact, locate or identify an individual. These reports also do not contain any identifiable company information.

HOW CAN I ACCESS MY INFORMATION?

You are entitled to access your Information held in our possession. You will only be granted access to your Information where we are permitted or required by law to grant access. We are unable to provide you with access that is unlawful.

You can make a request for access by sending an email or letter addressed to our Privacy Officer at the contact details set out below. We will endeavour to respond to your request for Information within a reasonable time period or as soon as practicable in a manner as requested by you. We will normally respond within thirty (30) days.

With any request that is made we will may to authenticate your identity to ensure the correct person is requesting the information.

We will not charge you for making an access request, however if reasonable we may charge you with the costs associated with your access request.

HOW CAN I CORRECT OR UPDATE MY INFORMATION?

We believe it is important to make sure that the Information we hold about you is accurate and up to date. You are entitled to correct your Information held in our possession. We request that you contact us and tell us if any of your Information has changed (e.g. your contact details) or if you believe that the Information is inaccurate. After you advise us we can then update our records and ensure that the Information we hold is accurate and up to date.

We will endeavour to resolve any correction requests within thirty (30) days. If we require further time we will notify you in writing and seek your consent.

You may contact us and request access to the Information we hold about you, and advise us if that Information needs to be amended or corrected in any way. You may contact our Privacy Officer at the contact details set out below.

DOES WORX SAFETY DISCLOSE INFORMATION TO OVERSEAS RECIPIENTS?

We may choose to, if permitted by law, share and/or disclose your Information with recipients outside of Australia. We are required to notify you with a list of any countries which Information may be transmitted to, or disclosed where it is practical for us to do so.

At this point in time, we do not share and/or disclose Information to overseas recipients as we only operate in Australia and all technologies and data storage is located within Australia.

HOW DO I RAISE A CONCERN OR MAKE A COMPLAINT?

If you have any concerns, queries, disputes or complaints about our Privacy Policy or our handling of your Information, please contact our Privacy Officer at:

In the event that you wish to make a complaint about a failure of us to comply with our obligations in relation to the Act please raise this with our Privacy Officer on the contact details above. We will provide you with a receipt of acknowledgment within seven (7) days.

We will then endeavour to respond to your complaint and attempt to resolve the issues within thirty (30) days, unless otherwise specified. In dealing with your complaint we may need to consult a third party.

If we fail to deal with your complaint in a manner that you feel is appropriate or you are not satisfied with the process of making a complaint to our Privacy Officer you may make a complaint to the Information Commissioner using the following contact details:

The Information Commissioner can decline to investigate a complaint on a number of grounds including where the complaint was not made at first to us.

PRIVACY POLICY AMENDMENTS

We reserve the right to change this Privacy Policy at any time. All Information held by us will be governed by our most recent updated policy.

ANNEXURE B - PRIVACY COLLECTION NOTICE – THIRD PARTY EMPLOYEES

Worx Inductions Pty Ltd t/a Worx Safety - ABN 14 629 751 382 (Worx) is committed to complying with the requirements of the Privacy Act 1988 (Cth), as amended from time to time (‘Act’). This Privacy Policy sets out how we will handle personal information that is regulated by the Act.

This Privacy Collection Notice applies if your employer has elected to use our service or any of our applications to administer a construction site safety induction and to provide your work-related information to principal/head contractors to satisfy site requirements.

To the extent that this Privacy Collection Notice applies, we will collect personal information about you, including your name, address, e-mail address, work-related qualifications/licences and details of your next of kin.

We will collect, use and disclose this personal information about you for the following purposes:

1. to administer a construction site induction for your to complete; and
2. to provide your information to principal/head contractors to satisfy their site requirements:
   1. your qualifications, licenses and other competencies as provided;
   2. records of your construction site induction; and
   3. the details of your next of kin in the event of an emergency.

   We collect this information from either yourself or your employer. If you do not provide your personal information to us, we will not be able to administer the construction site induction or provide your information to satisfy the principal/head contractor’s site requirements.

   We will disclose your personal information, whether provided by yourself or your employer, to principal/head contractors to satisfy site requirements

   We will not disclose your personal information to anyone overseas.

   If you have any questions or concerns about this Privacy Collection Notice our or our handling of your Information, please contact our Privacy Officer at:

   Address:	The Privacy Officer Worx Safety Pty Ltd Suite 41/124-130 Auburn Street Wollongong NSW 2500
   Email:	[email protected]