In its everyday business operations BusinessCraft makes use of a variety of data about identifiable individuals, including data about:
Current, past and prospective employees
Customers and customer contacts
Web Site users
In collecting and using this data, BusinessCraft is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
The purpose of this policy is to set out the relevant legislation and to describe the steps BusinessCraft is taking to ensure compliance.
This control applies to all systems, people and processes that constitute BusinessCraft’s information systems and products, including directors, team members, suppliers and other third parties who have access to BusinessCraft systems.
Australian Privacy Act 1988
The Australian Privacy Act 1988 affects the way that BusinessCraft carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred, which is designed to protect the personal data of Australian citizens. It is BusinessCraft’s policy to ensure that our compliance with the Privacy Act 1988 and other relevant legislation is clear and demonstrable at all times.
There are 13 Australian Privacy Principles (APPs) contained within Schedule 1 of the Privacy Act 1988 and it is not appropriate to reproduce them all here. However, the principles are as follows:
BusinessCraft must ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new systems and products. BusinessCraft’s operation of an information security management system (ISMS) that conforms to the ISO/IEC 27001 international standard is a key part of that commitment.
Further, BusinessCraft will comply with international requirements where products or services provided are governed by license agreements such as the Apple Developer Program License Agreement.
Privacy by Design
BusinessCraft has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments.
The privacy impact assessment will include:
Consideration of how personal data will be processed and for what purposes
Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
Assessment of the risks to individuals in processing the personal data
What controls are necessary to address the identified risks and demonstrate compliance with legislation
Transfer of Personal Data
Transfers of personal data outside of Australia must be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by both the Privacy Act 1988 and legislation in the destination of the data transfer.
Data Protection Officer
A defined role of Data Protection Officer (DPO) is not required under current Australia legislation, however BusinessCraft will ensure that the functions of a Data Protection Officer are delegated to one or more BusinessCraft Team Members.
It is BusinessCraft’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.
Our Obligations as a Cloud Service Provider
In addition to holding personal data on our own account, BusinessCraft by necessity may need to store and process the personal data of our cloud customers through 3rd party cloud providers.
In doing so, there are a number of additional obligations that we must fulfil. Our policy in this area is informed by ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors which, as well as recommending specific enhancements to ISO/IEC 27001 controls, also provides the following policy guidance:
We will provide our customers with the facilities to meet their obligations under law in activities such as accessing, amending and erasing individuals’ PII
We will only use the cloud customer’s PII for their purposes, not our own
The customer will be informed if we are required by law to disclose any of their data, unless we are prohibited from doing so
Details of disclosures will be recorded
We will tell our customers if we use sub-contractors to process their PII
We will tell our customers if their PII is subject to unauthorized access
It will be clear in which country or countries the customer’s PII is stored
We will ensure that 3rd party cloud providers we use have certification under ISO 27001 including the
additional recommendations stated in ISO/IEC 27018.
Apple Developer Program License Agreement
In relation to the Apple Developer Program License Agreement, the only data that BusinessCraft collects in relation to applications provided by BusinessCraft on the Application Store are login data. All other communication and data recorded is carried out between the Applications downloaded and installed by the Customer on mobile devices chosen by the customer and the Customer’s Servers configured and administered by the customer or their authorised administrators.
15th May 2019