Concept Tech Privacy Policy 

Purpose

This policy defines Concept Tech's commitment to protecting personal information in compliance with the Australian Privacy Principles (APPs) under the Privacy Act 1988. It outlines how Concept Tech collects, uses, stores, and discloses personal information while maintaining transparency and accountability to safeguard customer and employee privacy.

Scope

This policy governs the handling of personal information collected through Concept Tech's services, website, applications, customer interactions, and business operations. It applies to:

  • All personal information collected by Concept Tech, including customer and employee data. 

  • All covered individuals, including employees, contractors, and service providers handling personal information. 

  • All data processing systems storing or handling information collected by Concept Tech.

Definitions

  • Personal Information: Information that identifies or can reasonably identify an individual, such as names, contact details, payment information, and account history. 

  • Sensitive Information: Information about an individual’s racial or ethnic origin, political opinions, religious beliefs, health data, or other classified details as per the Privacy Act 1988. 

  • Covered Individuals: Employees, contractors, consultants, and service providers engaged with Concept Tech. 

  • Australian Privacy Principles (APPs): A set of 13 principles governing the management of personal information by organisations covered under the Privacy Act 1988.

  • Data Breach: Any unauthorised access, loss, misuse, or disclosure of personal information.

  • De-identification: The process of removing personal identifiers from data so that it can no longer be linked to an individual; it underpins anonymity and pseudonymity.

Collection of Personal Information

Concept Tech will only collect personal information when it is reasonably necessary for business operations. Information may be collected through: 

  • Customer account registration and transactions.

  • Website and application interactions.

  • Customer support inquiries and feedback forms.

  • Marketing subscriptions and surveys.

Sensitive Information will only be collected with explicit consent, unless required by law. 

Use and Disclosure of Personal Information

Concept Tech will use personal information only for the primary purpose for which it was collected. This includes: 

  • Managing customer accounts and providing services.

  • Processing payments and fraud prevention.

  • Complying with legal obligations.

  • Marketing (only with consent and opt-out options).

Personal information will not be disclosed to third parties without consent, except: 

  • When required by law or law enforcement agencies.

  • When necessary for service provision (e.g., payment processors, IT infrastructure providers). 

  • For data analytics and business improvements (only using anonymised or de-identified data).

Cross-Border Data Transfers

Concept Tech takes reasonable steps to ensure personal information is not transferred overseas unless:

  • The recipient complies with the Australian Privacy Principles (APPs).

  • The transfer is necessary for service provision.

  • The individual has provided explicit consent.

Security of Personal Information

Concept Tech implements reasonable security safeguards to protect personal information from misuse, loss, and unauthorised access, including:

  • Encryption of stored and transmitted data.

  • Access controls limiting internal data handling to authorised personnel.

  • Regular security audits and breach response procedures.

Personal information will be de-identified or destroyed when no longer required for business or legal purposes. 

Access to and Correction of Personal Information

Individuals have the right to request: 

  • Access to their personal information held by Concept Tech.

  • Correction of inaccurate, outdated, or incomplete data.

Requests must be made in writing to contact@concept-tech.com.au. Concept Tech will respond within 30 days, subject to legal exceptions. 

Direct Marketing and Opt-Out

Concept Tech may use personal information for marketing purposes only when individuals have: 

  • Provided consent.

  • A reasonable expectation of receiving communications.

All marketing communications will include a clear, simple opt-out option. Individuals can withdraw consent at any time via their account settings or by contacting contact@concept-tech.com.au.

Privacy by Design

Concept Tech requires privacy considerations to be incorporated into the development of all new products and services.

Breach Reporting and Resolution

If a data breach occurs, Concept Tech will: 

  • Assess the breach and determine the risk to individuals. 

  • Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if serious harm is likely. 

  • Take corrective action to prevent future breaches. 

Suspected breaches can be reported to contact@concept-tech.com.au.

Procedures

1. Data Collection and Consent Procedure

  • Personal information must be collected directly from the individual, except where impracticable. 

  • Privacy notices must be displayed clearly at the time of collection, outlining:

      • The purpose of data collection.

      • Whether disclosure to third parties occurs.

      • The individual's rights regarding their data.

  • Sensitive information requires explicit consent, obtained through signed agreements or digital acceptance. 

2. Data Use, Storage, and Security Procedure

  • Personal data will be used only for its collected purpose unless an exception under the APPs applies. 

  • Data must be stored securely using encryption, firewalls, and access controls. 

  • Systems must enforce role-based access, ensuring only authorised personnel can access sensitive data.

  • All personal data stored physically must be kept in locked, access-controlled locations. 

3. Third-Party Data Sharing Procedure

  • Agreements and details on data access and processing by third parties must be in place before sharing customer information. 

  • Data shared overseas must meet equivalent APP protections. 

  • Periodic audits will verify third-party compliance with security measures. 

4. Access and Correction Procedure

  • Individuals can request access to their personal information by submitting a written request. 

  • Concept Tech must respond within 30 calendar days, granting access unless legally exempt. 

  • If an individual requests a correction, Concept Tech must:

      • Verify the requestor's identity.

      • Assess whether the correction is reasonable.

      • Update the records or provide a written refusal with reasoning.

5. Data Retention and Disposal Procedure

  • Personal data will be retained only as long as necessary for business and legal requirements. 

  • Personal data no longer required must be:

      • Permanently deleted from databases using verifiable deletion methods.

      • Physically destroyed if in paper format.

      • De-identified where ongoing storage is necessary.

6. Data Breach Response Procedure

If a data breach occurs, the following steps must be taken: 

  • Step 1: Identify and Contain

      • The IT Security Team will assess and contain the breach.

      • Affected systems will be isolated to prevent further exposure.

  • Step 2: Assess the Impact

      • Determine the nature and extent of the compromised information.

      • Identify affected individuals and assess potential risks.

  • Step 3: Notify Affected Individuals and Authorities

      • If serious harm is likely, notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

      • Inform affected customers promptly, detailing the breach, the risks, and protective actions.

  • Step 4: Implement Remediation Measures

      • Enhance security protocols.

      • Conduct a post-breach investigation and implement lessons learned, reviewed by the Directors.

      • Review and update privacy and security policies.

7. Privacy by Design Procedure

Concept Tech integrates privacy into product and service development through: 

  • Proactive Planning: Incorporate privacy measures during initial planning. 

  • Privacy Impact Assessments: Conduct before implementing new technologies to identify risks, assess compliance, and recommend mitigation strategies. 

  • Data Minimisation: Design systems to collect only necessary data, limit retention, and restrict access based on need.

  • Design Review: IT Security and Privacy Officer approve designs, ensuring built-in privacy controls, protective default settings, and user-friendly privacy controls. 

  • Technical Implementation: Implement encryption, automated retention/purging, and access logging for all systems handling personal information. 

  • Lifecycle Management: Document and maintain privacy controls throughout the entire data lifecycle.

Roles and Responsibilities

Company Directors:

  • Policy custodian responsible for oversight, enforcement, and compliance. 

  • Approves privacy impact assessments for new data collection methods. 

  • Ensures compliance with privacy laws and conducts annual privacy audits. 

  • Responds to customer requests for data access and corrections. 

  • Ensures privacy by design principles are included in project management frameworks.

Infrastructure and Security Responsible Person:

  • Implements, maintains and verifies security controls to protect personal information. 

  • Provides privacy-enhancing technology recommendations.

  • Investigates data breaches and applies incident response measures. 

Marketing and Customer Service Responsible Person:

  • Ensure privacy notices are clearly communicated during customer interactions. 

  • Obtain consent before using customer data for marketing. 

Team Coordinator:

  • Ensure that all forms and other tools used to collect personal information comply with this policy and are relevant to the business activity.

  • Ensure staff are trained and audited in the collection and processing of personal information.

  • Ensure confidentiality is preserved.

All Employees and Contractors:

  • Must comply with privacy protocols, complete privacy training, and report data breaches. 

Training and Compliance Audits

  • Mandatory privacy awareness training for all employees and contractors. 

  • Audits to ensure compliance with this policy and the APPs. 

  • Policy updates will be communicated to all staff and reflected through internal communication channels. 

Compliance and Disciplinary Measures

  • Non-compliance with this policy may result in:

      • Warnings, retraining, or restricted system access.

      • Termination of employment or contracts for repeated violations.

      • Legal action if unauthorised disclosure of personal information occurs.

  • Individuals may appeal disciplinary actions.

Policy Review and Audits

  • Privacy Audits will assess compliance with this policy.

  • This policy will be reviewed at least during each privacy audit, and additionally following a compliance breach or when legislative changes require it.

  • Policy updates will be communicated in writing to all employees. 

  • Training will be provided on significant policy changes. 

References and Related Documents

  • Privacy Act 1988 

  • Australian Privacy Principles (APPs) 

  • OAIC Notifiable Data Breach Scheme