Under s 33E of the Privacy Act 1988 (Cth)
This undertaking is offered to the Australian Information Commissioner by:
Precedent Communications Australia Pty Ltd
(ACN 139 121 814)
Suite 601, Level 6, 102 James Street, Northbridge WA 6003
Precedent Communications Australia Pty Ltd (Precedent) offers this enforceable undertaking under s 33E of the Privacy Act 1988 (Cth) (Privacy Act) to address the concerns identified by the Australian Information Commissioner (Commissioner) in the investigation commenced by the Office of the Australian Information Commissioner (OAIC) on 27 October 2016.
Security of personal information
1 Precedent undertakes to, by 30 January 2018, implement the security enhancements outlined in the confidential schedule.
Privacy management policies, statement and procedures
2 Precedent undertakes to, by 31 October 2017:
- Establish a data breach response plan
- Publish online a privacy statement that satisfies the requirements of APP 1.3
3 Precedent undertakes to, by 30 January 2018, update the following policies:
- Privacy and data protection policy
- Information security policy
- Risk management policy, to address information security relating to the handling of personal information and procedural requirements for Precedent employees regarding privacy obligations
4 Precedent undertakes to, by 30 January 2018, ensure that privacy training has been delivered to all its staff members.
5 Precedent undertakes to establish processes and procedures that require all Precedent staff to complete refresher privacy training at least annually.
6 Precedent undertakes to create and maintain appropriate records of the privacy training all Precedent staff have completed and are required to complete.
7 Precedent will confirm in writing to the Commissioner that it has implemented each undertaking referred to in paragraphs 1 to 6 of this undertaking by 28 February 2018. Precedent will provide sufficient details and supporting documentary and electronic evidence to establish that it has complied with the undertaking, including:
- a copy of the report of the external security review referred to in the confidential schedule
- a copy of its data breach response plan, referred to in paragraph 2
- a copy of its updated privacy statement, referred to in paragraph 2
- a copy of its updated information security policy, referred to in paragraph 3
- a copy of its updated risk management policy, referred to in paragraph 3
8 Precedent will provide all documents and information requested by the Commissioner from time to time for the purpose of assessing Precedent’s compliance with the terms of this enforceable undertaking.
9 Precedent will pay the costs of its compliance with this enforceable undertaking.
10 Precedent nominates Rob van Selm, Managing Director, Australia, as the person responsible for overseeing compliance with the requirements of this undertaking and reporting to the OAIC. Precedent has provided the OAIC with this person’s contact details.
11 Precedent acknowledges that the Commissioner:
- may issue a media release, media interview or social media posts on execution of this undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking
- may from time to time publicly refer to this undertaking, including any breach of this undertaking by the Precedent
- will publish this undertaking as well as a summary of the undertaking, on the OAIC website, excluding any confidential schedules
12 Precedent acknowledges that:
- the Commissioner’s acceptance of this undertaking does not affect the OAIC’s powers to investigate, or pursue other enforcement options available to the Commissioner in relation to any contraventions not the subject of the related report of investigation, or arising from future conduct
- this undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct
- if the Commissioner considers that Precedent has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 33F(2) of the Privacy Act
Confidentiality of information provided to OAIC
13 The Commissioner acknowledges that information provided by Precedent in accordance with this undertaking is likely to contain sensitive commercial information. The Commissioner acknowledges that this information is provided by Precedent in confidence.
14 The Commissioner and the OAIC:
- will only publish or otherwise disclose information provided in accordance with this undertaking with Precedent’s written agreement
- will only use this information for the Commissioner’s privacy regulatory activities
Rob van Selm, Managing Director Australia
Precedent Communications Australia Pty Ltd
Date: 27 July 2017
Accepted by Timothy Pilgrim, Australian Information and Privacy Commissioner, under s 33E of the Privacy Act:
Date: 28 July 2017