- Introduction
The Information Systems Audit and Control Association Sydney Chapter (ISACA Sydney, we, us, our) is an affiliate of the Information Systems Audit and Control Association, Inc., (ISACA USA) a California not-for-profit corporation.
ISACA USA is a global provider of knowledge, certification, communication, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of information technology (IT), and IT-related risks and compliance.
ISACA Sydney is one of many independent chapters of ISACA USA, internationally located and engaged in the promotion of education of its members for the improvement and development of their capabilities relating to the auditing of, management consulting in, or direct management of the fields of IT governance, IS audit, security, control and assurance.
While ISACA USA develops and maintains frameworks, provides certifications and hosts international conferences, the chapters around the world, including ISACA Sydney, provide advocacy, monthly professional development sessions, training on frameworks, boot camp review sessions for certification exams, and networking opportunities at various local events (Member Services).
Under the terms of a Chapter Affiliation Agreement between ISACA USA and ISACA Sydney (Affiliation Agreement), ISACA Sydney receives, has access to, or otherwise acquires Personal Information (PI) from or on behalf of ISACA Sydney its members, or others in order to achieve its objectives as an ISACA Chapter.
- Applicability
ISACA Sydney is an applicable entity under the Australian Privacy Act (Cth) 1988 (Privacy Act) and the Notifiable Data Breaches scheme under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Scheme). In certain circumstances, ISACA must also comply with privacy-related laws in other countries.
Under the terms of the Affiliation Agreement ISACA Sydney acquires rights and obligations, it also inherits ISACA policy and procedure which include how privacy and PI are handled by ISACA in the United States and elsewhere. This inheritance includes the fact that the PI of ISACA Sydney members will flow between Australia and the United States, and that the law of Cook County, Illinois, United States applies.
The result of the Affiliation Agreement is that the ISACA Privacy Policy is a related document to this ISACA Sydney Privacy Policy and Collection Statement (Policy), as are the ISACA Cookie Policy and other legal notices published on the ISACA USA website. In the event of a conflict, the ISACA USA policies may prevail.
- ISACA Sydney Personal Information
ISACA Sydney will only store or process PI for Chapter-related purposes in accordance with applicable law, the Affiliation Agreement and this Policy.
In almost all cases where PI is collected and processed, it is collected and processed by ISACA USA and ISACA USA allows ISACA Sydney to access PI in the USA in order to provide the Member Services. The result of this arrangement is that minimal PI is collected and processed by ISACA Sydney.
- Purpose and Audience
The purpose of this Policy is to provide information to interested persons on how ISACA Sydney holds, collects, records, organises, structures, stores, adapts, alters, retrieves, consults, uses, discloses, transmits, disseminates or makes available, aligns, combines, restricts, erases, destroys and profiles (Processes) PI. It is also to inform affected individuals (you, your) about how ISACA Sydney handles your PI and inform you of your rights and choices in relation to the Processing of your PI.
- Terminology: Privacy, Personal Information, Personal Data, Employee Records, Credit-Related Personal Information and Tax File Number Personal Information
This Policy concerns information or an opinion about an identified individual or an individual that is reasonably capable of being identified, either as the result of a single identifier or a collection of inferential identifiers.
For the purposes of this Policy, PI, privacy, personal information, personal data, employee record, credit-related personal information, and tax file number personal information, (PI) all have the same meaning and outcome: The PI either identifies, or it has the potential to identify an individual.
We make no distinction between different kinds PI records. Neither do we discriminate between different formats of PI (electronic, paper), nor upon whether the information or opinions are true or not. All PI that we hold, use and disclose is treated with respect, security and high standards.
- Sensitive Personal Information
ISACA Sydney limits the Processing of PI to the minimum required to fulfil Member Services. We do not Process sensitive PI (such as genetic and biometric information, physical and mental health, racial, political, religious or philosophical beliefs, sexual orientation, criminal records and professional or trade association information). We do not collect biometric forms of PI (such fingerprints).
- Scope
This scope of this Policy extends to all PI that we process while fulfilling ISACA Sydney’s purpose, in complying with law and managing risk.
This Policy extends to:
- Internal operational activities: Activities that include those under the Affiliate Agreement, member relationships, internal operations (management) and external operations (third parties such as business relationships and service providers); and
- External activities: Such as our online presence at Sydney Chapter website and PI that is collected through our website and the use of email for general communications, marketing and Member Services.
This Policy does not extend to third party websites or to social media accessed via links on our website or email communications. Use of third party links and social media will be governed by the privacy policies and terms of use of the relevant service providers.
- About this Privacy Policy
This Policy is intended to be easy to understand. If something is not clear, please contact us so that we can provide assistance. Our contact details are provided in section 17 below. We will also provide contact details every time that we contact you, to make it easy for you to contact us to ask questions or to enforce your rights.
This Policy outlines the current PI handling practices of ISACA Sydney. We will update this Policy when our information handling practices change, and we will publish updates on our website and through our email distribution lists.
We will provide a copy of this Policy in paper format on request and not charge a fee. If, however, a request is made for a copy in some special format (foreign language or linked to disabilities such as sight or hearing impairment), special arrangements may need to be made and a charge may apply.
- Consent
In all cases where consent is required for us to Process your PI, whether it be express consent (verbal, in writing, click-wrap tick box), or implied consent (browse-wrap without a tick-box and other behaviour which indicates consent through continued use), you must give it freely, to a specific kind of Processing and you must be informed about the Processing based upon adequate information and the choices available to you. Naturally, you must have the capacity to understand the circumstances for which consent is required and be able to give and communicate consent (for example be 16 years or older).
Individuals who are not sure about consent or who think we fall short of the consent requirements are encouraged to contact us. Section 17 below.
Individuals who are entitled to additional rights, including in relation to consent under European Union Regulations are referred to section 14. On request we will make special arrangements to accommodate you in the exercise of your rights.
- Privacy Principles Governing the Handling of Personal Information
ISACA Sydney is committed to making every reasonable effort to manage PI in an open and transparent way.
10.1 Open and Transparent Management of Personal Information
To support this commitment, we have implemented practices, procedures and systems to align our handling of PI with principles that have been derived from our Affiliate Agreement with ISACA USA, Australian privacy law, relevant international law, international standards and best practice.
These practices, procedures and systems are intended to regulate our internal and external Member Services and business activities through the use of administrative, technical and physical controls.
This Policy and other legal notices which we may publish on our website from time to time set out how we provide for the open and transparent management of PI, so that individuals can make informed choices about Member Services and communications with us.
10.2 Anonymity and Pseudonymity
Under some circumstances, individuals have the right to remain anonymous (you cannot be identified, and we do not collect your PI), or can use a pseudonym (you can use a name, term or description that is different from your own) when dealing with us.
Circumstances where we give individuals the option to remain anonymous or to use a pseudonym include, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified.
Circumstances where we will need to know the identity of the person that we are dealing with relate to the provision of the Member Services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction of a PI record, and where cost becomes excessive or impractical without us knowing the identity of the individual we are dealing with.
10.3 Collection of Solicited Personal Information
We are committed to collecting PI by lawful and fair means.
Under the terms of the Affiliation Agreement ISACA Sydney has access to PI provided by ISACA Sydney members to ISACA USA when they register online to become members of ISACA. ISACA Sydney collects and Processes PI in collaboration with ISACA USA in order to provide the Member Services but does not itself collect member PI.
ISACA Sydney does not employ staff or engage independent contractors. The Board of Directors of ISACA Sydney are volunteers and Member Services are provided on a volunteer basis.
Aside from email communications and its website presence, which includes forms for event registrations, ISACA Sydney collects and holds little or no PI. ISACA Sydney does not collect employee, credit or tax file information.
10.4 Dealing with Unsolicited Personal information
ISACA Sydney does not seek, collect or retain unsolicited PI.
10.5 Notification of the Collection of Personal Information
We are committed to making all reasonable efforts to inform individuals about the PI we collect. For example, by making this Policy and other legal notices publicly available (website and email communications). We will inform individuals about the collection of PI at the time we collect PI, for example when an individual register for a conference or chapter event on our website.
Through this Policy and other legal notices published on our website or provided by email communications, we seek to ensure that individuals are informed about the reasons for the collection of PI, and that they know how to contact the accountable office bearers at ISACA. (Section 18 below).
10.6 Use or Disclosure (Processing) of Personal Information
Where we hold PI about you that was collected for a particular purpose (such as membership type) we will not use or disclose the information for another purpose unless required or authorised by law, you have consented, or you would reasonably expect us to use or disclose it for a related purpose (such as providing information about a different membership type or member event).
Broadly speaking, ISACA Sydney uses PI internally to provide Member Services, including for conferences and ISACA Chapter events (in collaboration with third parties). Examples include, name, title, email address membership type and number.
Broadly speaking, we disclose PI by releasing it outside of our possession or control for the same reasons above; providing Member Service and collaborating with third parties. We will also release PI outside of our possession or control where there is a legal obligation to do so.
We retain records for legal, business and evidential reasons for retention terms required by law. Where PI records are concerned our policy is to keep these only so long as the purpose requires us to do so (for example the term of membership). We will also consider requests for earlier deletion of PI records under certain circumstances, for example under the international right of erasure.
10.7 Direct Marketing
When we provide Member Services to individuals, we ask for consent to communicate directly with the individual in order to provide information and to promote our Member Services.
Whenever we do, we allow individuals to opt-out of receiving direct communications and direct marketing notifications. When individuals request us to stop communicating with them, We will comply with that request within a reasonable time (thirty (30) days).
If an individual requests information about how we came to have their PI, we will respond, and provide the source of an individual’s PI wherever possible. We will respond to these requests within a reasonable time (thirty (30) business days).
We do not disclose, sell or share PI to third parties for direct marketing purposes.
10.8 Cross-border Disclosure of Personal Information
ISACA Sydney volunteers and the board of directors operate from New South Wales Australia. These operations include internal managerial operations that support the Member Services, and activities that rely upon third party services that involve PI travelling over telecommunications lines and the storage of static (archived) PI on information systems (email).
ISACA Sydney members are primarily located in New South Wales Australia, but as they are also members of ISACA USA, member PI is stored and flows (is exported and imported) between Australia and the United States.
In dealing with third party service providers, wherever reasonably possible, we meet international best practice standards and employ recognised mechanisms such as contractual clauses and other arrangements (such as Binding Corporate Rules) to ensure the security and confidentiality of the PI that we Process.
Despite our best efforts, there is no guarantee of security or privacy, and individuals are cautioned to consider how their PI moves and is stored on global information systems and to make appropriate choices.
10.9 Adoption, Use or Disclosure of Government Identifiers
We do not adopt, use or disclose government identifiers of an individual as our own identifiers.
10.10 Quality and Accuracy of Personal Information
We are committed to taking reasonable steps to ensure that the PI we Process is accurate, up-to-date, complete and relevant in relation to the purpose for which it is Processed.
To ensure the quality and accuracy of member PI, ISACA USA provides a member registration portal on its website where members can access, verify and update their PI records. See the ISACA USA website.
In the event of an Eligible Data Breach (section 13 below) as defined in the NDB Scheme, we will need to contact you if you are affected by the breach, and we need to know that the information we have to do so is accurate. For your own security, please ensure that you keep your PI records up to date to ensure we can contact you through your preferred means of communication.
10.11 Security of Personal Information
We are committed to taking reasonable steps to protect the PI that we hold from misuse, interference and loss. We are committed to securing PI from unauthorised access, modification and unauthorised disclosure.
To comply with law and manage risk, our practices, procedures and systems aim to protect the confidentiality, integrity and availability of our information systems and the information on them.
Where there is no requirement under the Affiliation Agreement or legal obligation to retain records and evidence, and in circumstances where we no longer need PI to provide Member Services we take reasonable steps to destroy the information or to ensure that the information is de-identified.
10.12 Access to Personal Information
Where we hold or have the right and power to deal with PI, we will, on request by an individual, normally give that individual access to their information. We do this so that individuals know what information we hold on them and because it assists us to ensure that the PI that we hold is up-to-date, complete and relevant.
In considering a request for access to PI by an individual (other than direct member access to the ISACA USA member portal), we will require identification. We reserve the right not to give an individual access to their PI, and will assess the request in the light of relevant law, commercial sensitivity and negative impact upon a third party.
We will respond to an individual’s request for access within a reasonable time (thirty (30) business days), and we will consider reasonable requests for access to be given in a particular format, for example, through user registration login, by facsimile, email and postal services. As a matter of courtesy, we will provide reasons for the refusal if access is refused.
No charge will apply when an access to information request is received. We do however reserve our rights to charge a fee where we incur costs, for example, for photocopying, postage and costs associated with using an intermediary if one is required.
10.13 Correction of Personal Information
Where we hold PI, we will take reasonable steps to correct it to ensure that, having regard to the purpose for which we hold it, it is accurate, up-to-date, complete, relevant and not misleading. You may request that we correct PI that we hold about you in circumstances where you believe that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
When considering a request for the correction of PI that we hold, we will require identification. We reserve the right not necessarily to effect the changes sought but undertake to consider reasonable requests and we will provide a statement which records our refusal to effect the change if we consider refusal the appropriate action.
We will respond to a request to change information within a reasonable time (sixty (60) business days) although changes sought may take longer, for example, because we may need to contact or notify other organisations and individuals about the request. No charge applies for making a request, correcting PI or associating a statement for refusal to change a record.
As a matter of courtesy, we will provide reasons for the refusal if correction is refused, and also a reminder of the complaint process available to individuals that feel aggrieved by the refusal (sections 11 and 12).
- Complaints, Enquiries and Access to Information Requests
The applicable regulator is the Office of the Australian Privacy Commissioner. In most circumstances, the Australian Information Commissioner will not investigate a complaint if an individual has not first raised the matter with us. For this reason, we ask individuals to submit all complaints relating to this Policy to us first, so that we have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to us at president@isaca.org.au and to see sections 14 and 17 for further details.
- How to make a Complaint, Enquiries and Request Access to Information
Individuals wanting to lodge a complaint can make general enquiries, request access to their information and complain to us in writing. Writing includes email communications but excludes text and social media platforms.
We will respond to complaints within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed if we need to contact or notify other organisations and individuals affected by the complaint. In this case we will endeavour to respond within sixty (60) business days. Please refer to see sections 14 and 17.
- Eligible Data Breach
Under the NDB Scheme, ISACA must notify the Office of the Australian Privacy Commissioner and affected individuals of an Eligible Data Breach if, and when:
There is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
- The information is lost, and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to
13.1 Actual Eligible Data Breach
If, and when, ISACA becomes aware of a breach of its network or information systems resulting in the circumstances outlined in 12a and 12b, ISACA will:
- Take remedial action;
- Where remedial action fails to adequately limit the risk, notify you if you are affected, and notify the Office of the Australian Information Commissioner (Commissioner): and
- Work with ISACA USA, you, other individuals concerned and the Commissioner to protect everyone and everything
13.2 Suspected Eligible Data Breach
If, and when we suspect a breach of our network or information systems resulting in the circumstances outlined in 13a and 13b, we will:
- Undertake an assessment of the situation to establish the facts; and
- Do this in a reasonable time (thirty (30) business days).
When a suspected breach is found to be an actual breach, we will follow the steps in 13.1 above.
If any person suspects or becomes aware of a breach or an impending breach, please contact us as a matter of urgency on president@isaca.org.au.
- Information for Individuals Located in the European Union
If You are a member of ISACA USA and ISACA Sydney and your PI is protected under European Privacy (EU) Law, please refer to the undertakings under section C of the ISACA USA privacy policy ISACA US Privacy Policy.
ISACA Sydney is committed to supporting your rights. Please contact us for assistance. See section 17 below.
- Governing Law
The principles outlined in this Privacy Policy and Collection Statement are governed by Australian law, and international best practice.
The law of Cook County, Illinois applies in relation to the Affiliation Agreement.
- Skill, Diligence, Care
ISACA will exercise reasonable skill, diligence and care as may reasonably be expected from a similar member association.
- Company Information
ISACA SYDNEY CHAPTERPO Box 3900
RHODES NSW 2138
AUSTRALIA
president@isaca.org.au
isaca.org/sydney
ABN: 51 002 407 276