Privacy Policy
This Privacy Policy applies to the collection, storage, use and disclosure of Personally Identifiable Information (PII) and how Callida maintains the quality and security of personal information. It details Callida’s obligations in taking a proactive approach to privacy and investigating and responding to privacy incidents or breaches.
Callida is referred to in this policy as ‘Callida’, ‘we’ or ‘us’.
By using our services, visiting our website (callida.com.au) or giving us personal information, you agree to your information being collected, stored, used and disclosed as set out in this Privacy Policy.
Callida values and respects the privacy of the people we deal with.
We are committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) (Privacy Act) and other applicable privacy laws and regulations, including the Australian Privacy Principles (APPs).
Callida recognises that privacy governance plays a critical role in:
- Identifying and protecting PII held by Callida;
- Supporting and prompting accountability and transparency;
- Supporting information confidentiality, integrity and availability;
- Promoting efficient work practices; and
- Supporting best business practices that align with Callida’s strategic direction and privacy compliance obligations.
Callida manages personal information in accordance with the APPs, which require us to:
- Collect only information reasonably necessary for our functions and activities;
- Manage personal information in an open and transparent way (APP 1);
- Use or disclose personal information in accordance with APP 6;
- Implement security safeguards (APP11);
- Enable access to and correction of personal information (APP 12 & 13); and
- Assess and report eligible data breaches under the Notifiable Data Breaches scheme (NDB).
This policy will be guided by the following standards:
- Proactive privacy – Callida is proactive in its approach to privacy protection by anticipating and preventing invasive events before they occur;
- Privacy by design – Callida will embed privacy considerations into the design and architecture of information technology systems and business processes;
- Callida collects, uses, discloses and manages all PII as Callida records in accordance with the relevant legislation.
“Personal information” means any information or opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable. In general terms, this includes information or an opinion that personally identifies you either directly (e.g. your name) or can reasonably identify you indirectly.
The personal information we collect about you depends on the nature of your dealings with us or what you choose to share with us. Callida is only permitted to collect your PII in a transparent, lawful, fair manner that is not unreasonably intrusive.
Callida collects your personal information:
- Where necessary and relevant to Callida’s functions and activities; or
- Where required by law; or
- Where you or your authorised representative have consented.
Callida is only permitted to collect your sensitive information where you or your authorised representative have provided consent, or where the collection:
- Is required by law;
- Is otherwise authorised under relevant acts.
If we collect your sensitive information, we will do so only with your consent, if it is necessary to prevent a serious and imminent threat to life or health, or as otherwise required or authorised by law, and we take appropriate measures to protect the security of this information.
Callida will take all reasonable steps to not collect PII from individuals, if it is reasonable and practicable to transact with them without collecting this type of information.
You do not have to provide us with your personal information. Where possible, we will give you the option to interact with us anonymously or by using a pseudonym. However, if you choose to deal with us in this way or choose not to provide us with your personal information, we may not be able to provide you with our services or otherwise interact with you.
We collect your personal information directly from you when you:
- interact with us over the phone;
- interact with us in person;
- interact with us online;
- participate in surveys or questionnaires;
- attend a Callida event;
- subscribe to our mailing list;
- apply for a position with us as an employee or contractor.
In the course of its activities, Callida will take all reasonable steps to only use PII collected for:
- The primary purpose of collection; or
- A related secondary use reasonably anticipated by the individual; or
- Where an individual has consented; or
- Where authorised by law.
Callida’s employees and associates are only permitted to access relevant PII to the extent necessary to perform their job.
Callida may disclose your personal information to third parties in accordance with this policy in circumstances where you would reasonably expect us to disclose your information. For example, to an IT Managed Services, HR or Payroll system provider.
Callida will not share your PII with other third parties without your prior consent unless this is required by law. Authorised disclosures of relevant parts of your personal information with your consent will be made to organisations nominated by you for an identified purpose such as for the deposit of your salary in regard to contractors or employees.
Some of the third-party service providers we disclose personal information to may be based in or have servers located outside of Australia.
Where we disclose your personal information to third parties overseas, we will take reasonable steps to ensure that data security and appropriate privacy practices are maintained. We will only disclose to overseas third parties if:
- you have given us your consent to disclose personal information to that third party; or
- we reasonably believe that:
  - the overseas recipient is subject to a law or binding scheme that is, overall, substantially similar to the Australian Privacy Protection Laws; and
  - the law or binding scheme can be enforced; or
- the disclosure is required or authorised by an Australian law or court / tribunal order.
Callida will take reasonable steps to ensure that the personal information that we hold about you is kept confidential and secure, including by:
- having robust physical security of our premises and databases / records;
- taking measures such as managerial procedures to restrict access to only personnel who need that personal information to effectively provide services to you;
- having technological and electronic measures in place (for example, anti-virus software, firewalls, access controls, multi-factor authentication);
- destroying or permanently de-identifying data when it is no longer needed;
- taking all reasonable steps to ensure that its contracted service providers comply with all privacy laws that apply to Callida.
Callida uses Microsoft 365 and OneDrive to store and manage data, with all data located in the Microsoft Australia Central region. The Microsoft Online Services Sub-processor List provides a list of sub-processors (sub-contractors) that may have access to both customer data and personal data. More information can be found in the Microsoft document Sub-processors and Data Privacy.
The Callida website uses cookies. A cookie is a small file of letters and numbers the website puts on your device if you allow it. These cookies recognise when your device has visited our website(s) before, so we can distinguish you from other users of the website. This improves your experience and the Callida website.
We do not use cookies to identify you, just to improve your experience on our website. If you do not wish to use the cookies, you can amend the settings on your internet browser so it will not automatically download cookies. However, if you remove or block cookies on your computer, please be aware that your browsing experience and our website’s functionality may be affected.
Our website uses Google Analytics to help us better understand visitor traffic, so we can improve our services. Although this data is mostly anonymous, under certain circumstances it may be possible to connect it to you.
We may send you direct marketing communications and information about our services, opportunities, or events that we consider may be of interest to you if you have requested or consented to receive such communications. These communications may be sent in various forms, including mail, SMS, and email, in accordance with applicable marketing laws, such as the Australian Spam Act 2003 (Cth).
You consent to us sending you those direct marketing communications by any of those methods. If you indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so.
You may opt-out of receiving marketing communications from us at any time by following the instructions to “unsubscribe” set out in the relevant communication.
In addition, we may also use your personal information or disclose your personal information to third parties for the purposes of advertising, including online behavioural advertising, website personalisation, and to provide targeted or retargeted advertising content to you (including through third party websites).
We will not keep your personal information for longer than we need to. In most cases, this means that we will only retain your personal information for the duration of your relationship with us unless we are required to retain your personal information to comply with applicable laws, for example record-keeping obligations.
Callida will endeavour to keep your personal information accurate, complete and up to date. If you wish to make a request to access and / or correct the personal information we hold about you, you should make a request by contacting us and we will usually respond within 3 working days. Please email info@callida.com.au to access or correct your personal information. Please note that to protect your privacy and the privacy of others, Callida requires appropriate evidence of your identity and/or proof of accurate and current delegation before it can consider a request for access or correction.
Callida may change this Privacy Policy in the future at any time. All modifications will be effective upon the date approved and the policy being published.
For complaints about how Callida handles, processes or manages your personal information, please contact the Callida Chief Operations Officer at info@callida.com.au, or by phone (02) 6162 3339 or PO Box 4026 Kingston, ACT 2604. Note we may require proof of your identity and full details of your request before we can process your complaint.
Please allow up to 10 days for Callida to respond to your complaint. It will not always be possible to resolve a complaint to everyone’s satisfaction. If you are not satisfied with Callida’s response to a complaint, you have the right to contact the Office of the Australian Information Commissioner (at oaic.gov.au) to lodge a complaint.
The Chief Operating Officer will:
- receive, review and respond to enquiries and complaints,
- control and maintain this policy,
- administer this policy and monitor compliance,
- inform training requirements, and
- investigate potential privacy breaches.
All Callida employees and contractors will be responsible for performing the duties of their employment, appointment or engagement by Callida, in accordance with the following principles:
- Respect the privacy of personal and health information that they collect, use or disclose;
- Comply with the requirements of all applicable personal data protection laws, and this policy;
- Take all reasonable steps to keep the information secure, including adopting respectable behaviour that does not impinge on the security and safety of Callida’s network or the privacy of employees or clients while:
  - Being on Callida premises;
  - Accessing Callida’s network;
  - Complying with the Callida Technology Policy;
- Undertake and complete the privacy training at induction and on a regular basis;
- Complete relevant screening or security checks.
- Confidential Information: all data, in its original and duplicate form, for which there is either a legal, ethical, or contractual requirement to restrict access. Confidential information must be restricted to those with a legitimate business need for access. For example: financial information, system access passwords, tenders and contracts, information about a third party with whom Callida has a commercial relationship, etc.
- Data & Privacy Breach: Unauthorised access, misuse, disclosure or loss of any Confidential Information, Personal Information or Sensitive Information held by Callida. Data Breach refers to any type of information whereas privacy breach relates to any PII.
- Employees: refers to all former, current and prospective employees, officers, agents, contractors and subcontractors of Callida.
- Notifiable Data Breach scheme (NDB): means eligible data breaches that fall under the Commonwealth mandatory reporting scheme. As a Tax File Number Recipient, this applies to Callida in relation to any unauthorised access to, or unauthorised disclosure of, tax file number data.
- Personally Identifiable Information (PII): collectively or individually refers to Personal Information, Sensitive Information, Health information, and identifiers.
- Personal Information: refers to information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable. Common examples are an individual’s name; age; date of birth; contact details; address; bank account details; medical records; image (as recorded in video footage or a photograph).
- Sensitive Information: refers to information or an opinion about your race; ethnicity; political opinions; trade union memberships; religion; sexual preferences; or criminal record.
If you have any questions about this Privacy Policy, please contact info@callida.com.au.