№ 05 Privacy

How we handle your information.

ISO Certification Australia (the practice, we, us, our) is bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. This policy explains what personal information we collect, how we use it, who we may share it with, and how we protect it.

Effective 6 May 2026 · Version 1.0

Application

Scope

This policy applies to ISO Certification Australia and all personal information collected, held, used or disclosed in the course of our certification, audit and advisory activities, delivered under JAS-ANZ accreditation through Equal Assurance.

“Personal information” means any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not, as defined under section 6 of the Privacy Act 1988 (Cth).

We do not knowingly collect personal information from children under 16. Our services are directed at organisations rather than consumers.

Categories

Information we collect

We collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities. This typically includes:

  • Identity and contact information - name, job title, employer, business email address, business phone number and postal or business address.
  • Engagement information - details you or your organisation provide to enable an audit or certification engagement, including organisational structure, management system documentation, process descriptions, and the names and roles of personnel interviewed during an audit.
  • Audit findings - observations, evidence and findings recorded during the course of an audit, which may reference identifiable individuals where relevant to the assessment.
  • Communications - records of correspondence, file notes, meeting agendas and minutes relating to enquiries and engagements.
  • Technical and analytics information - IP address, device and browser information, referring page, pages viewed and approximate location, collected automatically when you visit our website.

We do not deliberately collect sensitive information (as defined under the Privacy Act) unless it is necessary for the engagement and you have consented, or another exemption applies.

Sources

How we collect it

Wherever practicable we collect personal information directly from the individual concerned. In practice, the routes are:

  • Forms submitted through this website, including the enquiry form on our contact page.
  • Email and telephone correspondence initiated by you or your organisation.
  • During audit and certification engagements, including on-site interviews, document review and observation of work practices.
  • From your employer or principal contractor where they have engaged us and have authority to provide the information.
  • Automatically through standard server logs and analytics tools when you interact with this website.

If we collect personal information about you from a third party, we will take reasonable steps to make you aware of the collection where required by APP 5.

Purpose

How we use information

We use personal information for the primary purposes for which it was collected, and for related secondary purposes you would reasonably expect. Specifically:

  • To respond to your enquiry and provide information about our services.
  • To plan, conduct, document and report on certification audits, second-party supplier audits and related advisory work.
  • To issue, vary, suspend or withdraw certifications, and to maintain certification records as required by JAS-ANZ and the relevant ISO standards.
  • To fulfil our obligations under our contractual arrangements with you and with our accreditation partner.
  • To meet legal, regulatory, accreditation and insurance obligations, including audit traceability requirements.
  • To improve the quality of our services, including by reviewing audit outcomes and aggregate (de-identified) usage data.

We do not sell personal information, and we do not use it for unrelated direct marketing.

Disclosure

Who we share it with

We disclose personal information only where it is necessary for the purposes set out above, where you have consented, or where we are required or authorised by law. Recipients may include:

  • Equal Assurance, our JAS-ANZ accredited certification body partner, for the administration and issue of certificates and the maintenance of certification records.
  • JAS-ANZ, the joint accreditation body, where disclosure is required as part of accreditation oversight, witness audits or complaint resolution.
  • Regulators and government agencies, where disclosure is required by law (for example in response to a valid subpoena, notice or court order).
  • Professional advisors, including our insurers, auditors and legal advisors, on a confidential basis.
  • Service providers who support our operations, including IT and cloud-hosting providers, under contractual confidentiality and data-protection obligations.

We require any service provider that handles personal information on our behalf to do so consistently with the Australian Privacy Principles.

Cross-border

Overseas disclosure

Some of our service providers (including cloud-hosting, analytics, and email infrastructure providers) may store or process personal information outside Australia. Where this occurs, we take reasonable steps to ensure that the recipient handles the information consistently with the Australian Privacy Principles, including through contractual data-protection commitments.

The countries in which our providers may hold information include the United States and member states of the European Union.

Security

Storage and security

We store personal information in electronic form on secure servers and, where necessary, in hard copy in our offices. We protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure through:

  • Encryption in transit (TLS) for data submitted via this website.
  • Access controls and least-privilege principles for personnel with access to client records.
  • Confidentiality clauses and data-protection obligations in our agreements with personnel and third parties.
  • Logical and physical security measures appropriate to the sensitivity and volume of information held.
  • Periodic review of security controls and incident-response arrangements.

No method of transmission or storage is completely secure. While we take reasonable steps to protect personal information, we cannot guarantee absolute security.

If we become aware of an eligible data breach as defined under the Notifiable Data Breaches scheme, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) where required.

Cookies

Cookies and analytics

This website uses a small number of cookies and similar technologies. These fall into two categories:

  • Essential cookies - required for the website to function (for example to remember session state). These cannot be disabled without breaking core functionality.
  • Analytics - we may use privacy-respecting analytics tools to understand how visitors interact with the site at an aggregate, de-identified level. We do not use third-party advertising cookies.

You can configure your browser to refuse cookies or to alert you when cookies are being sent. If you disable cookies, some parts of the website may not function as intended.

Retention

How long we keep it

We retain personal information only for as long as it is needed for the purposes for which it was collected, or as required by law and our accreditation obligations. In practice:

  • Audit and certification records are retained for a minimum of seven years following the end of the engagement, in line with accreditation requirements.
  • Enquiry and correspondence records are retained while the relationship is active, plus a reasonable period thereafter, before being destroyed or de-identified.
  • Server logs and analytics data are retained for shorter periods consistent with their operational purpose.

When personal information is no longer required and we are not required to retain it by law, we take reasonable steps to destroy or de-identify it.

Your rights

Access and correction

You have the right to request access to the personal information we hold about you and to ask for it to be corrected if it is inaccurate, out of date, incomplete, irrelevant or misleading.

We will respond to a request within a reasonable period (generally within 30 days). There is no charge for making a request, although we may charge a reasonable fee to cover the cost of providing access where significant work is required.

We may decline a request where the law permits or requires us to do so, for example where granting access would have an unreasonable impact on the privacy of others. If we decline a request, we will provide written reasons.

Complaints

Concerns and complaints

If you believe we have not complied with our obligations under this policy or the Australian Privacy Principles, you may lodge a complaint via our website. We will acknowledge your complaint and aim to provide a substantive response within 30 days.

If you are not satisfied with our response, you may refer the matter to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Changes

Updates to this policy

We may update this policy from time to time to reflect changes in our practices, technology, legal obligations or business structure. The “Effective” date at the top of this page reflects the most recent version. Material changes will be communicated where reasonably practicable.

Your continued engagement with us, or continued use of the website, after a revised policy is published constitutes acceptance of the updated terms.

Operating under JAS-ANZ accreditation through Equal Assurance.