Edentiti Pty Ltd ABN 67 111 307 361 (Edentiti), is a private identity verification services provider and a gateway service provider for the Commonwealth Document Verification Service.

Edentiti is committed to complying with the Australian Privacy Principles. It understands the importance of protecting the privacy of individuals. This Privacy Policy, therefore, sets out:

• Edentiti’s procedures in relation to the collection, use, disclosure, storage and protection of information that Edentiti collects from or about individuals (personal information); and
• the rights of individuals to seek access to and correction of personal information which Edentiti holds about them.

This Privacy Policy is divided into 5 principal sections:

• Section 1 — Visitors;
• Section 2 — Trial Users;
• Section 3 — Individual Users;
• Section 4 — Organisation Representatives; and
• Section 5 — General Provisions.

If you would like Edentiti to send you a MS Word or PDF copy of this Privacy Policy (at no charge), please use the contact details at the end of this Privacy Policy to request a copy. If you require a copy of this Privacy Policy in a different format, Edentiti will use its reasonable efforts to comply with your request. If Edentiti cannot supply a copy of the Privacy Policy in the format you have requested, Edentiti will contact you to discuss your requirements and attempt to identify and agree an alternative format in which the copy of the Privacy Policy can be provided to you.

Edentiti welcomes your comments on this Privacy Policy. If you would like to make a comment, you should contact Edentiti using the contact details set out in the Contact Details section of this Privacy Policy.

1. Visitors

A visitor is a person who visits Edentiti’s website or otherwise contacts Edentiti but to whom Edentiti does not provide any goods or services or who does not undertake a trial of any products or services provided by Edentiti (Visitor).

Edentiti does not attempt to identify a Visitor when the Visitor is accessing the website or otherwise contacting Edentiti except where the Visitor wishes to undertake a trial of any of Edentiti’s services (in which case, you should refer to section 2 of this Privacy Policy). Edentiti will not collect personal information about any Visitor unless the Visitor expressly provides this to Edentiti (for example, by sending an email or completing an online registration form or online inquiry form).

If a Visitor wishes to undertake a Trial, the Visitor cannot undertake the Trial unless the Visitor provides an email address.

Where possible, Edentiti’s systems will allow a Visitor to communicate with Edentiti on an anonymous basis or by using a pseudonym.

2. Trial Users

A trial user is a person who visits Edentiti’s website or otherwise contacts Edentiti and undertakes a trial of any products or services provided by Edentiti or visits the public demonstration pages of Edentiti’s website (Trial User).

A Trial User will only be able to undertake a trial of products or services provided by Edentiti if the Trial User provides an email address.

This section is divided into the following subsections:

• Why Edentiti collects personal information;
• What personal information Edentiti collects;
• How Edentiti collects personal information of Trial Users;
• How Edentiti obtains consent from Trial Users;
• How Edentiti uses personal information of Trial Users; and
• Disposal or destruction of personal information.

2.1 Why Edentiti collects personal information

Edentiti collects personal information of Trial Users:

• to confirm that the Trial User is a person who wishes to use the products and services of Edentiti on a trial basis; and
• for the purposes of communicating with the Trial User.

2.2 What personal information Edentiti collects

Edentiti collects only the Trial User’s email address. It is not possible to undertake a trial of any products or services provided by Edentiti or visits the public demonstration pages of Edentiti’s website unless a user provides the user’s email address. Therefore, it will not be possible for a Trial User to communicate with Edentiti on an anonymous basis or using a pseudonym.

2.3 How Edentiti collects personal information of Trial Users

Edentiti will collect information directly from each Trial User.

2.4 How Edentiti obtains consent from Trial Users

In most cases, either before or at the time of collecting the personal information, Edentiti will obtain the consent of the Trial User to the collection of the personal information.

2.5 How Edentiti uses personal information of Trial Users

Edentiti will use the personal information to monitor usage patterns, to determine whether the Trial User is a genuine user of the trial products and services and to communicate with the Trial User including for the purposes of marketing.

Edentiti will not disclose any personal information to any individual or entity without the express permission of the Trial User.

2.6 Disposal or destruction of personal information

Edentiti will delete all personal information on conclusion of trial arrangement except in those cases where Edentiti is required to maintain a record.

3. Individual Users

An Individual User is a person who visits Edentiti’s website or otherwise contacts Edentiti and to whom Edentiti provides products or services.

Edentiti’s identity verification service is a service which verifies the identity of an Individual User thereby allowing the Individual User to prove that the Individual User is who the individual say he or she is including to allow the Individual User to electronically present himself or herself to a trusted independent entity with whom the Individual User may already have a relationship.

This section is divided into the following subsections:

• Why Edentiti collects personal information;
• What personal information Edentiti collects;
• How Edentiti collects personal information of Individual Users;
• How Edentiti obtains consent from an Individual User;
• How Edentiti uses personal information of an Individual User;
• Access to personal information;
• Disposal or destruction of personal information.

3.1 Why Edentiti collects personal information

Edentiti collects personal information of Individual Users:

• to provide identity verification services to the Individual Users;
• for the purposes of communicating with the Individual User;
• for the purpose of providing information to specific organisations with whom an the Individual User has authorised Edentiti to communicate; and
• to provide services related to the services and purposes described above.

To provide the Edentiti’s identity verification service, the information collected by Edentiti is compared against an information database.

Edentiti also collects personal information of Individual Users which is reasonably necessary to undertake a function or activity (for example, to manage and administer Edentiti and conduct its business).

3.2 What personal information Edentiti collects

Edentiti collects the following information about Individual Users:

1. name;
2. address;
3. birthdate;
4. time and date of use of Edentiti; and
5. email address.

Additional information may be required depending on the services which the individual user wishes to acquire from Edentiti and Edentiti will, notify the Individual User of the requirement to collect this additional information as specified in section 3.4 of this Privacy Policy.

Where possible, Edentiti’s systems will allow an Individual User who wishes to communicate with Edentiti on an anonymous basis or by using a pseudonym. However, it will not be possible for an Individual User to communicate with Edentiti on an anonymous basis or using a pseudonym if the Individual User requires assistance in relation to its account or the information which it has provided to Edentiti for the purposes of establishing or using its account.

3.3 How Edentiti collects personal information of Individual Users

Edentiti will collect information directly from each Individual User or from third parties whom the Individual User has authorised Edentiti to contact.

3.4 How Edentiti obtains consent from an Individual User

In most cases, either before or at the time of collecting the personal information, Edentiti will obtain the consent of the Individual User to the collection of the personal information. If Edentiti cannot obtain the consent of the Individual User before or at the time of collection, it will obtain consent as soon as practical after the collection.

3.5 How Edentiti uses personal information of an Individual User

The Edentiti service enables an Individual User to use the Individual User’s personal information for the Individual User’s own purposes. Edentiti uses the personal information of an Individual User as required to provide products and services to the Individual User. This may include disclosure of personal information to persons whom the Individual User has authorised Edentiti to contact or provide the personal information for the purposes of providing the verification service to the Individual User.

Edentiti will not disclose any personal information to any individual or entity without the express permission of the Individual User.

3.6 Access to personal information

Individual Users may access all the personal information they have provided to Edentiti or which Edentiti has collected and may update or delete it except in those cases where Edentiti or an organisation to which Edentiti has provided the personal information as part of Edentiti’s provision of the verification services is required to maintain a record. This includes retention of records for compliance with the Anti-Money laundering and Counter-Terrorism Financing Act 2006 or other laws or regulations.

3.7 Disposal or destruction of personal information

Edentiti will delete all personal information on conclusion of the Individual User’s arrangements with Edentiti except in those cases where Edentiti is required to maintain a record.

4. Organisation Representatives

An Organisation Representative is a person who is dealing with Edentiti in his or her capacity as the representative of an organisation who has appointed Edentiti as its agent for the purposes of the Commonwealth Attorney-General’s Department’s Document Verification Service and who is authorised to act on behalf of the organisation.

This section is divided into the following subsections:

• Why Edentiti collects personal information;
• What personal information Edentiti collects;
• How Edentiti collects personal information of an Individual Users;
• How Edentiti obtains consent from an Organisation Representative;
• How Edentiti uses personal information of an Individual User;
• Access to personal information;
• Disposal or destruction of personal information.

4.1 Why Edentiti collects personal information

Edentiti collects personal information of an Organisation Representative to:

• to provide services to the organisation which the Organisation Representative represents;
• for the purposes of communicating with the Organisation Representative and the organisation which the Organisation Representative represents;
• for the purpose of managing Edentiti’s contract with the organisation which the Organisation Representative represent; and
• to provide services related to the services and purposes described above.

Edentiti also collects personal information of Organisation Representatives which is reasonably necessary to undertake a function or activity (for example, to manage and administer Edentiti and conduct its business).

4.2 What personal information Edentiti collects

Edentiti collects the following information about Organisation Representatives:

1. name;
2. address;
3. birth date;
4. email;
5. telephone number;
6. fax number; and
7. name of the organisation which the Organisation Representative is representing and other information which is required to identify the organisation including ABN, address, telephone number; fax number and website.

Where possible, Edentiti’s systems will allow an Organisation Representative to communicate with Edentiti on an anonymous basis or by using a pseudonym. However, it will not be possible for an Organisation Representative to communicate with Edentiti on an anonymous basis or using a pseudonym if the Organisation Representative requires assistance in relation to Edentiti’s arrangements with the organisation which the Organisation Representative represents or the Organisation Representative’s account.

4.3 How Edentiti collects personal information of Individual Users

Edentiti will collect information directly from each Organisation Representative.

4.4 How Edentiti obtains consent from an Organisation Representative

In most cases, either before or at the time of collecting the personal information, Edentiti will obtain the consent of the Organisation Representative to the collection of the personal information. If Edentiti cannot obtain the consent of the Organisation Representative, it will obtain consent as soon as practical after the collection.

4.5 How Edentiti uses personal information of an Organisation Representative

Edentiti does not anticipate disclosing the personal information of an Organisation Representative to enable Edentiti to provide products and services to the organisation which the Organisation Representative represents.

4.6 Access to personal information

Organisation Representative may access all the personal information they have provided to Edentiti or which Edentiti has collected and may update this information and update it or delete it except in those cases where Edentiti is required to maintain a record.

4.7 Disposal or destruction of personal information

Edentiti will delete all personal information on:

• conclusion of the arrangements between Edentiti or the organisation which the Organisation Representative represents except in those cases where Edentiti is required to maintain a record; or
• when the Organisation Representative notifies Edentiti that it is no longer the representative of the organisation; or
• when the organisation which the Organisation Representative represents notifies Edentiti that it is no longer the representative of the organisation,

except in those cases where Edentiti is required to maintain a record.

5. Provisions Applicable to All Persons From Whom Edentiti Collects Personal Information

This section is divided into the following subsections:

• Unsolicited personal information;
• Usage patterns;
• Cookies;
• Disclosure of personal information by Edentiti;
• Transfer of personal information outside Australia;
• Data security and data storage;
• Government related identifiers;
• Concerns about personal information;
• Response to request for access to personal information;
• Process for accessing personal information;
• Refusing access to personal information;
• Quality of personal information and correction of personal information;
• Complaints;
• Changes to Privacy Policy; and
• Contact details.

5.1 Unsolicited personal information

There may be situations in which Edentiti receives personal information about a person even though Edentiti has not requested any personal information about an individual or has not requested the particular information which has been received about an individual (unsolicited personal information).

If Edentiti receives any unsolicited personal information, it will, within a reasonable period of receipt of the unsolicited personal information, review the unsolicited personal information to determine if it is reasonably necessary for its functions. If it is, Edentiti will handle the information in the same way as it handles the information we collect from a person. If Edentiti does not need the information, Edentiti will destroy the information or de-identify it.

5.2 Usage patterns

Edentiti’s web server collects information on the usage patterns of people visiting Edentiti’s website. The information is collected each time a user visits Edentiti’s website. Except in relation to a Trial User, it is not used to identify browsing activities of any individual user but is collected for statistical purposes. The information collected consists of:

• the date and time of visits;
• number of users who visit the website;
• traffic patterns and pages viewed.

This data will be used to research Edentiti’s website and product and to evaluate, develop and improve its usability.

5.3 Cookies

Edentiti’s website uses session based cookies to keep Individual Users and Organisation Representatives logged in during a session. No other cookies or trackers are used.

5.4 Disclosure of personal information by Edentiti

Edentiti will not disclose information that identifies an individual, or enables an individual to be identified except as:

• specified in this Privacy Policy;
• authorised by the individual;
• as required under applicable laws; or
• as directed by courts, tribunals or other bodies having authority over Edentiti.

5.5 Transfer of personal information outside Australia

In providing verification services to an Individual User, Edentiti will be required to transfer personal information of an Individual User outside Australia if the Individual User provides verification information from a country other than Australia. In this instance, personal information will be transferred by Edentiti to the country from which the verification information provided by the Individual User originates. Therefore, given the possible scope of Individual Users, it is possible that Edentiti may transfer personal information of an Individual User to a country which is a member country of the United Nations or a country having observer status at the United Nations.

By giving Edentiti your personal information, you consent to such transfer and disclosure. In addition, we believe that the recipients of such information are subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the applicable Australian privacy laws.

5.6 Data security and storage

All personal information held by Edentiti is protected from unauthorised access through the use of secure passwords and user logons and other forms of biometric verification.

Edentiti stores all personal information that it collects securely in a manner that is sufficient to prevent misuse and loss, unauthorised access, modification or disclosure of personal information. Edentiti maintains a high level of data security by implementing:

• physical security to prevent unauthorised entry to our premises, by installing systems to detect unauthorised access and secure containers for storing paper-based personal information;
• computer and network security to protect computer systems and networks for storing, processing and transmitting personal information;
• communications security to protect communications via data transmission and to prevent unauthorised intrusion into our computer network; and
• personnel security, through Edentiti’s personnel security measures and background checking procedures to limit access to personal information only by authorised staff and for only approved purposes.

5.7 Government related identifiers

Edentiti does not use or disclose any government identifier or identifier issued by another person.

5.8 Concerns about personal information

Users can contact Edentiti to address any concerns that they have about their personal information.

If you would like access to the personal information which Edentiti holds about you or a person whom you are authorised to represent, please contact Edentiti using the contact details set out in the Contact Details section of this Privacy Policy. Your request should specify the format in which you wish to be provided the personal information (for example, in person, by email, by telephone, hard copy or other electronic record). This application is free of charge. However, Edentiti may make a reasonable charge for providing access to you. If Edentiti wishes to charge you to access the personal information, Edentiti will notify you of this charge prior to giving you access to the personal information.

5.9 Response to request for access to personal information

If you make a request to access personal information, Edentiti will respond to your request within 30 days of the date of your request. If Edentiti cannot respond within this period, Edentiti will notify you of the delay, the reasons for the delay and the date by which Edentiti will provide a response.

5.10 Process for accessing personal information

If Edentiti agrees to give you access to your personal information, the following process will apply:

• No charge for access — Edentiti will notify you of its decision and (where you have requested that the information be provided to you by email, hard copy or other record that can be delivered to sent to you), Edentiti will also provide the personal information to you at the same time (except as set out below)
• Access charge — Edentiti will notify you of its decision and the proposed charge for giving you access and the payment terms and method of payment. If you wish to discuss the proposed charge with Edentiti, you should contact the Edentiti representative nominated in the notice. Once you have paid the access charge ), Edentiti will provide the personal information to you (except as set out below).
• Form of access if different from format requested — If Edentiti concludes acting reasonably, that it is not possible or practicable for Edentiti to provide the personal information in the format you have requested (for example because of the volume or nature of the personal information or your needs), Edentiti will contact you to agree a format in which Edentiti can give you access to the personal information. If you have requested access by in person or by telephone, Edentiti will contact you to arrange the time and place at which you may access the personal information.

5.11 Refusing access to personal information

Edentiti is entitled to refuse a request for access in the circumstances specified in the Australian Privacy Principles. If Edentiti decides to refuse your request, Edentiti will notify you of its reasons (except where it is permitted to refuse to provide reasons). Edentiti will consult with you to identify an alternative means of giving you access to the personal information which may include reducing the scope of request or giving you access through an agreed intermediary.

If you disagree with Edentiti, you may make a complaint as described in the Complaints section of this Privacy Policy.

5.12 Quality of personal information and correction of personal information

Edentiti makes reasonable efforts to ensure that the information that it collects is accurate, up-to-date, complete and relevant both at the time of initial collection and during the period that Edentiti holds the personal information.

If you consider that any personal information that Edentiti holds about you is inaccurate, out-of-date, incomplete, irrelevant or misleading and you wish to have the information corrected, you should contact Edentiti using the contact details set out in the Contact Details section of this Privacy Policy. Edentiti will respond to your request within 30 days. This application is free of charge.

If Edentiti accepts the request, it will take such steps as are reasonable in the circumstances to correct the information to ensure that, having regard for the reasons for which the information is held, the information is inaccurate, out-of-date, incomplete, relevant and not misleading.

If Edentiti refuses the request:

• Edentiti will send you a written notice explaining the reasons for the refusal (except where it is unreasonable to provide an explanation), the complaint mechanism which you may follow and other matters which Edentiti is required to include; and
• you may request that Edentiti associate with the personal information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. Edentiti will take reasonable steps (given the circumstances) to associate the statement in such a way to make it apparent to users of the information.

5.13 Complaints

If you wish to make a complaint about:

• this Privacy Policy;
• the manner in which Edentiti has implemented this Privacy Policy; or
• any other matter relating to the personal information Edentiti holds about you or your dealings with Edentiti in relation to your personal information,

please contact Edentiti using the contact details set out in the Contact Details section of this Privacy Policy. All complaints will be considered by Edentiti’s privacy officer who may contact you to obtain further details of your complaint and to better understand your complaint so that it resolved as quickly as possible.

Edentiti aims to resolve all disputes in a manner which is satisfactory to both you and Edentiti. There may be circumstances where you are not satisfied with the manner in which Edentiti has resolved your complaint. If you are not satisfied with the manner in which Edentiti deals with your complaint, you may complain to the Office of the Australian Information Commissioner (see https://www.oaic.gov.au/).

5.14 Changes to this Privacy Policy

Edentiti reserves the right to change this Privacy Policy as required to maintain compliance with the Australian Privacy Principles and other applicable laws, to comply with changes in technology or to facilitate changes in its business. Edentiti will, if possible, give prior notice of its intention to change this Privacy Policy. If Edentiti considers it necessary, it will consult with the Office of the Australian Information Commissioner or other appropriate government representatives and other representative groups before implementing any change to this Privacy Policy. However, there may be circumstances where Edentiti considers that prior notice or prior consultation is not required or where it is not possible for Edentiti to give prior notice of a change to this Privacy Policy or undertake consultation before changing this Privacy Policy.

When this Privacy Policy is updated, those updates will appear on this page. Edentiti will ensure that changes to this Privacy Policy are identified in each update. Edentiti will also ensure that prior versions of the Privacy Policy can be accessed.

5.15 Contact Details

If you have any questions or comments about this Privacy Policy, would like to request a copy, request access to personal information held about you or make a complaint, please contact:

The Privacy Officer
Edentiti Pty Ltd
PO Box 4863
Sydney NSW 2001
AUSTRALIA
e-mail: info@edentiti.com

© 2015 Edentiti Pty. Ltd. All rights reserved. ABN 67 111 307 361.