About AlphaBeta

AlphaBeta Advisers is a strategy, economics and data analytics firm with offices in Sydney, Melbourne and Canberra.

In the course of work, we collect, handle, manage and store many types of data. While we avoid the use of personal and sensitive data where possible, there are times when its use is essential to our work.

We are committed to respecting individual’s privacy. This policy outlines how we comply with our legal obligations, and how we manage personal and sensitive information.

In this Privacy Policy, ‘us’, ‘we’ or ‘our’ means AlphaBeta Advisers unless otherwise indicated.

Purpose of this Privacy Policy

The purpose of this Privacy Policy is to describe how we comply with the Australian Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs) and other Australian privacy and data protection laws (together, Australian Privacy Laws).

We also wish to demonstrate our commitment to protecting an individual’s privacy in all the work that we do.

We implement processes and safeguards that have been designed by us to meet requirements of the Australian Privacy Laws.

These processes and safeguards ensure privacy by design, information security, and the minimisation of the handling of personal information about individuals regardless of where those individuals are located.

We also segregate data entrusted to us by our business partners and clients, and we manage this data in accordance with agreed requirements as to confidentiality with their customers and suppliers.

Approach to privacy

AlphaBeta works with public and private sector clients to help solve problems and gain insight into significant trends. We believe that new data sources and analytical techniques are critical to improve the quality of problem-solving, and the quality of insights derived. This is because data analysis:

  •  Allows the study of actual observed behaviour and trends, rather than modelling or inferring them

  •  Often enables information to be analysed in close to real-time, and at a vast scale However, we also believe that data analysis needs to be supplemented with a range of other

    research and analytical techniques, such as surveys and economic modelling.

    The nature of our work means we are often asked to research and analyse complex questions that may involve collecting, managing and analysing data on individuals and / or organisations.

    We prioritise protecting individual privacy, and therefore work with de-identified, aggregated data by default unless the data is essential to our work, and not able to be analysed in a deidentified or aggregated fashion. On the occasions where we do work with personal or sensitive information, we follow the practices set-out in this policy.

What is personal or sensitive information?

‘Personal information’ is information or an opinion about an individual who is identified or reasonably identifiable, for example, by

‘Sensitive information’ includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional association, trade association or a trade union, sexual preferences / practices, criminal record. Sensitive Information also includes health and genetic information about an individual.

How we analyse data

We are responsible for the careful handling of all information that our clients entrust to us, including ensuring that we follow responsible business practices, and comply with Australian Privacy Laws.

Before undertaking a project, we agree with the client what data will be used, and if it is likely to raise any privacy considerations. If it does, we agree an appropriate approach to managing privacy. This may included instituting practices to avoid receiving personal or sensitive information; ensuring that consent to use data is gained; and conducting a privacy impact assessment.

In some instances, AlphaBeta may collect data as part of the research for a project, such as via a survey. In this case, we will agree privacy protocols with the client and survey provider, and ensure that where personal or sensitive information is collected, it is done in accordance with the law, and with consent.

Client and Third-Party Data

Where we receive information for the purposes of providing services to a client, we receive this information from that client and not from any individual.

This Privacy Policy does not apply to our clients or other third parties. Each client and each provider of data to AlphaBeta is responsible for providing and complying with its own privacy policy and complying with all privacy and data protection laws applicable to that client or other provider.

Each of our clients is responsible for providing any required notice, obtaining any required consent, and offering and processing any applicable optout or similar choice option as required by applicable privacy and data protection laws.

Please refer to the privacy policy, statement or notice for entities with whom you deal, or whose internet sites, mobile applications and other online services you access, to learn how they collect and use information about you.

We rely on our client to obtain any necessary consents before disclosing any information to AlphaBeta. Notwithstanding this, we have in place practices and procedures to satisfy ourselves that any necessary consents have been correctly and properly obtained by our clients. This may include obtaining and reviewing our clients’ privacy policies, making reasonable enquiries with our clients about their permitted use of personal information they hold on individuals, and obtaining contractual promises from our client that we are using any information received from a client in a manner that is consistent with an individual’s consent.

Working with de-identified and transaction data

In some instances, we agree with clients to work only on their de-identified data, such as for transaction data provided to us by data custodians. In these cases, data relating to transactions of our clients’ customers or suppliers is provided to AlphaBeta only after our clients have de-identified personal information about individuals that are transacting our client’s customers or suppliers. This ensures that AlphaBeta does not receive transaction data about individuals that are transactors in a form which enables those transactors to be identified, or reasonably identifiable by AlphaBeta.

AlphaBeta does not conduct the de-identification process to remove personal identifiers of individuals, or otherwise hold any code that would enable re-identification of individuals.

AlphaBeta does not have any method or process to reverse engineer personal identifiers from the de-identified data.

AlphaBeta will also, where relevant, agree to contractual restrictions that prohibit reverse engineering of the de-identified data that we receive.

When do we receive personal information?

We collect and use personal information about individuals that is reasonably necessary for one or more of our business functions or activities, as follows:

  1. we collect personal information for recruitment, employment, business, operational and administration purposes and when an individual applies or accepts a job with us, we may collect sensitive information; and

  2. we collect personal information for the purposes of maintaining contact with our clients, to keep our clients informed of our products and services, to keep our clients updated on industry developments that may be of interest to them, to keep our clients updated on seminars and other events we are holding, or to otherwise undertake business to business direct marketing activities.

  3. We may collect information to provide, maintain, improve or develop the services we offer to our clients, which includes undertaking research and statistical analysis. In this instance, we will only disclose personal information to the client that provided it.

The types of personal information about individuals collected, received and used by us will depend on the functions and activities that are relevant for the collection as outlined below:

  1. where we are collecting information for recruitment, employment, business, operational and administration purposes, the information we collect may include an individual’s photo, name, birth date, address, e-mail addresses, contact details (including contact details of the individual’s emergency contact), tax file number, financial information (such as bank account details) and an individual’s work history, references and personal background checks;

  2. where we are collecting information for the purposes of maintaining contact with our clients, to keep our clients informed of our services, to keep our clients updated on industry developments that may be of interest to them, to keep our clients updated on seminars and other events we are holding or otherwise to undertake business to business direct marketing activities, the information we collect may include photos, videos, individual’s names, job titles, e-mail addresses and contact details; and

  3. where we are receiving information for the purposes of providing services to our clients, the information we receive will depend on the information provided by our client and the purpose for which it is needed. Such information may include photos, names, postcodes,

addresses, dates of birth, email addresses, membership numbers and other information directly related to our clients’ functions, or products and services being offered to our clients’ customers.

To the extent that we receive any personal information from our clients (including where any information we receive from our clients is capable of re-identification of an individual), and we do not require that information to deliver our services to that client, we will notify the client and delete such information in accordance with this Policy.

In some exceptional circumstances, we will agree to work on a client engagement that involves our analysis of personal information. In these circumstances we will ensure that such work is done in accordance within strict protocols and safeguards that have been established by AlphaBeta to ensure compliance with the Australian Privacy Laws and any other relevant privacy laws.

In these circumstances where we receive personal information (occasionally including sensitive information) from our clients, this information will (to the extent within AlphaBeta’s control as recipient) only be received by AlphaBeta where necessary for the delivery of such services to our clients.

This personal information is not shared with third parties or used for the purposes of targeted advertising. We also handle that personal information for a client in a data handling environment isolated and separated by reliable controls and safeguards from our de-identified data environment, usually by accessing the personal information in the client’s own systems, behind their firewalls.

How we collect personal information from individuals

Any personal information collected by us is collected in the course of business, by lawful and fair means and in accordance with this Policy.

Where we are collecting information for employment, recruitment, business, operational and administration purposes, this information is generally provided by an individual by filling in forms, résumés, face to face meetings, email messages and telephone conversations.

Subject to an individual’s prior written consent, we may collect personal information about that individual from a third party (such as referees).

Where we are collecting information for the purposes of maintaining contact with our clients, or to undertake business-to-business direct marketing activities, the information we collect is generally provided by an individual by filling in forms, face to face meetings, email messages, business card, email signatures and telephone conversations.

Where we collect personal information directly from an individual, before collecting such information, we will, where practical and reasonable in the circumstances, notify that individual of:

  1. our contact details;

  2. the circumstances and the purpose of the collection;

  3. the main consequence (if any) if all or some of the information is not collected by us;

    and

  4. any third parties that we may disclose that information to (if any).

Where the information is received from a third party for employment, recruitment, business, operational and administration purposes, we may obtain an individual’s consent to collect their personal information from third parties.

Use and disclosure of personal information

We only use personal information for the purpose for which it was given to us. We will only use personal information if it is reasonably necessary for one or more of our functions and activities. Such uses primarily include:

  1. for recruitment, employment, business operations and administration;

  2. to maintain contact with our clients, to keep our clients informed of our products and

    services, to keep our clients updated on industry developments, seminars and other events that may be of interest to them and to undertake business to business direct marketing activities; and

  3. to provide, maintain, improve or develop the services we offer to our clients, which include undertaking research and statistical analysis. In this instance, we will only disclose personal information to the client that provided it.

For the avoidance of doubt, information provided by our client to enable the delivery of services will only be used for that purpose and will not be used by AlphaBeta for any other purpose without the prior written consent of the client.

We will not use any personal information of an individual for a secondary purpose unless:

1. an individual would reasonably expect that we would use or disclose the personal information for that secondary purpose and that purpose is related to the primary purposes for which it was given to us.

2. that individual has consented to the use of that personal information for the secondary purpose; or

3. the secondary use or purpose is required or permitted under law.
We may disclose personal information for the purposes described in this Policy to:

  1. our related bodies corporate and AlphaBeta Health and its related bodies corporate and shareholders

  2. our clients, in circumstances where that personal information was originally provided to us by that client;

  3. third party suppliers and service providers (including providers for the operation of our websites and/or our business or in connection with providing services to our clients);

  4. professional advisers, dealers, business partners and agents;

  5. anyone to whom our assets or businesses (or any part of them) are transferred;

  6. specific third parties authorised by you to receive information held by us; and/or

  7. other persons, including government agencies, regulatory bodies and law enforcement

    agencies, or as required, authorised or permitted by law; and

  8. otherwise as may be required by law.

Direct marketing

Where we use personal information for the purposes of business-to-business direct marketing, we rely on the exception in the Privacy Act to do so. We will comply with APP 7 and the Spam Act 2003 (Cth) in relation to any direct marketing by us, including:

1. allowing an individual to opt out of receiving any further direct marketing from us; and

2. in each written communication from us, setting out our business address, telephone number and, if the communication with that individual is made by electronic means, a number or address at which we can be directly contacted electronically.

Quality of information

Where we collect personal information from an individual directly, we take steps to ensure that the personal information we collect, use and disclose is accurate, up to date and complete. These steps include maintaining and updating any personal information when we are advised by an individual that their information has changed.

Where we collect personal information about an individual from a third party, we rely on that third party to ensure that information it collects is accurate, up to date and complete.

Security of personal information

We place a high degree of importance on data security and take all reasonable steps to protect any personal information that we hold from misuse, interference, loss, unauthorised access, modification or disclosure.

These steps include:

  1. storage of such information in a secure environment;

  2. restricted access to such information to only those for whom such access is reasonable and

    necessary, including password protection and restricted physical access;

  3. the use of up to date hardware and software security measures; and

  4. establishing processes and procedures to ensure that we review any protections we have in

    place and ensure that these are operating correctly.

Retention of information

We retain personal information after we have used the personal information for the purposes for which we collected or received it. If we retain such information, it will only be used for the following purposes:

  1. as required by or under any applicable law, or a court / tribunal order;

  2. as required for professional indemnity insurance; and

  3. in accordance with our back-up archive policy. When no longer required, AlphaBeta will take

    reasonable steps to ensure that all such information is deidentified or destroyed in a secure manner and within a reasonable time frame.

Access to information

An individual may request access to their personal information held by us in accordance with section 19 below. Subject to any permitted exception under the Privacy Act, we shall give that individual access to that information.

If an individual notifies us that the information we hold about them is not accurate, we will take reasonable steps to correct that information. To the extent that we have received any personal information from a client, we will notify our client that it has received a request from an individual to access or correct the personal information it has provided to us.

Unsolicited information received by us

Where we receive any personal information which we did not request or otherwise in error, we shall, as soon as practical, destroy that information or ensure that the information is de- identified.

Our employees are given training to ensure that they are able to identify personal information received by us in error.

Cookies and anonymous identifiers

A cookie is a small file containing information specific to a user, passed through an internet protocol such as a web browser and stored on a device.

We use cookies, web beacons and other similar technology to track access to, and use of, our website. The information gathered is not personally identifiable and is used to improve our website and facilitate opt outs.

We may also receive cookie data, web beacon data, device information, log information, browser information and other anonymous identifier data from our clients and strategic partners about a person’s use of our clients’ and strategic partners’ products and services.

We receive and use this information to deliver products and services to our clients and strategic partners, including:

  1. to analyse trends and identify audiences and customers for our clients and strategic partners;

  2. to create audience segments that are categorised by common behaviours and preferences (these audience segments are used by our clients and strategic partners to enable them to conduct more effective marketing and advertising campaigns); and

  3. to measure the effectiveness of marketing and advertising campaigns of our strategic partners and advertisers. The anonymised data may be collected for matching with offline data and may be shared with third parties for the purposes of marketing and targeted advertising.

If you wish to opt of receiving any targeted advertising from clients, strategic partners or advertisers, you may do so at this link: https://www.AlphaBeta.com/opt-out/

An individual’s right to anonymity and pseudonymity

Nothing in this Policy restricts an individual’s option to not identify themselves or use a pseudonym when dealing with us, provided that this right does not apply in relation to matters where:

  1. we are required or authorised by or under law, or court / tribunal order, to deal with an individual who has identified himself / herself; or

  2. it is impractical for us to deal with an individual who has not identified themselves or who has used a pseudonym (in a job application for example).

Cross-border disclosure of information

AlphaBeta is an international business. We may disclose personal information about an individual to our overseas related bodies corporate for the purposes of delivering our services.

We may also be required by a client to disclose personal information about an individual to an overseas recipient, generally a related body of that client, for the purposes of delivering our services.

We will ensure that such information is only transferred as follows:

1. in accordance with any applicable laws;
2. where applicable, with the approval of our client; and
3. the information being transferred is transferred to countries that have an adequate level of

protection for the rights of the data subject.

EU General Data Protection Regulation

AlphaBeta does not have an establishment in the European Union. Some of our clients may have an establishment in the European Union, so we have developed our privacy and security processes and safeguards having regard to the requirements of the EU General Data Protection Regulation.

We also seek to comply with data protection laws in countries other than Australia where we know that a device collecting data is being used in a particular country, although often we will not be in a position to know where a device is being used.

Our activities as conducted outside the European Union are activities consistent with AlphaBeta being a ‘data processor’ of ‘pseudonymised personal data’ or ‘anonymised personal data’ relating to individuals as those terms are defined in the EU General Data Protection Regulation.

How to contact us

If an individual:

  1. would like to access or inquire about any personal information we hold about that individual;

  2. has a query in relation to this Privacy Policy; or

  3. would like to make a complaint about our handling of an individual’s personal information,

    they can contact us at:

Level 7, 4 Martin Place Sydney NSW 2000

sydney@alphabeta.com

+61 2 9221 5612
This Policy relates to AlphaBeta Advisors Pty Limited and each of its related bodies corporate.

CyberSeek Australia is supported by AustCyber and the Australian Government through the AustCyber Projects Fund 2020. Privacy Policy