Protecting personal information is important to ACS and personal information will be held in strictest confidence.
Personal information will only be used for the purposes it was collected or in the way that the provider has given ACS permission to use it.
Types of Personal Information the ACS Collects and Holds
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not.
We generally ask for all or some of the following types of personal information:
- Title, name, address and contact details
- Date of birth
(NB some of the information asked for is optional).
Depending on the service you select we may also ask for other types of personal information such as:
- Employment information
- Educational qualifications
- Academic transcripts
- Current course of study in ICT at an Australian institute or RTO
- Passport details
- Birth certificate
Credit card information is collected by ACS but is processed using a secure gateway therefore this information is not held.
ACS does not collect sensitive information as such, noting however that membership to ACS as a Professional Association is in itself sensitive information.
Why We Collect Personal Information
ACS collects personal information for the purposes of:
a) providing members with a comprehensive range of membership products and services and with valuable information regarding relevant products and services from ACS and appropriate ACS contracted third parties;
b) performing its role as a ‘Skills Assessment for Migration’ agency;
c) providing professional development events (courses, conferences, seminars, workshops etc) for members and the general public;
d) conducting the ACS Professional Year Program in ICT;
e) seeking a better understanding of member needs in order to continually develop relevant membership products and services; and
f) meeting its legal obligations.
When collecting personal information by whichever means, ACS will ensure that appropriate notices are given and consents obtained in accordance with the Australian Privacy Principles. Most information is collected directly from the individual. ACS may also obtain some personal information from third party sources. In such cases ACS will require a warranty from the third party that the information has been collected in accordance with Australian Privacy Principle, including notification that the information may be disclosed to organisations such as ACS.
How We Collect Personal Information
The personal information we require to deliver our products and services is usually collected directly from you:
- using written forms
- via the internet including websites and social media
- via email
- via telephone
- via face-to-face contact (eg at forums, trade shows and events)
- through security surveillance cameras (installed in some ACS offices)
We also collect personal information from third parties eg migration agents acting on your behalf.
We may keep unsolicited personal information (personal information we receive that we have taken no active steps to collect) if the information is reasonably necessary for one or more of our functions or activities.
Note: Cookies provide information which is not classified as personal information.
Our website uses a range of data analytics platforms for marketing intelligence purposes. These do not identify individual users or associate member and customer IP addresses with any other data held by those platforms. The type of information that is collected includes:
- type of device being used to access the website
- country where user is located
- time on a page
- bounce rate - the number of users that enter and leave the same page (expressed as a percentage).
- other metrics as required
Disclosure of Personal Information
Personal information provided to ACS will not be disclosed to other organisations or individuals without the provider's permission or when obliged to provide such information by lawful authority.
ACS may disclose personal information for secondary purposes that are related to the primary collection purpose but only in situations where it is reasonable to expect such information to be disclosed. Typically this would be for internal business practices (auditing, product development etc).
ACS is represented on a number of international bodies (including IFIP, SEARCC and IP3) and is a signatory to the Seoul Accord. It does not disclose any personal information to these bodies other than that of the ACS’s appointed representatives.
ACS is a Registered Training Organisation (RTO) within the Australian Skills Quality Authority (ASQA) framework and as such is required to comply with the National VET Provider Collection Data Requirements Policy. This includes providing reports which reveal personal information. This information is presented in aggregated form and used by VET regulators to better support the VET sector and will not identify individuals.
ACS is obligated by statute (Associations Incorporation Act 1991) to make available for inspection by the members of ACS the Prescribed Information in its Register of members. Prescribed Information includes the name and address of each member.
Marketing ACS products and services is important for us to fulfil our role. We use a number of direct marketing strategies and channels including email, mail, SMS, social media and telephone.
ACS will from time to time enter into contractual agreements with other organisations to provide services/benefits to ACS members. On occasion, personal information on ACS members will be released to those contracted third parties for the purposes that the contract was entered into. Our contracted third parties may use similar marketing strategies and channels as ACS. Members have an Opt In option on ACS' website to grant consent to receive such third party communications. Also, ACS will be expanding its options for members to choose which third party communications they would like to receive and the frequency. Non-members can use the unsubscribe option available on marketing communications.
Likewise, members and others who have registered for an ACS event have an Opt In option to receive SMS communications (typically reminders for events).
ACS will never sell, trade, lease or rent any personally identifiable information to other organisations except as stated and agreed when collecting information from members or other persons.
ACS reserves the right to communicate with members about the substantive affairs of the organisation.
Protection of Personal Information
Securing and protecting data is an issue that ACS takes very seriously. We have implemented technology and security processes to protect the personal information that we collect and we take all reasonable steps to protect it. Our websites have electronic security systems in place, including the use of firewalls and data encryption. User identifiers and passwords are also used to control access to your personal information.
- data is encrypted at rest in all our systems
- data is encrypted in transit
- audit records track access to data stored in the cloud
- two-factor authentication is required for member and customer data access
- access is restricted to only those members of staff who require access for their role
- strict policies govern how and when member and customer data is accessed and under what circumstances
ACS member and customer data is held in the Cloud by a number of providers. Our CRM provider stores data outside of Australia, so potentially Privacy Principle 8 (cross-border disclosure of personal information) applies. However, the ACS maintains effective control of what, where and when its data is disclosed and to whom, as this provider is a ‘user’ not a ‘discloser’. This, in combination with technical controls mentioned above, means that the requirements of Privacy Principle 8 do not apply. This does not lessen our vigilance on privacy. (Note that our CRM provider has been certified by the Australian Signals Directorate through their ASD Certified Cloud Services program).
ACS' agreements with our cloud providers address compliance with Australian Privacy Laws and any amendments to those laws. We are confident that the providers will maintain administrative, technical, and physical safeguards to help protect the security, confidentiality and integrity of member and customer data consistent with applicable requirements of Australian Privacy Laws.
ACS limits physical access to its offices. We maintain all personal information, including membership and 'in-house’ mailing lists, subscriber details and web server logs, in controlled environments that are secured against unauthorised access. Proof of identity is required before information is released to any person, including a member.
ACS servers are located in an ISO 27001 (Information Security Management System) certified facility.
Collect, Update, or Delete Personal Information
Every effort is made to ensure that personal information held is current, accurate and complete. In particular, members can access, and are expected to update as necessary, their contact details and professional development activities through the ACS website.
ACS acknowledges that ICT professionals may suspend and reactivate their ACS membership as they move through experiences and employment and ACS will retain personal information for reasonable periods to assist in this process. Additionally, ACS acknowledges the merit in keeping metrics on the assessment of ICT skills and will also retain personal information on skills assessment applicants for reasonable periods. Outside of reasonable retention, we will destroy or permanently de-identify personal information. We will also do the same on lawful request.
Access to Personal Information
Any individual has the right to seek access to personal information we hold on them.
Members can readily access and amend as necessary their own personal information by visiting MyACS on the ACS website.
Non-members can access the personal information we hold on them by contacting the ACS Privacy Officer (details above), either in writing or by email. The person seeking access will be asked to verify their identity before the information is released.
Contracts with Service Providers
Complaints concerning the collection, disclosure or handling of your Personal Information by ACS should be addressed to the ACS Privacy Officer (details above). Any complaint should include the date, time and circumstances of the matter, how you believe your privacy has been invaded and how you would like your complaint resolved.
The Privacy Officer will attempt to resolve the complaint within 5 business days but this timeframe may be extended if further information is required from the complainant and/or an involved third-party. In managing the complaint, the Privacy Officer will follow principles of procedural fairness.
If the complaint is not resolved to your satisfaction you can refer it to the Office of the Australian Information Commissioner. Such complaints generally are resolved through conciliation.