Updated: 10 March 2020
The Award Tracking Application (ATA) is strongly committed to protecting your privacy when you interact with us, our content, products and services.
Our goal is to provide Scouts Australia’s Management, Leaders, Youth Members and families with information about each Youth Member’s Award progress. We also provide reports to help Management and Leaders plan and assist Youth Members in attaining Awards. Sometimes this means that we use information that you provide to us about yourself to customise the information displayed and the reports. We do this to improve the meaningfulness and accuracy of the information displayed and of the reports. In providing our services to you, the ATA will be transparent about how and why we collect and use your information. In some cases, if you do not want us to collect or use your information in a particular way, then we will give you the opportunity to say so.
The ATA will review this policy regularly, and may update it from time to time. If we make changes, we will post those changes on the privacy page of the ATA’s application.
The ATA collects personal information about you:
Broadly, there are two types of information or data we collect:
You may be able to make changes to the information you provided us (for example, if you change your email address). We will make it clear how you do that.
This information helps us improve our services by learning what our audiences use and don’t use. It can also help us identify if there are any problems with our services that need fixing.
At this time the ATA does not use ‘cookies’. ‘Cookies’ are small files that are stored on your browser.
Most of the data we collect is aggregated, and this information is effectively anonymous to us.
In some cases, we may collect data that can be linked to you individually. For example, when you log in to the ATA as a registered user, we may store records of information such as the pages you viewed or links you clicked on.
Though surveys usually collect aggregate data, we will make it clear to you if any survey information is being collected in a way that could personally identify you.
The ATA will not disclose your personal information to third parties.
You have the right to request access to personal information that is held by the ATA about you. Requests for access will be dealt with by the ATA in accordance with the Freedom of Information Act 1982.
You also have the right to request the correction of any of your personal information that the ATA holds. The ATA will take reasonable steps to make appropriate corrections to personal information so that it is accurate, complete and up-to-date. To seek access to, or correction of, your personal information please contact:
We will never knowingly send you unsolicited commercial electronic messages. More information on the Spam Act 2003 is available from the regulator’s website: www.acma.gov.au/spam
The ATA will take all reasonable and practicable steps to ensure that your personal information is properly protected from misuse or loss, and unauthorised access, modification or disclosure.
The privacy and security features of the ATA include:
We encourage you to be vigilant about the protection of your own personal information when using third party digital services (such as social media platforms). As far as reasonably practicable, we will make sure that our relationships with those third parties include appropriate protection of your privacy.
The ATA employs a range of technical ways to ensure the security of the system and the data that is stored. Some of these are:
The ATA is hosted by Metawerx Pty Ltd in a secure Vocus Pty Ltd data centre. The data centre and server are ISO 27001 certified. A vulnerability management system is in place, with daily upgrades according to Linux releases, while Tomcat and other services are upgraded manually after testing. Security vulnerability reports are received weekly and are reviewed for any vulnerabilities that affect the software being run. Very minimal software is used on the servers apart from Tomcat and MySQL/PostgreSQL. Systems are also run in AppArmor sandboxes, preventing key software from being able to affect the underlying operating system. An intrusion detection system is in place to report on lateral movement. There are 2 different types of proactive IDS systems, and rootkits and unauthorised logins are also scanned for. IPs are blocked based on heuristic analysis of TCP/IP traffic and on IP address ranges using 4 separate blacklists. Any data breach is reported to the customer immediately after detection. This report is passed on to all affected parties.
The ATA does not use a “cookie” system at this time.
A data breach covered by the Award Tracking Application (ATA) occurs when personal information is lost or subjected to unauthorised access or disclosure. For good privacy practice purposes, this response plan also covers any instances of unauthorised use, modification or interference with personal information held by the ATA. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals and entities.
This response plan is intended to enable the ATA to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the notifiable data breaches (NDB) scheme that commenced on 22 February 2018. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.
The plan sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist the ATA to respond to a data breach.
Some data breaches may be comparatively minor, and able to be dealt with easily.
Directors should use their discretion in determining whether a data breach or suspected data breach requires escalation. In making that determination, consider the following questions:
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
There are four key steps to consider when responding to a breach or suspected breach.
Steps 1, 2 and 3 should be undertaken either simultaneously or in quick succession. At all times, consider whether remedial action can be taken to reduce any potential harm to individuals.
Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.
Following serious data breaches, a post-breach review will be conducted to assess the ATA’s response to the breach and the effectiveness of this plan. The post-breach review report should identify any weaknesses in this response plan and include recommendations for revisions.
Step 1: Contain the breach:
Step 2: Assess the risks for individuals associated with the breach:
Step 3: Consider breach notification:
Step 4: Review the incident and take action to prevent future breaches:
The ATA welcomes feedback about privacy issues and will attend to all questions and complaints promptly.
You can contact the ATA about any privacy issues as follows:
Page last updated 10 March 2020