Award Tracking Application Privacy And Security Policy

Updated: 10 March 2020

The Award Tracking Application (ATA) is strongly committed to protecting your privacy when you interact with us, our content, products and services.

Our goal is to provide Scouts Australia’s Management, Leaders, Youth Members and families with information about each Youth Member’s Award progress. We also provide reports to help Management and Leaders plan and assist Youth Members in attaining Awards. Sometimes this means that we use information you provide to us about yourself to customise the information and reports displayed to you. We do this to improve the meaningfulness and accuracy of that information and those reports. In providing our services to you, the ATA will be transparent about how and why we collect and use your information. In some cases, if you do not want us to collect or use your information in a particular way, we will give you the opportunity to say so.

The purpose of this Privacy Policy is to explain:

1. Application of this Privacy Policy

The ATA’s Privacy Policy applies to personal information collected by the ATA, whether we have asked for the information or not. The ATA is governed by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

The ATA will review this policy regularly, and may update it from time to time. If we make changes, we will post those changes on the privacy page of the ATA’s application.

2. Collection and use of personal information

2.1 Why we collect personal information

The ATA collects personal information about you:

2.2 How we collect information when you use the ATA

Broadly, there are two types of information or data we collect:

3. Disclosure of personal information

The ATA will not disclose your personal information to third parties.

4. Accessing your personal information

You have the right to request access to personal information that is held by the ATA about you. Requests for access will be dealt with by the ATA in accordance with the Freedom of Information Act 1982.

You also have the right to request the correction of any of your personal information that the ATA holds. The ATA will take reasonable steps to make appropriate corrections to personal information so that it is accurate, complete and up-to-date. To seek access to, or correction of, your personal information please contact:

5. Use of your personal information to contact you

We will never knowingly send you unsolicited commercial electronic messages. More information on the Spam Act 2003 is available from the regulator’s website: www.acma.gov.au/spam

6. Protection of your personal information

The ATA will take all reasonable and practicable steps to ensure that your personal information is properly protected from misuse or loss, and unauthorised access, modification or disclosure.

6.1 Protection of your personal information

The privacy and security features of the ATA include:

We encourage you to be vigilant about the protection of your own personal information when using third party digital services (such as social media platforms). As far as reasonably practicable, we will make sure that our relationships with those third parties include appropriate protection of your privacy.

6.2 Technical Security Features

The ATA employs a range of technical measures to ensure the security of the system and the data that is stored. Some of these are:

6.3 Data Centre and Server Details

The ATA is hosted by Metawerx Pty Ltd in a secure Vocus Pty Ltd data centre. The data centre and the server are ISO 27001 certified.

A vulnerability management process is in place: the operating system is upgraded daily as Linux distribution releases become available, while Tomcat and other services are upgraded manually after testing. Security vulnerability reports are received weekly and reviewed for any vulnerabilities that affect the software being run. Very little software is installed on the servers apart from Tomcat and MySQL/PostgreSQL, which keeps the attack surface small. Services are also run in AppArmor sandboxes, which confine key software so that a compromised service cannot affect the underlying operating system beyond what its profile permits.

Two different proactive intrusion detection systems are in place to report on lateral movement, and the servers are also scanned for rootkits and unauthorised logins. IP addresses are blocked based on heuristic analysis of TCP/IP traffic and on IP address ranges drawn from 4 separate blacklists.

Any data breach is reported to the customer immediately after detection, and that report is passed on to all affected parties.

7. Use of cookies

The ATA does not use a “cookie” system at this time.

8. Notifiable Data Breach Response Plan

For the purposes of this plan, a data breach occurs when personal information held by the Award Tracking Application (ATA) is lost or subjected to unauthorised access or disclosure. For good privacy practice purposes, this response plan also covers any instance of unauthorised use, modification or interference with personal information held by the ATA. Data breaches can be caused or exacerbated by a variety of factors, can affect different types of personal information, and can give rise to a range of actual or potential harms to individuals and entities.

This response plan is intended to enable the ATA to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals, and to comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), which commenced on 22 February 2018. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.

The plan sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist the ATA to respond to a data breach.

8.1 When should a data breach be escalated?

Some data breaches may be comparatively minor, and able to be dealt with easily.

Directors should use their discretion in determining whether a data breach or suspected data breach requires escalation. In making that determination, consider the following questions:

8.2 ATA data breach response process

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.

There are four key steps to consider when responding to a breach or suspected breach.

Steps 1, 2 and 3 should be undertaken either simultaneously or in quick succession. At all times, consider whether remedial action can be taken to reduce any potential harm to the individuals affected.

Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.

Following serious data breaches, a post-breach review will be conducted to assess the ATA’s response to the breach and the effectiveness of this plan. The post-breach review report should identify any weaknesses in this response plan and include recommendations for revisions.

8.3 ATA’s Data Breach Response Check List

Step 1: Contain the breach:

Step 2: Assess the risks for individuals associated with the breach:

Step 3: Consider breach notification:

Step 4: Review the incident and take action to prevent future breaches:

9. Privacy complaints and enquiries

The ATA welcomes feedback about privacy issues and will attend to all questions and complaints promptly.

You can contact the ATA about any privacy issues as follows:
