Welcome to our Privacy Policy. Your privacy is important to us.
Privacy and Confidentiality Policy
1.0 Purpose
ATEC is committed to protecting the privacy of personal information which the organisation collects, holds and administers.
Personal information refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable:
● whether the information or opinion is true or not; and
● whether or not the information or opinion is recorded in a material form
The purpose of this document is to provide a framework for ATEC in dealing with privacy and confidentiality considerations.
Information management systems rely on any necessary restrictions to the free circulation of information being respected by those into whose hands the information is entrusted.
2.0 Scope
This policy refers to:
● All employees of ATEC
● All Board Directors
● Current and potential ATEC partners
● All volunteers, contractors and those engaged on short term projects
3.0 Statement of Policy
ATEC collects and administers a range of personal information for the purposes of conducting its business. ATEC is committed to protecting the privacy of personal information it collects, holds and administers.
ATEC recognises the essential right of individuals to have their information administered in ways which they would reasonably expect – protected on one hand, and made accessible to them on the other. These privacy values are reflected in and supported by our core values and philosophies in line with the Privacy Act 1988 (Cth). ATEC will also abide by Privacy Laws in countries in which it operates.
ATEC is bound by laws which impose specific obligations when it comes to handling information. The organisation has adopted the following principles contained as
ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 1 of 9
minimum standards in relation to handling personal information.
ATEC collects and administers a range of information for a variety of purposes. Some of this information is restricted in its circulation for commercial, privacy, or ethical reasons.
ATEC will, to the extent permitted by relevant applicable privacy laws, place the minimum of restrictions on the information it holds, but will ensure that such restrictions as are considered necessary are observed by its staff and volunteers.
ATEC is responsible for oversight and regular review of this policy to ensure compliance with evolving privacy regulations and emerging technologies.
4.0 Processes
4.1 Collection of Information
ATEC will:
● Only collect information that is necessary for the performance and primary function of ATEC
● Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered
● Use and disclose personal information only for our primary functions or a directly related purpose, or for another purpose with the person’s consent ● Store personal information securely, protecting it from unauthorised access ● Provide stakeholders with access to their own information, and the right to seek its correction
● Collect personal information only by lawful and fair means and not in an unreasonably intrusive way
● Collect personal information from the person themselves wherever possible ● If collecting personal information from a third party, be able to advise the person whom the information concerns, from whom their personal information has been collected
● Collect sensitive information only with the person’s consent or if required by law. (Sensitive information includes health information and information about religious beliefs, race, gender and others)
● Collect sensitive information about an individual if such collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
○ is physically or legally incapable of giving consent to the collection ○ physically cannot communicate consent to the collection
● If ATEC collects information during the course of its activities the following conditions must be satisfied:
○ the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities ○ at or before the time of collecting the information, ATEC informs the individual whom the information concerns that it will not disclose the information without the individual’s consent
○ the collection must be necessary for the establishment, exercise or defence of a legal or equitable claim
● ATEC will collect health information about an individual if:
ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 2 of 9
○ the information is necessary to provide a health service to the individual ○ the information is collected as required or authorised by or under law and in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation
4.2 Use and Disclosure
ATEC will:
● Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose. For other uses, ATEC will obtain consent from the affected person
● In relation to personal information which has been collected, use the personal information for direct marketing, where that person would reasonably expect it to be used for this purpose and has given their consent
● In each direct marketing communication with the individual, ATEC draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications
● Ensure that any overseas providers of services are as compliant with privacy as ATEC is required to be. Such use and disclosures of information overseas will only be made if:
○ the overseas recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles ○ the individual consents to the transfer
○ the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre contractual measures taken in response to the individual’s request
○ the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party
○ the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles
● In relation to the overseas transfer of personal information, if it is impractical for ATEC to receive the person’s consent to that transfer, ATEC must have sufficient reasons to believe that the person would likely give consent could they be contacted
● Provide all individuals’ access to personal information except where it is a threat to life or health or it is authorized by law to refuse and, if a person is able to establish that the personal information is not accurate, then ATEC must take steps to correct it. ATEC may allow a person to attach a statement to their information if ATEC disagrees it is inaccurate
● Where for a legal or other reason we are not required to provide a person with access to the information, consider whether a mutually agreed intermediary would allow sufficient access to meet the needs of both parties
● Make no charge for making a request for personal information, correcting the information or associating a statement regarding accuracy with the personal information
● Each written direct marketing communication with the individual must set out ATEC's business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or
ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 3 of 9
address at which the organisation can be directly contacted electronically. ● If the disclosure of sensitive information is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety and it is impracticable for ATEC to seek the individual’s consent before the use or disclosure and the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A1the organisation may make such a disclosure
● If ATEC has sufficient reasons to believe that an unlawful activity has been, is being or may be engaged in, and the disclosure of personal information becomes a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, the organisation may make such disclosures
● ATEC may further disclose personal information if its disclosure is mandated by an enforcement body or is required for the following:
○ the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law
○ the enforcement of laws relating to the confiscation of the proceeds of crime ○ the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct
○ the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal
4.3 Storage
ATEC will:
● Implement and maintain steps to ensure that personal information is protected from misuse and loss, unauthorized access, interference, unauthorized modification or disclosure1
● Before ATEC discloses any personal information to an overseas recipient including a provider of IT services such as servers or cloud services, establish that they are privacy compliant. ATEC will have systems which provide sufficient security ● Ensure that ATEC's data is up to date, accurate and complete
● Store personal information using encrypted servers and ensure that any cloud or third-party storage providers meet international security standards (such as ISO 27001 or SOC 2).
4.4 Destruction and de-identification
ATEC will:
● Destroy personal information once is not required to be kept for the purpose for which it was collected, including from decommissioned laptops and mobile phones
● Change information to a pseudonym or treat it anonymously if required by the person whose information ATEC holds and will not use any government related identifiers unless they are reasonably necessary for our functions
● Ensure that destruction of digital records, including those stored on blockchain or in AI systems, follows industry best practices and is verifiable and auditable.
4.5 Data Quality
ATEC will:
1 https://www.nhmrc.gov.au/about-us/publications/guidelines-approved-under-section-95a-privacy-act-1988 ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 4 of 9
● Take reasonable steps to ensure the information it collects is accurate, complete, up to date, and relevant to the functions we perform
● Regularly audit data quality, especially for information processed by automated or AI-driven systems, to mitigate bias or errors.
4.6 Data Security and Retention
ATEC will:
● Only destroy records in accordance with the organisation’s Records Management Policy.
4.7 Openness
ATEC will:
● Ensure stakeholders are aware of ATEC's Privacy Policy and its purposes ● Make this information freely available in relevant publications and on the organisation’s website
● On request by a person, ATEC must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information
4.8 Access and Correction
ATEC will:
● Ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading or not up to date ● If the individual and ATEC disagree about whether the information is accurate, complete and up to date, and the individual asks ATEC to associate with the information a statement claiming that the information is not accurate, complete or up to date, then ATEC will take reasonable steps to do so
● ATEC will provide to the individual its reasons for denial of access or a refusal to correct personal information
● ATEC can withhold the access of an individual to his/her information if: ○ providing access would pose a serious and imminent threat to the life or health of any individual
○ providing access would have an unreasonable impact upon the privacy of other individuals
○ the request for access is frivolous or vexatious
○ the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings
○ providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations
○ providing access would be unlawful
○ providing access would be likely to prejudice an investigation of possible unlawful activity
○ an enforcement body performing a lawful security function asks ATEC not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia or countries in which ATEC operates
ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 5 of 9
● Where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision making process, ATEC may give the individual an explanation for the commercially sensitive decision rather than direct access to the information
● If ATEC decides not to provide the individual with access to the information on the basis of the above mentioned reasons, ATEC will consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties
● ATEC may charge for providing access to personal information. However, the charges will be nominal and will not apply to lodging a request for access
5.0 Identifiers
● ATEC will not adopt as its own identifier of an individual an identifier that has been assigned by any third party. It may however adopt a prescribed identifier by a prescribed organisation in prescribed circumstances
● ATEC will not use or disclose the identifier assigned to an individual by a third party unless:
○ the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or
○ the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.
6.0 Anonymity
ATEC will allow people from whom the personal information is being collected to not identify themselves or use a pseudonym unless it is impracticable to deal with them on this basis
7.0 Confidentiality
7.1 ATEC Partners
Just as you are careful not to disclose confidential ATEC information, it’s equally important not to disclose any confidential information from our partners. Don’t accept confidential information from other companies without first having all parties sign an appropriate Non-disclosure Agreement approved by the CEO or Board. Even after the agreement is signed, try only to accept as much information as you need to accomplish your business objectives.
7.2 Competitors/Former Employers
We respect our competitors and want to compete with them fairly. But we don’t require their confidential information. The same goes for confidential information belonging to any ATEC staff's former employers. If an opportunity arises to take advantage of a competitor’s or former employer’s confidential information do not do this. Should you happen to come into possession of a competitor’s confidential information, contact your manager or the CEO immediately. If the confidential information involves digital assets, AI models, or proprietary algorithms, immediately
ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 6 of 9
notify the International Leadership Team (ILT) for assessment and appropriate action.
7.3 Outside Communications
Our policy is to be extremely careful about disclosing confidential proprietary information. Consistent with that, you should also ensure your outside communications (including online and social media posts) do not disclose confidential proprietary information or represent (or otherwise give the
impression) that you are speaking on behalf of ATEC unless you’re authorized to do so by the company. The same applies to communications with the press.
Finally, check with your CEO before accepting any public speaking engagement on behalf of ATEC. In general, before making any external communication or disclosure, you should consult the CEO for advice.
8.0 Intellectual Property
ATEC's intellectual property rights (our trademarks, logos, copyrights, trade secrets, “know-how”, and patents) are among our most valuable assets. Unauthorized use can lead to their loss or serious loss of value. You must respect all copyright and other intellectual property laws, including laws governing the fair use of copyrights, trademarks, and brands. You must never use ATEC's logos, marks, or other protected information or property for any business or commercial venture without pre-clearance from the CEO. We strongly encourage you to report any suspected misuse of trademarks, logos, or other ATEC intellectual property to Management.
Likewise, respect the intellectual property rights of others. Inappropriate use of others’ intellectual property may expose ATEC and you to criminal and civil fines and penalties. Please seek advice from the CEO before you solicit, accept, or use proprietary information from individuals outside the company or allow them to use or have access to ATEC proprietary information. You should also check with the CEO if developing a product that uses content not belonging to ATEC.
Photographs taken for and by ATEC may also be considered confidential. Ensure that those pictures don’t disclose confidential information. Approval must be sought before using an individual’s photograph for ATEC
There are, of course situations or areas of activity that may not be clear under this policy. Here you will need to apply your best judgment in making sure you do not disclose any confidential information. If you’re in a grey area, be cautious in what advice or insight you provide or, better yet, ask for guidance from your Manager or the CEO.
Finally, some staff may have family connections or other personal relationships with people employed by our competitors or business partners. As in most cases, common sense applies. Don’t tell your significant other or family members anything confidential, and don’t solicit confidential information from them about their company.
ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 7 of 9
9.0 Organisational Responsibilities
Board of Directors
• Responsible for reviewing and approving this policy
CEO
• Ensures internal review, approval and policy
development
• Ensures implementation of the Policy at an
organisational level
• Monitors changes in Privacy legislation
• Advising on the need to review or revise this policy as and when the need arises
Management
Team
• Responsible for the oversight and implementation of the Policy for their respective division teams
• The Management team are also the first point of call for any privacy and confidentiality related grievances from ATEC staff or volunteers
• Ensuring relevance and currency of the Policy and program related procedures
All Staff
Members,
Contractors,
Consultants
and
Volunteers
• Responsible for ensuring that all actions comply with the Policy and subsequent procedures
• Ensure grievances are reported immediately to relevant ATEC staff and using the appropriate reporting
procedures
10.0 Complaints or concerns
Complaints or concerns from ATEC members or other stakeholders about this policy shall be reviewed by ATEC in accordance with the ATEC Complaints Handling Policy and Procedure.
11.0 Related Documents
ATEC Records Management Policy
ATEC Code of Conduct
ATEC Policy 014 - Privacy and Confidentiality Policy April 2025 Page 8 of 9
12.0 Version Control
ATEC will review and update this policy on a regular basis inline with ATEC's policy register, to ensure relevance and applicability.
Written By:
Reviewed By: Approved By:
Next review
date:
Person
Head of
ATEC Board
International Ops
Date
03/02/2021 17/02/2021
03/02/2023
Person
Chief of Staff ATEC Board
Date
30/04/2025
30/04/2027
