NTT ICT is committed to managing the personal information it collects from you, in compliance with the Australian Privacy Principles of the Privacy Act 1988 (Cth) (Privacy Act) and any other applicable law. This document describes NTT ICT’s policy for the collection and management of personal information. Personal information is information which identifies an individual or information from which a person’s identity can reasonably be ascertained.
In this document, 'NTT ICT', 'we', 'us' and 'our' means NTT Com ICT Solutions (Australia) Pty Ltd ACN 059 040 998, NTT Com ICT DC Solutions (Australia) Pty Ltd ACN 100 796 405 and NTT Australia Pty Ltd ACN 081 031 432 (the ‘NTT ICT entities’).
Collection of personal information
NTT ICT collects personal information so we can inform our customers and prospective customers about our products and services and provide those products and services.
Directly from you:
NTT ICT collects personal information directly from you when we deal with you in person, when you send us correspondence, when you register to attend one of our conferences or events, and via our websites. Generally, the personal information we collect includes your name, contact details, customer details, job title, records of any communications and interaction with us, and the products or services you’re enquiring about. You can choose not to provide us with some or all of this information, but doing so may affect your ability to use our websites and our ability to provide you with the products and services you have requested.
Where you apply for a job with NTT ICT, in addition to your name, contact details, employment history and qualifications, we may also collect sensitive information about you, such as your criminal record. NTT ICT will only collect sensitive information with your consent and in compliance with the Privacy Act or any other applicable law.
From a third party:
NTT ICT may also collect your personal information from a third party who is an NTT ICT customer, such as your employer, so we can provide information, services or products to that NTT ICT customer, or from companies contracted by us to provide products and services to you. We may also collect your personal information for our direct marketing activities from publicly available records or from an entity to whom you’ve provided the information for direct marketing purposes.
Use of Personal Information
NTT ICT will only use your personal information:
- for the purposes of our or a third party’s legitimate commercial interest. Examples of legitimate commercial interests include:
- where the use of your personal information is necessary to enable us to comply with a legal or regulatory obligation (for example, where we are required to undertake vetting to comply with safety and security regulations, or where we are required to disclose personal information to a court or tax authority).
- making improvements to our products and services;
- providing you with the information you request;
- providing a product or service to a third party with whom you are associated or who is permitted to share your personal information with us;
- performing our obligations under a contract with you or a third party with whom you are associated, or to take steps to enter into a contract with you (for example, we will need to use your name and contact details in order to provide to you the products and/or services you have ordered);
NTT ICT may use your personal information:
- to provide professional and information technology services and software to you or the businesses with whom you are associated;
- to maintain contact with customers, prospective customers and others;
- to inform you of our products, services and seminars and other events;
- for business activities including marketing, product and service development and recruitment;
- for business operations and administration; or
- for business to business direct marketing.
Where we are permitted to do so by law, we may process your personal information for a purpose other than the purpose for which we collected it. In this case we will provide you with information on that other purpose and with any other information regarding that further processing.
Where NTT ICT uses personal information for business to business direct marketing, it does so in accordance with the Privacy Act. You may notify us if you do not wish for us to use your personal information in our direct marketing. In each written communication, we will set out our business address and telephone number and electronic contact details for you to contact us.
Disclosure of Personal Information
NTT ICT may disclose your personal information to third parties:
- as permitted by law;
- to our related bodies corporate or associated entities; or
- for any other purpose to which you consent.
Third parties who may receive your personal information from us include but are not limited to:
- other NTT ICT entities, in order to offer you a more consistent and personalised experience in your interactions;
- third parties who are contracted to NTT ICT, in order to provide part of the products and services we are contracted to provide to you or to a business with which you are associated;
- our service providers and other third parties who provide business, marketing and other services to us (for example, marketing organisations which carry out marketing initiatives or run customer surveys on our behalf);
- our professional advisers such as accountants, lawyers, insurance brokers and bankers;
- a third party appointed by or to us in relation to a reorganisation, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets or stock;
- regulators, courts/tribunals, law enforcement agencies and other governmental authorities of any country or any other recipients as required or permitted by any law; and
- other visitors of our website when you post comments or questions on our public forums which do not have restricted access. We urge you to exercise caution when deciding to post any personal information on our public forums.
DISCLOSURE OF PERSONAL INFORMATION OVERSEAS
NTT ICT maintains servers and systems in Australia and overseas. The nature of our business means that it is sometimes necessary for us to send your personal information overseas.
We may subcontract the processing of your data to, or otherwise share your data with, third parties (such as related bodies corporate and associated entities and service providers) in Australia or countries other than Australia, including but not limited to Japan, Singapore, France, Spain, United Kingdom, Germany, China, United Arab Emirates or the United States. NTT ICT takes reasonable steps to ensure that those overseas recipients protect your privacy and the security of your personal information and use it only for the purpose for which it is disclosed to them.
Notifiable Data Breach
A data breach is an occurrence where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus).
In the case of any data breach or suspected data breach, NTT ICT will undertake an assessment to determine if an eligible data breach has occurred in accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017. In doing so, NTT ICT will consider if the incident is likely to result in serious harm to any individuals.
Reasonable steps will also be taken to ensure that the assessment is completed within 30 days from when it was first suspected that an eligible data breach may have occurred.
If an eligible data breach has occurred, a notification statement will be provided to the Office of the Australian Information Commissioner (OAIC), and the affected individuals. Notification statement will contain the following:
- Organisation and contact details;
- a description of the eligible data breach that NTT ICT has reasonable grounds to believe has occurred;
- the kind of information concerned;
- recommendations concerning the steps that individuals can take in response to the eligible data breach; and
- if NTT ICT believes that the eligible breach also affects other organisations, it will provide the identity and contact details of those organisations.
Security and Retention of Personal Information
NTT ICT places a high degree of importance on digital security. We take reasonable steps to protect any personal information that we hold from misuse and loss. We also take reasonable steps to protect it from unauthorised access, modification and disclosure. Any information or data provided to NTT ICT is stored in a secure environment, with access restricted to authorised NTT ICT employees. NTT ICT’s systems have up to date hardware and software security measures.
We may keep an anonymised form of your personal information, which will no longer refer to you, for statistical purposes and without time limits, to the extent that we have a legitimate and lawful interest in doing so.
Anonymity and Pseudonymity
You have the option of not identifying yourself or of using a pseudonym when dealing with NTT ICT, however if you do so it will be impracticable for NTT ICT to provide you with information or business to business services, including those which require us to enter into a contract with you.
We will handle all of your requests regarding your personal information in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal information involved, there may be legal reasons why we cannot grant your request. Further explanation of those rights and some of the exceptions to them are set out below.
You may request access to your personal information held by NTT ICT. If you notify NTT ICT that your personal information is not accurate, we will take reasonable steps to correct that information if we agree it is inaccurate. Under the Privacy Act, NTT ICT must provide our written reasons if we refuse your request for access to, or correction of, the personal information held by us.
Please contact us to exercise these rights. We will consider your request and respond to you within 30 days. Regardless of whether you are a resident of the EU or another country, we may charge you a small fee and will require verification of your identity before providing a copy of your personal information. We will only grant your request where we are permitted by law to do so and where we do not have a lawful and legitimate reason to refuse.
If we hold or receive your personal information within the European Economic Area (EEA), we may transfer your personal information outside the EEA for the purposes described above. We may transfer your personal information to countries where under their local laws you may have fewer legal rights than within the EEA. We will take reasonable steps to ensure that the recipients protect your privacy and the security of your personal information and use it for the purpose for which it is disclosed to them. For example, our third party providers are bound by data transfer agreements which provide for security standards at least as strict as those set out in the EU Commission approved Standard Contractual Clauses. When we transfer your data outside of the EU we comply with our standard security protocols which include ISO 27001 certification and adherence to any additional standards which our customers may require. Please contact us for more information on these standards.
If we hold or receive your personal information within the European Economic Area (EEA), you have the right to:
- request information on and access to all the personal information we hold about you. We may not always be able to grant your request, for example, we will not provide you with access to your personal information if it contains personal information relating to others who have not consented to that disclosure or if your personal information is legally privileged;
- request that your personal information is corrected if it is inaccurate;
- object to, request restriction of or withdraw consent at any time in relation to, certain types of processing of your personal information which we carry out, including the right to opt-out of any direct marketing. Please note that your right to withdraw consent does not affect our lawful right to have processed the personal information based on your consent before you withdrew it. If you withdraw your full consent for us to use your personal information we may not be able to provide all or parts of the products and services you have requested from us. We may continue to use your personal information without your consent where required or permitted by any law;
- request that we delete your personal information. To do this we will remove the information that identifies you from the data we hold in our active systems (“anonymise”). However, a separate and restricted access copy of the identifying information will be kept for 7 years to meet the obligations we have under certain laws; and
receive a copy of your personal information in a machine readable, commonly used format or to request we transfer your personal information in such a format to a third party service provider.
How to contact us
Privacy and Data Protection Officer
Level 19, 321 Kent Street, Sydney
New South Wales, 2000
General information about privacy may be obtained from the Office of the Australian Information Commissioner at www.oaic.gov.au and on 1300 363 992. You may also contact the Office of the Australian Information Commissioner if your concerns about access to and correction of personal information are not resolved to your satisfaction.
If you are a resident of the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection authority. We invite you to contact us before doing so as we may be able to resolve any issues with you directly and quickly.