PRIVACY POLICY

Identity Care Australia & New Zealand Ltd. (IDCARE) affirms its commitment to the laws and
regulations of Australia and New Zealand in relation to Privacy, including Australian Privacy Principles,
Guidelines and Best Practice.

The privacy policy may be downloaded here.

This Privacy Policy covers:

  • What information we collect about you
  • The circumstances under which we are permitted to share information
  • How long we retain the information
  • How you can request that the information be deleted and how you can make a complaint
  • How you can get help in understanding this policy.

Statement of Affirmation

Identity Care Australia & New Zealand Ltd. (ABN 84 164 038 966), IDCARE Limited (4918799) and IDCARE Foundation Ltd (ACN 678 651 986) referred to herein as IDCARE, affirm our commitment to the privacy laws, regulations and principles of Australia and New Zealand.

About this Privacy Policy

This Policy is about your information and the information IDCARE requires about you to perform our services. This Policy informs you about the personal information we collect, retain, use, and share with others. It’s important that you understand this policy and how you can tell us if you object. If there is anything you do not understand or you would like to have some or all of the policy explained to you, please ask the IDCARE officer you speak to, or email us at privacy@idcare.org.

Business Purpose

Privacy laws mention terms like “business purpose” when it comes to collecting personal information. IDCARE’s primary business purpose is providing benevolent services to community members impacted by identity theft, cybercrimes, and scams. This includes case management (working with individuals to respond to risks), response and protection services (engaging others on your behalf to reduce risks relating to the misuse of your identity) and informing organisations on how they can improve their response efforts to reduce harm to people in the future. We also connect with the community and educate individuals and organisations about what’s occurring, how to prevent this, and how to respond.

Business Purpose

If all or some of the personal information in the following section is not collected, then IDCARE may not be able to provide you with accurate and relevant assistance.

What We Collect, Why and How

To enable us to perform our business purpose, IDCARE collects personally identifiable information in the following ways:

Case Management, General Enquiry, Subscriber Enquiry and Get Help Web-Forms

  • Contact information – your first name, phone number and email address are collected so that we can contact you (including if the line drops out), assist you, and provide you with information relevant to your matter.
  • Basic demographic information – your postcode, country of residence, gender identity and age range are collected if you agree to provide it, for research and analysis purposes and to help us understand trends associated with scams, identity theft and cyber misuse.
  • Other information – attributes relating to the exposure or misuse you experienced are collected to enable IDCARE to provide you with relevant information and assistance.
  • Digital device and online information – attributes such as IP address, device identifiers, browser type, geo-location approximation, site usage statistics, and online site pathways to IDCARE’s Get Help Form, are collected to help us understand whether the crimes people confront are targeting specific devices, applications, and locations.

Case Management call recordings

Case management calls to and from IDCARE may be recorded. We tell people when this happens and give them the opportunity to not have the call recorded. If the call recording is turned off, clients will not be disadvantaged in using IDCARE’s services. We record calls so that we can help our Case Managers learn and develop. Senior staff and mentors review the content of case management calls, evaluate the response advice shared, the client reactions and impacts from advice provided, and the adequacy and accuracy of the content.

Website usage  

IDCARE’s websites (www.idcare.org and www.idcare.org.nz) store cookies on your computer. You may disable these cookies when on those sites and it will not impact your access and use of the IDCARE website. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customise your browsing experience and for analytics and metrics about our visitors to our websites and social media platforms.

Some internet search engines also collect limited information relating to access to IDCARE’s websites. This includes: Google Analytics (Universal Analytics) with anonymized IP; Google Analytics 4; Google Analytics Advertising Reporting Features; Google Analytics Demographics and Interests reports; and Sendgrid. We use this information to improve your browsing experience and for analytics and metrics about visitors to our websites and their interaction with IDCARE web resources.

IDCARE utilises the third-party tool JotForm to create web hosted forms which are embedded on our website. These forms facilitate many of IDCARE’s web hosted tools (Individual and Small business cyber security assessments and scream at a scammer) and engagement avenues (Organisation incident response engagements and CROC engagements). The information entered into these tools is used to facilitate their associated use cases. Information entered by form responders, although stored within JotForm’s systems, is solely managed by IDCARE. Any contact information entered into JotForm via an IDCARE form is not gathered, sold, or used by JotForm. For more information, JotForm’s Privacy Policy is available here: https://www.jotform.com/privacy/.

IDCARE utilises Zoho Analytics (Zoho) as a provider of web-based dashboarding software. Views created with Zoho may be embedded on the IDCARE website for specific case management, analytics and other commercial purposes (including public engagement, prevention and awareness campaigns). The information that informs these views is taken from client data in our case management system, however any personal identifiers (contact information) are removed before being sent to Zoho, ensuring your details are not gathered, sold or used by Zoho. Zoho has two data centres located in Australia (Melbourne and Sydney). More information related to Zoho’s privacy policy can be located here: https://www.zoho.com/privacy.html#long.  

IDCARE utilises Knack as a provider of cloud-based database management and portal software. Our end-solution for subscribers is hosted and accessed via the IDCARE website to deliver key insights, products, and commercial services. The information held in Knack is stored in their data centre in Sydney, Australia. More information related to Knack’s privacy policy can be located here: https://www.knack.com/privacy/.

Technical network and device remediation services and “eDiscovery”  

We can provide individuals and organisations with remediation services for devices (e.g. mobile phone, tablet or computer) and networks that have been impacted by cyber misuse; we call this Cyber First Aid. These remediation services are subject to additional Terms & Conditions, which are also consistent with the provisions of this Policy. To provide these remediation services we may collect further information, including:

  • device security settings,
  • application security settings (such as email and social media),
  • hardware information such as:
    - device identification
    - serial numbers
    - MAC address
    - CPU
  • browser security settings,
  • log files,
  • application information,
  • anti-virus and anti-malware information,
  • operating system information and patch version.

Upon completion of Cyber First Aid, a Certificate of Completion may be issued. IDCARE does not share this Certificate with any third parties; it is sent to you via the email address you provide to IDCARE. You may share this Certificate with third parties such as banks or financial institutions as proof IDCARE has completed the Cyber First Aid process on the relevant device.

This Certificate of Completion will contain:

  • Your first name only
  • Your IDCARE unique service identifier (case number)
  • Device type and operating system
  • A brief description of the processes carried out and any actions taken.

IDCARE may de-anonymise and aggregate the data collected during the Cyber First Aid process and provide summaries, reports and analysis to third parties including, but not limited to, subscribers and commercial partners.

Identity Verification  

If you would like IDCARE to speak to other organisations on your behalf, you may be required to provide consent for this to occur in writing and complete an identity verification process. This process requires IDCARE to view your identity documents or related information. We request this information so that we can assure ourselves of your identity in order to act on your behalf. Identity verification data is only obtained with your consent and will include some (not all) of the following types of information:

  • Facial image
  • Full name
  • Date of birth
  • Place of birth
  • Telephone number
  • Residential address
  • Email address
  • Employer’s name
  • Driver licence number, card number, and expiry date
  • Passport number and expiry date (if no Australian or New Zealand Driver Licence)
  • Proof of Age Card (if no Australian or New Zealand Passport or Driver Licence)
  • ImmiCard (if no Australian or New Zealand driver licence)
  • New Zealand Certificate of Identity (if no New Zealand driver licence)
  • Medicare number and Expiry Date.

Verification processes also rely on searching personally identifiable information, including sensitive biometric information, provided to IDCARE by individuals against third party information sources, including identity validation and verification services.

Client Portal  

IDCARE manages a Client Portal, directly or via third-party hosted commercial arrangements (such as Microsoft Azure services), which provides a single online identity management system for individuals who opt-in to that system. If you are offered access to the Client Portal, you must first undertake an enrolment process as outlined in the Client Portal Terms & Conditions. These are consistent with the privacy provisions of this Policy. Users of IDCARE’s Client Portal must first agree to these Terms & Conditions.

Any additional protection and response services offered via the Client Portal are subject to separate IDCARE or third party (if delivered by third parties) Terms and Conditions. Where such services rely on responses by third parties, such as Credit Reporting Agencies, law enforcement, financial institutions, and identity credential issuers, individual users will be subject to the third-party Terms & Conditions and Privacy Policy provisions. This will be made clear in the relevant IDCARE Terms & Conditions.

Monitoring and profiling alerts

With your consent, IDCARE may send you alerts in relation to changes detected in your personal information or account usage if detected by IDCARE monitoring, profiling, and protection services. The Alerting function requires users to permit IDCARE to send the change notifications to a confirmed mobile phone number and/or email account and/or via an App push notification. The Alerting function within the Client Portal is subject to its own Terms & Conditions but is also consistent with the provisions of this Policy where privacy matters are concerned.

Collection and use of sensitive information

Except as otherwise outlined in this policy, IDCARE does not generally request sensitive information. However, in providing specialist support services, IDCARE may collect, use and disclose sensitive information (for example, if you share sensitive information with us when using our services).  IDCARE will only collect sensitive information where it is reasonably necessary for its functions and activities or where we are legally required according to the appropriate legislation. We will obtain your consent before collecting sensitive information unless a lawful exemption applies.  IDCARE will only use or disclose sensitive information for the purpose for which it was collected, or for a directly related purpose that you would reasonably expect.

Collection and usage of biometric/facial imagery

IDCARE captures facial imagery as part of the identity verification process outlined above, if you have provided consent for IDCARE to act on your behalf to contact organisations. Because most identity theft involves the compromise of common identity credential information (such as driver licences and passports), the collection of facial imagery is an important addition to our identity verification process and is matched against third-party templates in a manner that does not involve the retention by that third-party of the templated biometric (i.e. the measure of an individual’s face). We do this to reduce the risk of threat actors impersonating you in order to access further information about you via IDCARE services (something we know impacts other organisations) or deceive IDCARE into contacting other organisations with information about you.

Verification involves requesting of third parties whether the biometric template IDCARE has collected about you is consistent with the biometric template and the related personally identifiable information that is held by the third-party (such as name, date of birth, driver licence or passport number and address). Third parties that receive these requests from IDCARE include Government identity credential issuers, financial institutions, telecommunications providers, and digital identity issuers and verifiers. IDCARE may deny access to specific services or request an individual to provide alternative information to assist the verification assessment if inconsistencies are found and cannot be resolved.  

    Sharing of personally identifiable information with third parties (“Sharing Provision”)

    IDCARE may share personally identifiable information with third parties, such as law enforcement, financial institutions, Government agencies (including identity document issuing agencies) and other identity repair response organisations in the following circumstances:

    • where you have consented for IDCARE to share such information; and/or
    • where it is assessed by IDCARE to be a situation where an individual has an immediate threat to their life (for example, a client is assessed to be at imminent risk of self-harm and IDCARE reports this instance to local law enforcement or another service provider to conduct a physical welfare check); and/or
    • where IDCARE is permitted or required by law, such as if IDCARE has been issued with a subpoena, warrant or related legal request from a Court or relevant law enforcement body, or IDCARE reasonably believes the use or disclosure of the information is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.

    Identity protection and alerting services

    Third parties may search against IDCARE’s verification holdings where agreements are in place between IDCARE and:

    • the third party and such searching is conducted in a manner consistent with this Privacy Policy and the Terms & Conditions of any relevant IDCARE service the individual has provided consent to use; or
    • IDCARE is otherwise permitted or required by law, such as where it has a reasonable belief that disclosure is reasonably necessary for enforcement related activities conducted by an enforcement body.

    Cost-recovered services

    Services that are cost recovered are subject to their own Terms & Conditions which are consistent with this Policy. Cost-recovered services may be delivered solely by IDCARE or in conjunction with a third party and require users to make payment and provide personally identifiable information to IDCARE, such as name, contact details, and payment information, in order for IDCARE to perform the service.

    Payment is made via a third-party payment processing platform. 128-bit encryption is used in the processing of such payments and at no point does IDCARE collect, store, or share such payment information. Users of this service must agree to the terms and conditions of the third-party payment platform including their own Privacy Policy (a relevant link has been provided on this payment gateway).

    Personally identifiable information protection

    IDCARE will take all reasonable care to protect personally identifiable information provided by clients. IDCARE annually undertakes risk assessments in relation to our collection, storage, sharing, and destruction of personal information (guided by the ISO 31000 standard on risk management).  
    IDCARE operates a “defence in depth” approach to the information it collects, stores, and communicates, including, but not limited to:

    • All data transmitted over the internet is sent over HTTPS,
    • Cloudflare is used extensively to block potentially malicious requests,
    • Rate limits on APIs are implemented at both the code level and via Cloudflare,
    • Regular security scans are performed to identify code or configuration vulnerabilities,
    • Firewalls are employed to limit access to services running on Microsoft Azure,
    • All handling of personal information by staff is subject to specific policies and guidelines which are reviewed regularly for compliance,
    • Data at rest is encrypted,
    • Staff are regularly assessed and educated about cyber security threats and threat responses,
    • Any and all investigations regarding malicious code, sites and dark net actions are performed using external networks, interfaces and unattributable settings.

    Retention of personally identifiable information

    You may request at any time that information IDCARE has about you be permanently deleted (see next section).  

    IDCARE only retains personal information for the purposes of assisting you and protecting and responding to risks relating to such information. We retain records for 7 years in accordance with best practice document retention guidelines. Case information is anonymised and retained for statistical analysis, such as time series analysis. This information is backed up periodically and stored in an environment that is not networked or Internet-enabled.

    If IDCARE receives unsolicited information, we will determine whether it would have been permitted to collect the information. If not, we will destroy the information as soon as practicable.

    Access, deletion, correction, feedback and complaints

    If you wish to access information collected by IDCARE relating to your circumstances, seek correction of information held about these circumstances, have your personally identifiable information deleted, or make a complaint about how we have dealt with your matter, please send a written request, including your case number, to:

    • Privacy Officer IDCARE PO Box 412 Caloundra QLD 4551 Australia

    Requests may also be sent using our feedback form, accessed at www.idcare.org, with the words “Attn: Privacy Officer” in the subject line, or by emailing privacy@idcare.org directly.

    To assist IDCARE in responding to your request we would be grateful if you could provide your IDCARE Case Number (if relevant) and the estimated date of your engagement with IDCARE.

    If we have not resolved your issue to your satisfaction and within our responsibilities, complaints about IDCARE and the handling of your personal information may be made to the relevant Privacy Commissioners in Australia and New Zealand: (www.oaic.gov.au / ph: 1300 363 992 and www.privacy.org.nz / ph: 0800 803 909). These organisations have extensive materials about your privacy rights and response considerations.

    CONTACT US

    IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.   

    Get help
    ONLINE FORM

    Submit a web request

    Call our AUSTRALIAN
    NATIONAL CASE MANAGEMENT CENTRE

    1800 595 160

    Mon - Fri: 8am - 5pm AEST

    QLD: 07 3555 5900
    ACT & NSW: 02 8999 3356
    VIC: 03 7018 2366
    NT, SA & WA: 08 7078 7741

    Call our NEW ZEALAND
    NATIONAL CASE MANAGEMENT CENTRE

    0800 121 068

    Mon - Fri: 10am - 7pm NZST

    AKL: 09 884 4440