Privacy Policy

1. Introduction

ACT Cyber Pty Ltd (ABN 86 688 456 957) ("ACT Cyber", "we", "us", "our") is committed to protecting the privacy of personal information we collect, hold, use and disclose. This Privacy Policy explains how we manage personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the 13 Australian Privacy Principles (APPs).

As a cybersecurity consultancy delivering services to Australian Government, regulated sectors and commercial clients, ACT Cyber operates as if it were an APP entity under the Privacy Act, irrespective of any small business exemption that might otherwise apply.

This Privacy Policy applies to:

• visitors to our website (www.actcyber.com.au and related subdomains);
• prospective and existing clients who contact us or engage our services;
• subcontractors, suppliers, partners and other counterparties; and
• personnel and prospective personnel.

2. Personal information we collect

Personal information we may collect includes:

1. Information you provide directly — name, organisation, role, business contact details (email, phone), and any information you include in enquiries, briefs, engagement discussions or contracting documents.
2. Information collected automatically when you visit our website — IP address, browser type and version, operating system, pages viewed, time on site, referring URL, and device characteristics, as further described in our Cookie Notice.
3. Information from third parties — publicly available information (for example, business directories, the ABN register, AusTender, LinkedIn), referees during due diligence, mutual contacts, and government agencies where authorised by law.

We do not collect sensitive information (within the meaning of the Privacy Act) through our website. Where engagement-related sensitive information is necessary, it is collected directly, with consent, and used only for the purpose disclosed at collection.

For the purposes of this Privacy Policy, "sensitive information" has the meaning given in section 6 of the Privacy Act — including information about an individual’s health, racial or ethnic origin, political opinions, religious beliefs or affiliations, sexual orientation or practices, criminal record, biometric or genetic information, and information about an individual’s membership of a professional or trade association or trade union.

3. Why we collect personal information

We collect, hold, use and disclose personal information for purposes including:

• responding to enquiries and providing requested information;
• scoping, contracting and delivering professional services;
• engaging with subcontractors, suppliers, partners and clients;
• tender submissions, panel registrations and procurement processes;
• internal business administration, including invoicing and records management;
• complying with legal, regulatory and contractual obligations;
• direct marketing of related professional services, subject to opt-out;
• security monitoring of our own systems and investigating suspected misuse; and
• any other purpose disclosed at the time of collection.

4. Disclosure

We may disclose personal information to:

• service providers acting on our behalf (legal, accounting, banking, IT and platform providers, professional indemnity insurers) under contractual confidentiality obligations;
• web infrastructure providers (currently Cloudflare for bot challenge verification via Turnstile, and aggregate visitor analytics via Web Analytics) where the disclosure is technically necessary to deliver Website functionality and is limited to short-lived, non-identifying request metadata;
• prime delivery partners and other consortium members where ACT Cyber is engaged under a contracted delivery arrangement;
• subcontractors and associates engaged to assist on specific work, under written confidentiality obligations;
• government agencies and regulators where required or authorised by law (including under the Privacy Act, the Notifiable Data Breaches scheme, tax law, security clearance verification, and Defence-related obligations); and
• a successor entity in the event of a business transfer, restructure or insolvency event.

We do not sell personal information.

5. Cross-border disclosure

ACT Cyber holds personal information predominantly within Australia, using Microsoft 365 and Microsoft Azure services hosted in Australian regions. However, certain administration, support, and platform-level functions provided by our vendors may be accessed from outside Australia by personnel of those vendors. ACT Cyber selects vendors with documented security and compliance arrangements (including IRAP assessments where applicable) and contractual obligations that align with the APPs.

The Website also uses Cloudflare services (Turnstile for bot challenge verification, Web Analytics for aggregate visitor measurement). Cloudflare operates a global edge network and may process request metadata (IP address, user-agent string, page URL, challenge response) at edge locations outside Australia, including in the United States. Cloudflare is a US-listed company subject to its own privacy and data protection commitments.

By providing personal information to ACT Cyber, you acknowledge and consent to the disclosures described in this Policy, including any cross-border disclosure that may occur. Where personal information is disclosed to overseas recipients, we take reasonable steps to ensure they do not breach the APPs in relation to that information, except where APP 8.2 applies.

6. Security

ACT Cyber implements appropriate technical and organisational measures designed to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. These measures include:

• an Information Security Management System aligned to ISO/IEC 27001 and the Australian Government Information Security Manual (ISM);
• Microsoft cloud platforms configured to the ISM control baseline;
• AGSVA-cleared personnel for engagements requiring security clearance;
• encryption in transit and at rest for personal information held in our systems;
• access control on a least-privilege basis, with logging and monitoring; and
• personnel and contractors under written confidentiality and acceptable use obligations.

No system is perfectly secure. If ACT Cyber experiences an eligible data breach within the meaning of the Notifiable Data Breaches scheme, we will assess and respond in accordance with our breach response procedures and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

7. Data quality

ACT Cyber takes reasonable steps to ensure that personal information we hold is accurate, up-to-date, complete and relevant to the purpose for which it is held or used. If you believe information we hold about you is inaccurate or out of date, you may request correction under section 12.

8. Retention

We retain personal information for as long as needed for the purposes for which it was collected, and for any further period required to meet legal, contractual, regulatory or assurance obligations (including Defence-related records-retention obligations where applicable). Personal information that is no longer required is securely destroyed or de-identified in accordance with our records management practices.

9. Government identifiers

ACT Cyber does not adopt, use or disclose Commonwealth, State or Territory government-related identifiers (including the Tax File Number, Medicare number, Department of Veterans’ Affairs file number, Centrelink Reference Number, or any driver licence number) as its own identifier of an individual. Where such identifiers are collected for a lawful and specific purpose (for example, taxation, banking or contracting), they are used solely for that purpose and not as a general identifier.

10. Automated decision-making

ACT Cyber does not use computer programs to make, or to do things that are substantially and directly related to making, decisions that could reasonably be expected to significantly affect the rights or interests of an individual. Decisions affecting individuals are made by the Principal Consultant or a cleared Associate Consultant exercising professional judgment.

This statement reflects the disclosure requirements introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), which commences on 10 December 2026. Should ACT Cyber introduce any automated decision-making practices, this Privacy Policy will be updated in advance of doing so.

11. AI use

For information about how ACT Cyber uses AI-assisted tools, the categories of work for which AI is and is not used, and the safeguards applied to information processed using such tools, please refer to our AI Use Statement.

12. Your rights

Under the Privacy Act, you have the right to:

• request access to the personal information we hold about you;
• request correction of personal information that is inaccurate, out of date, incomplete, irrelevant or misleading; and
• make a complaint about how we have handled your personal information.

We will respond to access and correction requests within a reasonable period (typically 30 days). We may decline a request in limited circumstances permitted under the Privacy Act, in which case we will provide written reasons and information about complaint avenues.

13. Direct marketing

We may use your business contact details to provide information about ACT Cyber services that may be of professional interest to you. You can opt out of direct marketing communications at any time by:

• using any unsubscribe mechanism in the communication; or
• contacting us using the details in section 18.

We will action opt-out requests within a reasonable period and at no cost to you.

14. Anonymity and pseudonymity

Where lawful and practicable, you may interact with ACT Cyber anonymously or under a pseudonym. Certain interactions — including contracted services, tender submissions, security clearance verification, invoicing and any interaction requiring legal identification — require accurate identifying information.

15. Complaints

If you believe ACT Cyber has breached the Privacy Act, the APPs or this Privacy Policy, please contact us in the first instance using the details in section 18. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner:

• Website: www.oaic.gov.au
• Telephone: 1300 363 992
• Email: enquiries@oaic.gov.au

16. Children

Our website and services are directed at business audiences. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will take reasonable steps to delete it.

ACT Cyber will comply with the Children’s Online Privacy Code, currently under development by the Office of the Australian Information Commissioner, once it is in force.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version is available on our website and includes the "last updated" date shown at the top of this document. Material changes that affect how we handle your personal information will be communicated through reasonable means.

18. Contact

For privacy matters, including access requests, correction requests, complaints or enquiries: