Privacy and Information Security Policy

One of our main priorities is the privacy of our customers and visitors.

INTRODUCTION
This privacy policy applies between you, the visitor to this website (whether directly as our customer or as personnel of our customer), and us, the owner and provider of this website. This privacy policy applies to our use of any and all data collected by us or provided by you in relation to your use of the website and the provision of our services to you.
We take our privacy obligations seriously and we’ve created this privacy policy to explain how we collect and treat your personal information. Personal information is that information which is identifiable as being about you.

LAWS AND STANDARDS WE COMPLY WITH
We comply with:
a) the National Privacy Principles established by the Privacy Act 1988 (Cth);
b) to the extent the European Union’s General Data Protection Regulation 2016/679 (‘GDPR’) applies to us and our use of your information, the GDPR; and
c) to the extent necessary to assure our government clients of our commitment to information security, the Information Security Manual, issued by the Australian Signals Directorate, and the complimentary principles of the Protective Security Policy Framework issued by the Attorney General’s Department, and we are certified accordingly with SOC 1, 2, and 3, ISO 27001 globally and IRAP for Australia.

TYPES OF PERSONAL INFORMATION WE COLLECT
The personal information we collect may include the following:
a) name;
b) mailing or street address;
c) email address;
d) social media information;
e) telephone number and other contact details;
f) age;
g) date of birth;
h) credit card information;
i) information about your business or personal circumstances;
j) information in connection with client surveys, questionnaires and promotions;
k) your device identity and type, I.P. address, geo-location information, page view statistics, advertising data and standard web log information;
l) information about third parties (including Referral Information (as defined in our Terms of Service)); and
m) any other information provided by you to us via this website or our online presence, or otherwise required by us or provided by you.

HOW WE COLLECT PERSONAL INFORMATION
We endeavour to ensure that information we collect is complete, accurate, accessible and not subject to unauthorised access.
We may collect personal information either directly from you, or from third parties, including where you:
a) contact us through our website;
b) communicate with us via email, telephone, SMS, social applications (such as LinkedIn, Facebook or Twitter) or otherwise;
c) use our automated referral system or manual referral service;
d) interact with our website, social applications, services, content and advertising; and
e) invest in our business or enquire as to a potential purchase in our business.
We may also collect personal information from you when you use or access our website or our social media pages. This may be done through use of web analytics tools, ‘cookies’ or other similar tracking technologies that allow us to track and analyse your website usage. Cookies are small files that store information on your computer, mobile phone or other device and enable and allow the creator of the cookie to identify when you visit different websites. Cookies may be used to serve relevant ads to website visitors through third party services such as Google Adwords. These ads may appear on this website or other websites you visit.
If you do not wish information to be stored as a cookie, you can disable cookies in your web browser.
USE OF YOUR PERSONAL INFORMATION
We collect and use personal information for the following purposes:
a) to provide services or information to you;
b) for record keeping and administrative purposes;
c) to provide information about you to our contractors, employees, consultants, agents or other third parties for the purpose of providing services to you;
d) to improve and optimise our service offering and customer experience;
e) to comply with our legal obligations, resolve disputes or enforce our agreements with third parties;
f) to send you marketing and promotional messages and other information that may be of interest to you and for the purpose of direct marketing (in accordance with the Spam Act). In this regard, we may use email, SMS, social media or mail to send you direct marketing communications. You can opt out of receiving marketing materials from us by using the opt-out facility provided (e.g. an unsubscribe link);
g) to send you administrative messages, reminders, notices, updates, security alerts, and other information requested by you; and
h) to consider an application of employment from you.
We may disclose your personal information to cloud-providers, contractors and other third parties located inside or outside of Australia. If we do so, we will take reasonable steps to ensure that any overseas recipient deals with such personal information in a manner consistent with how we deal with it.
We’ve endeavoured to ensure that our use and collection of your data is clear and as transparent as possible, but in the interests of keeping this policy concise it’s not possible to list every circumstance in which we will use your data.

SECURITY
We take reasonable steps to ensure your personal information is secure and protected from misuse or unauthorised access. Our information technology systems are password protected, and we use a range of administrative and technical measure to protect these systems. However, we cannot guarantee the security of your personal information.
LINKS
Our website may contain links to other websites. Those links are provided for convenience and may not remain current or be maintained. We are not responsible for the privacy practices of those linked websites and we suggest you review the privacy policies of those websites before using them.

REQUESTING ACCESS OR CORRECTING YOUR PERSONAL INFORMATION
If you wish to request access to the personal information we hold about you, please contact us using the contact details set out below including your name and contact details. We may need to verify your identity before providing you with your personal information. In some cases, we may be unable to provide you with access to all your personal information and where this occurs, we will explain why. We will deal with all requests for access to personal information within a reasonable timeframe.
Where you are a resident of the European Union and the GDPR applies to your personal information, you have the right to ask for ‘subject access request’ or ‘SAR’ being a copy of your personal data held by us. Where we do hold such data about you we will provide you with a copy of the data we hold about you. This will be in a commonly used machine-readable file where you request us to e-mail the information to you. We will also give you a description of the data, tell you why we are holding it and tell you who we could have disclosed it to.
If you think that any personal information we hold about you is inaccurate, please contact us using the contact details set out below and we will take reasonable steps to ensure that it is corrected. We will also stop processing data on your request and you may also request that we delete the data held about you.
If you would like a copy of the information which we hold about you or believe that any information we hold on you is inaccurate, out of date, incomplete, irrelevant or misleading, please email us using the contact details set out in the ‘Contact Us’ section below.
We reserve the right to refuse to provide you with information that we hold about you, in certain circumstances set out in the Privacy Act 1988 (Cth).

CHANGE OF CONTROL
If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer to the extent permissible at law our user databases, together with any personal information and non-personal information contained in those databases. This information may be disclosed to a potential purchaser under an agreement to maintain confidentiality. We would seek to only disclose information in good faith and where required by any of the above circumstances.

TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA (‘EEA’)
Information that we collect in the EEA may from time to time be stored, processed in or transferred between parties located in countries outside of the EEA which may not have as stringent data protection laws as found in the EEA.
Some of our third party service providers may be also located outside the EEA. If we transfer your data outside the EEA in this way (where you are a resident of the European Union and the GDPR applies to your personal information) we will ensure that the third party provider we use is compliant with the GDPR and that your privacy continues to be protected as outlined in this privacy policy.
If Article 27 of the GDPR applies to us, we will appoint a representative within the European Union in accordance with the GDPR. Please contact us and we will let you know the representative’s contact details.

INFORMATION SECURITY MANAGEMENT SYSTEM
The Information Security Manual (Controls) sets out what an Information Security Policy is to contain. To demonstrate our commitment to treating your information in the manner that you would expect if you are a government agency that is required to comply with the ISM, the following explains our approach to protecting your information in accordance with the standards of the ISM.
Internal Policies
In addition to the other information security measures set out in this policy, B Online Learning maintains the following internal information security documents:
• Disaster Recovery Plan;
• Incident Response Plan;
• Information Security Policy
• Risk Management Policy;
• System Security Plan;
• Vulnerability Assessment Guide; and
• Web Hosting Security Policy.
Every effort is made to keep these policies up to date and aligned with this policy.
Accreditation Processes
Our accreditation officer is our CISO. We have developed and implemented an accreditation framework which ensures that accreditation activities are conducted in a repeatable and consistent manner across the company. As the website owner, we are responsible for the secure operation of our system and managing the residual risks of our system. If modifications are undertaken to the system we will need ensure that the changes are undertaken and documented in an appropriate manner, and that any necessary reaccreditation activities are completed.
Personnel Responsibilities
Our CISO facilitates communication between security personnel, ICT personnel and business personnel to ensure alignment of business and security objectives. Our CISO also delivers information security awareness and training programs to our personnel. We have a series of standard operating procedures to ensure that personnel understand their duties and undertake their duties appropriately and with minimal confusion.
Configuration Control
Our CEO is responsible for approving, releasing and implementing changes to the system and the software or relevant configurations. Changes that could introduce vulnerabilities, new security risks or increase security risks in a gateway are always appropriately considered and documented before being implemented. The security of the system is audited regularly to ensure its integrity.
Access Control
You will be given a unique URL which will be password protected and authorise your access to the software. You are uniquely identifiable and authenticated on each occasion that access is granted to the software. Our databases have strong user identification and authentication processes in place to ensure that only the necessary personnel can access the information we store.
Networking and Connections with Other Systems
Our system is standalone and does not connect with other systems, which greatly reduces vulnerability to being compromised. The system does not require any external interface connections to function. We use software-based application firewalls to limit both inbound and outbound network connections.
Physical Security and Media Control
As we operate primarily online and given the nature of our business, our premises are not vulnerable to physical security breach and security zones are not required. We do of course keep our headquarters physically secure to the extent reasonable and necessary.
Emergency Procedures and Cyber Security Incident Management
We have emergency procedures in place which ensure our virtual systems are secure if evacuation of our headquarters is required. We record cyber security incidents in a register so that we can monitor and audit the nature and frequency of any cyber security incidents and so that corrective action can be taken.
Change Management
We are constantly reviewing the system in accordance with our change management procedures so that we can ensure the integrity and quality of the system. We identify the need for change by monitoring security vulnerabilities and through our users identifying problems with the system. We perform regular upgrades to the system at no cost to our customers.
Information Security Awareness and Training
All of our personnel have been provided with information security awareness training and are provided with regular updates as necessary to keep them informed of any changes to our procedures. We also have disciplinary procedures in place in the unlikely event that any of our personnel violate our standards.

COMPLAINTS
If you wish to complain about how we handle your personal information or held by us, please contact us using the details set out below including your name and contact details. We will investigate your complaint promptly and respond to you within a reasonable time.
For data which is subject to the GDPR, you have the right to lodge a complaint with the local regulator in your jurisdiction in Europe if you do not feel we have adequately upheld your rights under GDPR.

CONTACT US
For further information about our privacy policy or practices, or to access or correct your personal information, or make a complaint, please contact us using the details set out below:
Email: privacy@bonlinelearning.com
By providing personal information to us, you consent to our storage, maintenance, use and disclosing of personal information in accordance with this privacy policy.
We may change this privacy policy from time to time by posting an updated copy on our website and we encourage you to check our website regularly to ensure that you are aware of our most current privacy policy.