This Privacy Policy covers:

• What information we collect about you
•  The circumstances under which we are permitted to share information
• How long we retain the information
• How you can request access, deletion, correction, feedback and make a complaint
  

Statement of Affirmation

The IDCARE Group, which includes Identity Care Australia & New Zealand Limited (ABN 84 164 038 966), My Data Care Pty Ltd (ABN 35 643 544 950), IDCARE Limited New Zealand (NZBN 942 904 107 0109), and IDCARE Foundation (ABN 678 651 986), referred to herein as IDCARE, affirms our commitment to the privacy laws, regulations and principles of Australia and New Zealand.

About this Privacy Policy

This Policy informs you about the personal information we collect, retain, use, and share with others. It is important that you understand this policy and how you can tell us if you object. If there is anything you do not understand or you would like to have some or all of the policy explained to you, please ask the IDCARE officer you speak to, or email us at privacy@idcare.org.

The purposes for which we collect, hold, use and disclose personal information

The purpose for which IDCARE collects, holds, uses and discloses personal information is to advance our mission of reducing the harm caused by identity theft, cybercrimes, and online scams. This includes:

• working with individuals and organisations impacted by identity theft, cybercrimes, and online scams to respond to risks
• engaging others on your behalf, with your consent, to reduce risks relating to the misuse of your personal information
• advising government and private organisations of the impacts of these harms, and how they can improve their response efforts to reduce harm to people in the future
  
• connecting with the community and educating individuals and organisations about what’s occurring, how to prevent this, and how to respond.
• feedback provided on IDCARE Group services may be used to assist with product and service development, account management and market engagement activities, such as marketing and promotional activities. Where this occurs, feedback shall be de-identified and the name of the organisation, if represented, not disclosed, unless the comments or feedback were made publicly or written consent provided by an authorised representative of the organisation.

The kinds of information we collect, why and how

The kinds of personal information that IDCARE collects, and why and how we collect it is set out below. You are not obliged us to provide us with this information; the information that you provide helps us to provide you with accurate and relevant assistance.

Case Management, General Enquiry, Subscriber Enquiry and Get Help Web-Forms

• Contact information – your first name (you may choose to use a pseudonym), phone number and email address are collected to enable us to get in contact with you, including if the line drops out, and to assist you and to be able to provide you with information relevant to your matter.
• Basic demographic information – your postcode, country of residence, gender identity and age range are collected if you agree to provide it, for research and analysis purposes and to help us understand trends associated with scams, identity theft and cyber misuse.
• Sensitive information - Except as otherwise outlined in this policy, IDCARE does not generally collect sensitive information. However, IDCARE may collect and use sensitive information if you share sensitive information with us when using our services because it will help us to support you. We will obtain your consent before collecting sensitive information unless a lawful exemption applies. IDCARE will only collect sensitive information where it is reasonably necessary.  IDCARE will only use or disclose sensitive information for the purpose for which it was collected, or for a directly related purpose that you would reasonably expect, or where if are legally required to disclose it.
• Other information – attributes relating to the exposure or misuse you experienced is collected if you agree to provide it, to enable IDCARE to provide you with relevant information and assistance. This information is also used for research and analysis purposes, to help us understand and respond to identity theft, cyber misuse and online scams.
  
• Digital device and online information – attributes such as IP address, device identifiers, browser type, geo-location approximation, site usage statistics, and online site pathways to IDCARE’s Get Help Form, are collected to help us understand whether the crimes people confront are targeting specific devices, applications, and locations.
  
• Case Management call recordings – Case management calls to and from IDCARE may be recorded. We tell people when this happens and give them the opportunity to not have the call recorded. If the call recording is turned off, clients will not be disadvantaged in using IDCARE’s services. Senior staff and mentors review the content of case management calls to help our Case Managers learn and develop, evaluating the response advice shared, the client reactions and impacts from advice provided, and the adequacy and accuracy of the content. Call recordings may also be used for research and analysis on cybercrime and scam methods and tactics, in order to improve our services and support.
  

Wellbeing support

We provide wellbeing support to individuals who are experiencing or at risk of serious mental health impacts due to online scams, cybercrime or identity theft. This phone-based support is an extension of case management services and calls are subject to the same conditions and processes outlined under Case Management call recordings, above. The provision of wellbeing support may include the collection of relevant health information if you choose to disclose it. Any health information shared with us will be held and handled in accordance the applicable privacy and health records laws. This service is subject to additional Terms & Conditions, which are also consistent with the provisions of this Policy.

Website usage  

IDCARE’s websites (www.idcare.org and www.idcare.org.nz) store cookies on your computer. You may disable these cookies when on those sites and it will not impact your access and use of the IDCARE website. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customise your browsing experience and for analytics and metrics about our visitors to our websites and social media platforms.

Some internet search engines also collected limited information relating to access to IDCARE’s websites. This includes Google Analytics (Universal Analytics) with anonymized IP; Google Analytics 4; Google Analytics Advertising Reporting Features; Google Analytics Demographics and Interests reports; Sendgrid. We use this information to improve your browsing experience and for analytics and metrics about visitors to our websites and their interaction with IDCARE web resources.

IDCARE utilises the third-party tool JotForm to create web hosted forms which are embedded on our website. These forms facilitate many of IDCARE’s web hosted tools (Individual and Small business cyber security assessments and scream at a scammer) and engagement avenues (Organisation incident response engagements and CROC engagements). The information entered into these tools is used to facilitate their associated use cases. Information entered by form responders, although stored within JotForm’s systems is solely managed by IDCARE. Any contact information entered into JotForm via an IDCARE form is not gathered, sold, or used by JotForm. For more information JotForm’s Privacy Policy is available here https://www.jotform.com/privacy/.

IDCARE utilises Zoho Analytics (Zoho) as a provider of web-based dashboarding software. Views created with Zoho may be embedded on the IDCARE website for specific case management, analytics and other commercial purposes (including public engagement, prevention and awareness campaigns). The information that informs these views is taken from client data in our case management system, however any personal identifiers (contact information) are removed before being sent to Zoho, ensuring your details are not gathered, sold or used by Zoho. Zoho has two data centres located in Australia (Melbourne and Sydney). More information related to Zoho’s privacy policy can be located here: https://www.zoho.com/privacy.html#long.

IDCARE utilises Knack as a provider of cloud-based database management and portal software. Our end-solution for subscribers is hosted and accessed via the IDCARE website to deliver key insights, products. and commercial services. The information held in Knack is stored in their data centre in Sydney, Australia. More information related to Knack’s privacy policy can be located here: https://www.knack.com/privacy/.

Technical network and device remediation services and “eDiscovery” (Cyber First Aid)

We provide remediation services for devices (e.g. mobile phone, tablet or computer) and networks that have been impacted by cyber misuse; we call this Cyber First Aid. These remediation services are subject to additional Terms & Conditions, which are also consistent with the provisions of this Policy. To provide these remediation services we may collect further information, including:

• device security settings,
• application security settings (such as email and social media),
• hardware information such as:
  - device identification
  - serial numbers
  - MAC address
  - CPU
• browser security settings,
• log files,
• application information,
• anti-virus and anti-malware information,
• Operating system information and patch version

Upon completion of Cyber First Aid a Certificate of Completion may be issued. IDCARE does not share this Certificate with any third parties, it is sent to you via the email address you provide to IDCARE. You may share this Certificate with third parties such as banks or financial institutions as proof IDCARE has completed the Cyber First Aid process on the relevant device.

This Certificate of Completion will contain:

• Your first name only
• Your IDCARE unique service identifier (case number)
• Device type and operating system
• A brief description of the processes carried out and any actions taken.

Identity Verification  

If you would like IDCARE to speak to other organisations on your behalf, you may be required to provide consent for this to occur in writing and complete an identity verification process. This process requires IDCARE to view your identity documents or related information. We request this information so that we can assure ourselves of your identity in order to act on your behalf. Identity verification data is only obtained with your consent and will include some (not all) of the following types of information:

• Facial image
  
• Full name
  
• Date of birth
  
• Place of birth
  
• Telephone number
  
• Residential address
  
• Email address
  
• Employer’s name
  
• Driver licence number, card number, and expiry date
  
• Passport number and expiry date (if no Australian or New Zealand Driver Licence)
  
• Proof of Age Card (if no Australian or New Zealand Passport or Driver Licence)
  
• ImmiCard (if no Australian or New Zealand driver licence)
  
• New Zealand Certificate of Identity (if no New Zealand driver licence)
  
• Medicare number and Expiry Date.
  

Verification processes also rely on searching personally identifiable information, including sensitive biometric information, provided to IDCARE by individuals against third party information sources, including identity validation and verification services.

Client Portal  

IDCARE manages a Client Portal, directly or via third-party hosted commercial arrangements (such as Microsoft Azure services), which provides a single online identity management system for individuals who opt-in to that system. If you are offered access the Client Portal, you must first undertake an enrolment process as outlined in the Client Portal Terms & Conditions. These consistent with the privacy provisions of this Policy. Users of IDCARE’s Client Portal must first agree to these Terms & Conditions.

Any additional protection and response services offered via the Client Portal are subject to separate IDCARE or third party (if delivered by third parties) Terms and Conditions. Where such services rely on responses by third parties, such as Credit Reporting Agencies, law enforcement, financial institutions, and identity credential issuers, individual users will be subject to the third-party Terms & Conditions and Privacy Policy provisions. This will be made clear in the relevant IDCARE Terms & Conditions.

Alerts to individuals

With your consent, IDCARE may send you alerts in relation to changes detected in your personal information or account usage if detected by IDCARE monitoring, profiling, and protection services. The Alerting function requires users to permit IDCARE to send the change notifications to a confirmed mobile phone number and/or email account and/or via an App push notification. The Alerting function within the Client Portal is subject to its own Terms & Conditions but is also consistent with the provisions of this Policy where privacy matters are concerned.

Collection and usage of biometric/facial imagery

IDCARE captures facial imagery as part of the identity verification process outlined above, if you have provided consent for IDCARE to act on your behalf to contact organisations. Because most identity theft involves the compromise of common identity credential information (such as driver licences and passports), the collection of facial imagery is an important addition to our identity verification process and is matched against third-party templates in a manner that does not involve the retention by that third-party of the templated biometric (i.e. the measure of an individual’s face). We do this to reduce the risk of threat actors impersonating you in order to access further information about you via IDCARE services (something we know impacts other organisations) or deceive IDCARE into contacting other organisations with information about you.
‍
Verification involves requesting of third parties whether the biometric template IDCARE has collected about you is consistent with the biometric template and the related personally identifiable information that is held by the third-party (such as name, date of birth, driver licence or passport number and address). Third parties that receive these requests from IDCARE include Government identity credential issuers, financial institutions, telecommunications providers, and digital identity issuers and verifiers. IDCARE may deny access to specific services or request an individual to provide alternative information to assist the verification assessment if inconsistencies are found and cannot be resolved.

Sharing with third parties

Sharing of personal information with third parties

IDCARE may share personal information with third parties in Australia and New Zealand, such as law enforcement, financial institutions, Government agencies (including identity document issuing agencies) and other identity repair response organisations in the following circumstances:

• where you have consented for IDCARE to share such information; and/or
  
• where researchers from Tertiary institutions that have partnered with IDCARE to conduct relevant research on cyber crime, identity misuse and online scams, have signed a confidentiality agreement to have limited access to information under specific conditions, including that their research will never identify an individual without consent;
  
• where IDCARE has provided a government-funded service to businesses (at no cost to them) and the government requires the business details to be shared with government, or their contractors, for quality assurance monitoring and verification;
  
• where it is assessed by IDCARE to be a situation that an individual has an immediate threat to their life (for example, a client is assessed to be at imminent risk of self-harm and IDCARE reports this instance to local law enforcement or another service provider to conduct a physical welfare check);
  
• where IDCARE is permitted or required by law, such as if IDCARE has been issued with a subpoena, warrant or related legal request from a Court or relevant law enforcement body, or IDCARE reasonably believes the use or disclosure of the information is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.
  

Sharing of de-identified and aggregated information with third parties

IDCARE uses de-identified and aggregated data received during case management, cyber first aid and incident support services, for research and analysis purposes, to monitor trends associated with online scams, identity theft and cyber crime. This data cannot be used to identify an individual. We use this data in our cyber resilience outreach and media, and in statistical analyses, summaries and reports that are provided to third parties (including Australian and New Zealand government agencies and private organisations).

Sharing of verification holdings with third parties

Third parties may search against IDCARE’s verification holdings where:

• agreements are in place between IDCARE and the third party and the searching is conducted in a manner consistent with this Privacy Policy and the Terms & Conditions of any relevant IDCARE service the individual has provided consent to use; or
  
• IDCARE is otherwise permitted or required by law, such as where it has a reasonable belief that disclosure is reasonably necessary for enforcement related activities conducted by an enforcement body.
  

Sharing of payer details for cost-recovered services

Services that are cost recovered are subject to their own Terms & Conditions which are consistent with this Policy. Cost recovered services may be delivered solely by IDCARE or in conjunction with a third party. Personally identifiable information is collected in order to process the payment, such as name, contact details, and payment information.

Payment is made via a third-party payment processing platform. 128-bit encryption is used in the processing of such payments and at no point does IDCARE collect, store, or share such payment information. Users of this service must agree to the terms and conditions of the third-party payment platform including their own Privacy Policy (a relevant link has been provided on this payment gateway).

How we hold and protect personal information

IDCARE will take all reasonable care to protect personally identifiable information provided by clients. Our information is held in an encrypted state, leveraging georedundancy across Australian data centres. Firewalls protect these data centres and role-based access control manage our internal stakeholders’ access to this data. All sensitive information is stored within Australian Data centres.

IDCARE is certified against ISO27001. IDCARE annually undertakes risk assessments in relation to our collection, storage, sharing, and destruction of personal information (guided by the ISO 31000 standard on risk management). Regular external testing (penetration testing, security reviews, and auditing) reviews the effectiveness of our security controls. Role based access control is leveraged across systems and administration tooling to ensure proper access control is in place. IDCARE operates a “defence in depth” approach to the information it collects, stores, and communicates, including, but not limited to:

• all data transmitted over the internet is done over HTTPS
  
• Cloudflare is used extensively to block potentially malicious requests
  
• rate limits on APIs are implemented at both the code level and via Cloudflare
  
• regular security scans are performed to identify code or configuration vulnerabilities
  
• firewalls are employed to limit access to services running on Microsoft Azure
  
• all handling of personal information by staff is subject to specific policies and guidelines which are reviewed regularly for compliance
  
• data at rest and in transit is encrypted
  
• staff are regularly assessed and educated about cyber security threats and threat responses
  
• all investigations regarding malicious code, sites and dark net actions are performed using external networks, interfaces and unattributable settings.
  

Retention of personally identifiable information

You may request at any time that information IDCARE has about you be permanently deleted (see next section).

IDCARE only retains personal information for the purposes of assisting you and protecting and responding to risks relating to such information. We retain records for 7 years in accordance with best practice document retention guidelines. Case information is anonymised and retained for statistical analysis, such as time series analysis. This information is backed-up periodically and stored in a non-networked or Internet-enabled environment.

If IDCARE receives unsolicited information we will determine whether it would have been permitted to collect the information. If not we will destroy the information as soon as practicable.

Access, deletion, correction, feedback and complaints

If you wish to access your personally identifiable information held by IDCARE, seek correction of this information, have your personally identifiable information deleted, or make a complaint about how we have dealt with your matter, please send a written request, including your case number, to:

• Privacy Officer IDCARE PO Box 412 Caloundra QLD 4551 Australia
  

Requests may also be emailed using our feedback form, with the words “Attn: Privacy Officer” in the subject line accessed at www.idcare.org or by emailing direct privacy@idcare.org.  

To assist IDCARE in responding to your request we would be grateful if you could provide your IDCARE Case Number (if relevant) and the estimated date of your engagement with IDCARE.

If we have not resolved your issue to your satisfaction and within our responsibilities, complaints about IDCARE and the handling of your personal information may be made to the relevant Privacy Commissioners in Australia and New Zealand: (www.oaic.gov.au / ph: 1300 363 992 and www.privacy.org.nz / ph: 0800 803 909). These organisations have extensive materials about your privacy rights and response considerations.