What is this Notice about?
This Notice explains how we collect and use your information in a number of different situations. The Notice consists of this Overview section, and various other sections describing the processing that we may undertake dependant on the relationship(s) we may have with you. Words which are underlined have specific definitions. You can find the definitions in the section titled Definitions.
The information in this Notice is important, so we have tried to make it very easy to navigate. Use the links to locate the sections that are relevant to you. These will help you find out more about how we collect, use and share information in our relationship or interaction with you.
What is this Overview section about?
This Overview section addresses the way in which we manage information that we collect about you.
It describes how we collect, hold, use and disclose information that we collect about you from time to time.
It details whether we are likely to disclose your information outside of Australia.
It also describes your rights in relation to your information, how to request access to your information, and how to make a complaint.
You can find more information about the specific kinds of information we collect, and the reasons we have for collecting that information, in the other various sections of this Notice (as they relate to the relationship we have with you).
How do you use my information?
The sections of this Notice will help you understand how we manage and use your information in our relationship or interactions with you.
We will only use or disclose your information for the purposes for which we collected it, unless we:
- reasonably consider that we need to use it for another reason and that reason is related to the original purpose;
- are required or authorised by law, a court/tribunal, or for law enforcement purposes to use or disclose your information; or
- obtain your consent to use it for another purpose
If the way that information will be managed differs from the details provided in this Notice or is incompatible with the original purpose the data was collected for, additional information regarding this processing will be provided to you.
If necessary, we will collect consent from you and advise you of the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your relationship with us that you agree to any request for consent from us. Please see the below section "What if I don’t provide you with my information?” for more information about declining to consent.
Please note that we may process your information without your knowledge or consent, in compliance with the information set out in this Notice, where this is required or permitted by applicable law.
We may amend the content of the Notice from time to time to keep it up to date with current legal requirements and the way we operate our business.
What is the basis on which you justify processing my information?
In order to carry out any processing of your information, we need to ensure that we have a particular reason to do so. We have set out the specific reasons we have for processing your information in the various sections of this Notice.
As set out in the Australian privacy laws:
- Collecting your information must be reasonably necessary to carry out one or more of our functions or activities; and
- Generally, we can only use or disclose your information:
- For the purpose for which it was collected (the primary purpose); or
- For another purpose if you give your specific consent; or
- For a purpose that is directly or indirectly related to the primary purpose, that you would reasonably expect us to use the information for (a secondary purpose); or
- Where required or authorised by law or by a court/tribunal, or for law enforcement purposes; or
- Where a "permitted general situation" exists.
We can use or disclose your information for a permitted general situation even where that is unrelated to the primary purpose.
The permitted general situations are:
- The protection of life, health or safety;
- Responding to allegations of unlawful activity or serious misconduct;
- Assisting with locating missing persons;
- Establishing, exercising, or defending against, a legal claim; and
- Participating in a confidential Alternative Dispute Resolution process (i.e. a mediation).
Will you process any of my sensitive information, and if so, what are the grounds on which you justify processing that information?
In some cases we may need to process your sensitive information. Each separate Notice will identify whether we intend to process your sensitive information for a particular activity we undertake, and the relevant reasons for processing.
We may collect sensitive information if one of the following situations applies:
- You consent to us collecting your sensitive information, and the information is reasonably necessary for us to carry on one of our functions or activities; or
- We are authorised or required to collect your sensitive information, by law or by order of a court/tribunal; or
- A permitted general situation applies (see the above section); or
- A permitted health situation applies (see below).
We can generally use your sensitive information in the same circumstances as for personal information. However, any secondary purposes for processing your sensitive information will be directly related to the primary purpose.
We may also use or disclose your sensitive information if a permitted health situation applies.
In brief, the permitted health situations relevant to us may include:
- Providing a health service to you;
- Collecting or using/disclosing for the purposes of compiling or analysing statistics, and/or managing the provision of a health service;
- Disclosing to a person who is responsible for you (i.e. your caregiver).
What if I don’t provide you with my information?
In some cases, you will be free to withhold information from us, however if you do withhold specific information we may not be able to continue our relationship with you, if we believe we require the relevant information to support the effective and efficient administration and management of that relationship.
For example, for employees, we require your information in order to pay you. This includes identity information, contact, payroll information and Tax File Number information. If this is not provided, we may be unable to manage our contractual relationship.
In addition, for representatives of suppliers or customers, if we do not have your identity and contact information, we will not be able to communicate with you regarding the relevant commercial transaction between the Company and that supplier or customer.
How do you keep my information secure?
The Company is committed to protecting the security of the information you share with us or we otherwise process about you. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.
We are also obliged to destroy or de-identify your information once it is no longer required.
Where do you get my information from?
In most cases, we receive the information directly from you. You either provide this to us at the outset of our relationship or do so at another time during your interactions with us. This will include information that you input into a form or through any self-service function, as well as information that you give to the Human Resources team, your Company contact and to any member of our workforce.
In addition to the information that you provide to us, we may generate some further information internally. This will usually be generated by Human Resources, line management or your Company contact, as appropriate.
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by us or a third party provider of the relevant service on our behalf.
We may also obtain some information from third parties.
If you are a representative of a supplier or a customer, we may receive your information directly from that company or from your colleagues. We may also use third parties to carry out credit-worthiness, anti-money laundering, anti-bribery and corruption and other due diligence checks. We process credit-related information and credit-eligibility information about individuals in accordance with our Credit Reporting Policy.
If you are an employee, we may obtain references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or from a third party that we engage to carry out a background check (where permitted by applicable law).
When do you share my information with others?
Within the Company, your information can be accessed by or may be disclosed internally on a need-to-know basis.
Your information may also be accessed by third parties, including suppliers, advisers, national authorities and government bodies who may be located in Australia or overseas – see external recipients below. We have sought to identify these parties in this Notice.
In addition, there are circumstances where we may need to disclose your information to third parties, to help manage our business and deliver our services. We may disclose your information to third parties if:
- We sell or buy any business, in which case we may disclose your personal information to the prospective seller or buyer of such business;
- BAE Systems plc (our ultimate parent company located in the United Kingdom), or substantially all of its assets, are acquired by a third party, in which case personal information held by it or us about you will be transferred to that third party;
- We are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal information with our regulators and law enforcement agencies in Australia and around the world, or to our legal advisers;
- It is necessary to protect the rights, property, or safety of BAE Systems Australia Limited or any member of the BAE Systems group of companies, our customers, suppliers or others, in which case we may disclose your personal information to our legal advisers and other professional services firms; and
- They provide services to us connected with your relationship with us.
In some instances these third parties (or any others, for example, a benefits provider), carry out their tasks on our behalf and upon our instructions for the reasons that we have set out in this Notice. In this case your information will only be disclosed to these parties to the extent necessary to provide the required services.
Internal recipients of your information may include:
- local, and global departments, including line management and team members;
- local and executive management responsible for managing or making decisions in connection with your relationship with the Company or when involved in a process concerning your relationship with the Company;
- system administrators (locally and globally); and
- internal audit to provide assurance to the Group’s Audit Committee on the company’s internal controls, as required by the UK Corporate Governance Code for UK Listed entities; and
- where necessary for specific projects and assignments, by staff in such relevant teams (whether local or global); and
- where necessary for the performance of specific tasks or system maintenance by staff in teams such as the Finance and IT departments (whether local or global).
External recipients of your information may include:
- service providers;
- tax authorities,
- regulatory authorities,
- our insurers,
- IT administrators,
- consultants and other professional advisors,
- payroll providers
- administrators of our benefits programs, and
- our Customers
Information contained in our IT systems may be accessible by providers of those systems, their associated companies and sub-contractors (such as those involved with hosting, supporting and maintaining the framework of our Human Resource information systems).
We expect these third parties to process any information given to them in accordance with the contractual relationship we have with them and applicable law, including with respect to data confidentiality and security.
In addition, we may share information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
Is any of my information transferred overseas?
Depending on the relationship we have with you and the purpose for which we collected your information, we may need to disclose your information outside of Australia. Such recipients may either be BAE Systems group companies, or parties external to BAE Systems.
Internal to the BAE Systems group
We may share your information within the BAE Systems group of companies as set out in this Notice. Some of the people who access your information may not be in the same country as you and may be outside of Australia.
Specifically, recipients of your information within the BAE Systems group globally are most likely to be located in the United Kingdom. The Notice(s) applicable to your relationship with us will identify any other specific countries to which we may transfer your information, where practicable.
Any transfers within the BAE Systems group are covered by an intra-group agreement which gives specific contractual protections to ensure that your information receives an adequate and consistent level of protection wherever it is transferred within the group.
External to the BAE Systems Group
In addition, some of the external organisations we share your information with may be located outside of Australia, depending on the relationship we have with you, the purpose for which we collected your information, and where our service providers are located.
We may use or disclose your information to such entities if:
- we have obtained your informed consent; or
- we reasonably believe that the overseas recipient is subject to a scheme that is at least substantially similar to Australia’s, and that you can take enforcement action under that scheme; or
- if a permitted general situation exists; or
- we are required by an Australian law or court/tribunal to do so; or
- use or disclosure is necessary for law enforcement.
We will always take steps to ensure that any transfer of information outside Australia is carefully managed to protect your privacy rights:
- we will only transfer information to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights,
- transfers to service providers and other third parties will be protected by contractual commitments or other legally acceptable mechanisms that ensure an adequate level of protection, and
- any requests for information we receive from law enforcement or regulators will be carefully checked for authenticity before information is disclosed.
If you have any questions regarding overseas transfers, please contact us for further details.
How long do you retain my information?
We will retain your information for as long as is reasonably necessary for the purposes explained in this Notice.
In some circumstances we may retain your information for longer periods of time than is needed for those purposes described in this Notice. For instance: where the original purpose is no longer relevant but a related secondary purpose still exists; where we are required to do so in accordance with legal, regulatory, tax or accounting requirements; to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.
We maintain policies governing the creation, retention and disposal of records in our care. These policies set out our requirements for the management of records, including guidance on keeping information as current as possible, securely deleting records and irrelevant or excessive data, and storing information anonymously or in a manner which no longer identifies you.
How do you manage information about other individuals, other than myself?
Apart from information relating to you, you may also provide us with information of third parties, for instance, your family or dependants, or your colleagues. Where this may be the case, we have set this out in this Notice.
Before you provide information about others to us, you must first inform these individuals that you intend to provide their details to us and of the processing to be carried out by us, as detailed in this Notice.
Do you conduct any direct marketing?
Direct marketing means communicating directly with you to promote goods and services.
Generally, we do not engage in direct marketing. However, from time to time we may run business development campaigns or promotions which involve an element of direct marketing. For example, we may offer you the option of signing up to receive regular emails from us which provide news about our strategic campaigns and products. You have the right to opt out of receiving these direct marketing communications.
More details may be found in the specific sections of this Notice that relate to marketing.
What are my rights?
Right to remain anonymous or use a pseudonym
You have the option to remain anonymous or use a pseudonym in your dealings with us. However, please be aware that this may impact on our ability to conduct our relationship with you.
Right to access your information
You have the right to request access to any of your information that the Company may hold. We will comply with your request where it is reasonable and practicable to do so. We will endeavour to reply within a reasonable timeframe.
You should note however that we do not always need to comply with your requests, but if this is the case, we will ensure that we provide you with a written explanation as to why we have declined to comply.
We may charge you a fee in certain circumstances where we incur administrative costs in facilitating access to your information.
Right to correct information
The Company aims to ensure that all information is correct. You also have a responsibility to ensure that changes to your information are notified to the Company as soon as possible so that we can ensure that your data is up-to-date.
You have a right to request that we correct inaccurate information. We may seek to verify the accuracy of the information before rectifying it.
You should note that we do not always need to comply with your requests. If this is the case, we will provide you with a written explanation as to why we have declined to comply.
In the event that we do correct your information, you also have a right to request that we make a notification about the corrected data to any third parties to whom we have disclosed your information.
Right to complain
If you have a concern or complaint about how we have processed your information, as a first step, you should contact us. We will endeavour to respond to you within 30 days after hearing from you. In our response we will outline our findings, and/or the next steps in handling your complaint.
You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at any time, if you consider that the processing of your information by us infringes applicable law.
Although you are not obliged to approach us before you lodge a complaint with the OAIC, we encourage you to contact us first in the event that we can assist you to resolve any issues or concerns.
How do I exercise my rights?
If you wish to exercise your rights, including requests for access and correction, please contact us.
We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information or change account details where we know we are dealing with the right individual.
We will not ask for a fee to process your request. We may however charge a reasonable fee to cover administrative costs incurred in facilitating access to your information.
We will endeavour to respond to all valid requests within 30 days. It may however take us longer if the request is particularly complicated or you have made several requests. We will endeavour to let you know if we think a response will take longer than 30 days. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way.
How do I contact you for more information?
Please visit the Contact Us section of this Notice.
How do you manage changes to this Notice?
We may amend this Notice from time to time, for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business.