Data Breach Policy

Axess is required to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure.

Purpose

Axess Recoveries & Collections Pty Ltd ACN 053 976 668 is committed to protecting personal information it collects. This policy supports our Privacy and Credit Reporting Policy and explains the public-facing steps we take where a data breach is suspected or confirmed.

A data breach may involve loss of personal information, unauthorised access to personal information, or unauthorised disclosure of personal information.

Security of data

Axess is obliged under the Australian Privacy Principles to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Axess is also required to protect credit eligibility information.

Staff are required to follow data security requirements and procedures for customer information, including requirements set out in privacy, credit reporting, induction and information handling procedures.

Response steps

Where a suspected or actual data breach is identified, Axess follows a response process based on five steps.

  1. Identify: suspected or actual breaches are reported and escalated to management responsible for the response plan.
  2. Contain: reasonable steps are taken to contain the breach and prevent further compromise.
  3. Assess: the type of information, individuals affected, likely harm, cause, remedial options and systemic risk are assessed.
  4. Notify: where required by law, affected individuals and the Office of the Australian Information Commissioner are notified.
  5. Review: policies, systems, training, access controls and response plans are reviewed to reduce recurrence risk.

Assessment

Assessment may consider the type of information involved, whether the information can be recovered or secured, the number and identity of affected individuals, possible financial, economic, social or emotional harm, whether the breach was accidental or deliberate, whether a third party was involved, whether criminality is evident, and whether the information was encrypted, de-identified or difficult to access.

Notification

If Axess forms a reasonable belief that a data breach is likely to result in serious harm to affected individuals, Axess will prepare the statement required by the Privacy Act 1988 and provide notifications required under the Notifiable Data Breaches scheme.

Notifications may include a description of the breach, the kind of information involved, recommendations about steps affected individuals should take, our contact details, our response to contain the breach and prevent recurrence, and information about complaint avenues.

Contact

Privacy and data breach enquiries can be directed to the Compliance Manager at compliance@axessrc.com.au or PO Box 1003, Spring Hill QLD 4004.