Your privacy is important to you; which in turn means that it is important to us. Iron Mountain is in the business of handling information securely and we have spent years working out the best ways to protect your personal information.
The bottom line is that we will only disclose your personal information that we have collected to others if you have given us permission, or if the disclosure relates to the main reason we collected the information and you would reasonably expect us to do so.
2. The kind of information we collect
As a customer of our information management services, you may have provided us with personal information to store in either a physical or digital format or to process by way of scanning.
If you are a job applicant or a potential employee of Iron Mountain, then we may be provided with your CV, birth date, contact details and other background information. We may store this information in a secure physical location or in a local data centre.
Contractor or Supplier
If you are an individual contractor of Iron Mountain, or a representative of a supplier, then Iron Mountain will collect your name, contact details, bank details, background checks and any medical information that you have consented to provide and which is reasonably necessary for you to carry out your functions.
3. How we hold, use or store your information
Where we store your information as a part of our services or to enable us to provide the services, we have developed security measures at each physical site and have developed and implemented global standard operating procedures that cover the handling and storage of your information. These procedures are in turn localised to effectively ensure Australian standards are adhered to. Internally we have developed a set of standards to ensure our policies and procedures meet or exceed industry and government legislative requirements.
In some cases you may be using services that involve digital storage of your information, whether it is in the form of cloud storage, or as a result of us carrying out scanning or data restoration services. In these cases we may use the following measures:
Firewalls and access logging tools that protect against unauthorised access to your data and our network.
Secure work environments and workflow systems that prevent unauthorised access and copying of your personal information.
Secure server and closed network environments.
Encryption of data.
Virus scanning tools.
Ongoing security reviews.
Where we scan information on your behalf, the scanned images will be retained on our data servers until sent to you and will then be deleted 30 days thereafter. Where we provide data restoration services, these services may be performed by authorized personnel outside of Australia only as reasonably necessary to provide the services. The data restoration services will be undertaken on an Australian network. These personnel will be subject to Iron Mountain’s security measures and controls and Australia’s privacy laws. All Iron Mountain data servers are located in Australia.
We use customer relationship management (“CRM”) software to store the personal information collected directly from you and to assist us to provide marketing activities to you.
Wherever your personal information is stored, it will only be accessed by authorised personnel only to provide technical support or to carry out other functions reasonably necessary to provide the services. This information will not be disclosed or used in any other way without your express authorisation.
The digital landscape is constantly changing, so while these measures have been successful to date, the nature of the medium means that they cannot be relied upon to always be effective. We will keep striving to maintain the security of your digital personal information.
Suppliers and candidates
We will store the information that you provide us in a secure physical location or on our data servers which are located within Australia.
4. Why we collect personal information
We collect personal information from you, or store any information that you give to us, in order for us to carry out the services we have been contracted to provide. We will also use the personal information in order to provide you with news of updated products and services, provide you with news of any marketing campaigns and where it is reasonably necessary for any other related business or marketing purposes.
Having your personal information makes it easier for Iron Mountain to discuss our services with you and to contact you in a timely manner should we need to.
Other reasons we collect personal information are to:
Manage our business, including hiring staff.
Comply with our legal obligations.
Deal with you as a contractor providing services to Iron Mountain.
5. How we collect personal information
Directly from you
You may also have provided us with personal information when you requested us to undertake the conversion of documents from a physical format to a digital format.
We may receive personal information from your employers. Or, if you are a potential candidate, we may receive your CV and other background checks from a recruitment agent.
You may also have directed others to provide personal information to us on your behalf, for example, the results of medical checks and police background checks, if you are a contractor.
If we have knowledge of the personal information provided to us (as opposed to being provided with material for the purposes of storage) we will take reasonable steps to make sure you are aware that we have your personal information, how we received it and how we will manage it.
Through our website and emails
If you visit the Iron Mountain website, we may collect various non-personal information, such as internet protocol (IP) addresses, the date and time of website visits, the web pages reviewed, any links that you access through emails sent to you and any documents downloaded and the type of browser and operating system used to access the website.
Where such information is collected, it may be used and disclosed by us, but only in an anonymous, aggregated form where no individuals are identified. While this information is not of a personal nature, it may become so when analysed or aggregated together with other information, which could lead to the identification of an individual. If this was to happen, we will inform you that we hold information that is capable of identifying you.
6. How to access your personal information
You are entitled to request access to the personal information that we may hold (subject to the exceptions which may apply under the Privacy Act, such as where access to such information may pose a threat to someone’s life), or you may simply want to know what sort of personal information we hold and for what purposes and how we collect, hold, use and disclose that information. If so, you should direct a written request to our Privacy Officer at Privacy.Au@ironmountain.com and we will respond within a reasonable time. If we refuse to provide you with access to your personal information, we will provide you with reasons for the refusal.
If you are a representative of a customer and we hold personal information that we collected directly from you then, there is generally no cost for accessing the personal information we hold about you, unless the request is complex or resource intensive. If there is a charge, it will be reasonable and we will let you know what it is going to be so that you can agree to it before we go ahead. If you feel that the information that we hold is incorrect or outdated, then we will take all reasonable steps to correct that information.
However, where that information is held as part of the materials that you store with us, access to that information will be charged at your standard rates for retrieval and refiling.
7. Who we may share information with
We have partnered with several trusted partners to provide digital services. We also use third party providers to assist with marketing and communication to our customers. In the event of non-payment of Iron Mountain’s invoices, we may provide personal information to third party debt collectors.
We have taken all reasonable measures to ensure that these partners and providers do not breach the obligations under the Privacy Act. The partners and providers limit their access to your personal information to the extent necessary to do their job.
Some of these partners may have data centres in other locations outside of Australia. For example, personal information that we have collected directly from you, your personnel or from other representatives of your company are stored on servers in North America. The content management suite of digital services that we sell is backed up to servers in either North America or Japan. By providing your personal information to us, you consent to the transfer of that information to our third party partners who are located outside of Australia for that purpose.
8. Legal disclosure of personal information
We may disclose personal information in circumstances where we are obliged to do so under Australian law, for example, where we have been provided with a subpoena or warrant that requires access to the information.
9. Data breaches and mandatory notification
Iron Mountain will comply with the data breach notification laws in respect of personal information provided directly to it, where it is able to assess whether an eligible data breach (as defined in the Privacy Act) has occurred and which has the potential to cause serious harm to an individual.
Where Iron Mountain is not able to assess what, if any, harm may be caused by a suspected or actual data breach, for example, in circumstances where Iron Mountain provides storage and other related services for a customer and Iron Mountain does not know and is not in a position to discover whether such storage or other related services involves the processing of personal information, then Iron Mountain will take all reasonably necessary steps to assist the customer to uphold the customer’s obligations to notify any affected individuals and the Office of the Australian Information Commissioner. This will include timely notification to the customer and a description of the actual or suspected data breach.
10. What happens if we no longer need your personal information?
Where Iron Mountain no longer provides services to you or where the personal information is no longer reasonably necessary for us to carry out the services, then the information will be securely destroyed in one of our many secure destruction facilities or will be permanently deleted from our system.
11. Marketing by Iron Mountain
We market our services using email, mail and phone. We will provide you with clear advice as to how you may opt out of any marketing activities that we conduct, but where you do not opt out; you will be taken to having consented to us marketing our services to you.
Any queries or complaints in relation to how we collect, use, disclose, store or destroy your personal information should be directed to the Privacy Officer at Privacy.Au@ironmountain.com. We will take your query or complaint seriously and respond within a reasonable time to address your concerns or questions.
14. More information
For any more information about the Privacy Act or your rights, please visit the website of the Office of the Australian Information Commissioner, at www.oaic.gov.au.