We are committed to respecting your privacy and complying with our privacy obligations in accordance with the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (the "Privacy Act"). We also comply with the EU General Data Protection Regulation ("GDPR") in relation to all personal data that we collect, hold, disclose and otherwise process, if the personal data is protected by the GDPR ("GDPR Data"). It is our policy to collect and process personal information only in an open, secure and transparent way.
We can be contacted using the following details:
DocuStream Pty Limited
Level 2, 151 Macquarie Street
SYDNEY NSW 2000
The Privacy Act defines “personal information” as information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.
Article 4(1) of the GDPR defines "personal data" as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Information entered into instructions form Creation formsOur policy is only to process personal information via the Platform that is required to create instructions forms and generate legal documents. Lawyers enter the client's name and client's contact person name into a form when creating the instructions form. Lawyers also enter their own name, their law firm name and their email address into that same form. This information is used to generate an online instruction instructions form.
Matter DetailsIf you launch Contract Instructor from within your legal practice management system, matter details saved in that system will be made available for you or your clients to access when completing the instructions form.
Who we share personal information withWe will only disclose personal information that we collect via the Platform to third parties as follows:
- To our suppliers who host our files and databases in the cloud – we store backup copies of our computer files, software and databases in the cloud with Amazon Web Services who hosts those files, that software and those databases (including any personal information contained in them);
- Handling claims, legal disputes and complaints – in which case we may disclose your personal information to our insurers, lawyers, accountants and other professional advisors;
- In order to identify our users- when we are contacted with questions or concerns regarding the Platform;
- In order to record billing details and process payments from our users – in which case we will provide Clients’ bank account and credit card details to our bank and merchant facility providers;
- For professional advice - when providing information to our legal, accounting or financial advisors/representatives or debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
- If we sell the whole or part of our business or merge with another entity – in which case we will provide to the purchaser or other entity the personal information that is the subject of the sale or merger; and
- Where required by law.
- To obtain or maintain insurance;
- The prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
- To protect or enforce our rights or defend claims;
- Enforcement of our claims against you or third parties;
- The enforcement of laws relating to the confiscation of the proceeds of crime;
- The protection of the public revenue;
- The prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
- The preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of the court or tribunal; and
- Where disclosure is required to protect the safety or vital interests of our employees or users of the Platform.
SecurityWe take reasonable steps to protect personal data that we hold from unauthorised access, modification and disclosure and implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as follows:
- We perform security testing, and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management and firewalls;
- We maintain physical security measures in its buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms;
- We require all of our employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements;
- We carry out security audits of our systems which seek to find and eliminate any potential security risks in electronic and physical infrastructure as soon as possible; if appropriate in the circumstances, taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, pseudonymising and/or encrypting personal information;
- We implement passwords and access control procedures into our computer systems;
- We have data backup, archiving and disaster recovery processes in place;
- We have anti-virus and security controls for email and other applicable computer software and systems in place; and
- We have processes in place to ensure integrity and resiliency of systems, servers and personal information.
Contractors and offshore providersWe may transfer your personal information to our contractors and service providers who assist us with hosting, developing and supporting the platform, and to assist us with the operation of our business, where we consider it necessary, provided that we comply with applicable law, including the provisions of Australian Privacy Principle 8 (Cross-border disclosure of personal information), and GDPR (in relation to GDPR Data). The servers that host our Platform are located in Australia.
We engage third-party sub-processors in connection with the hosting of the Platform and its ancillary services ("Sub-processors"). These Sub-processors may include partners, software developers, subsidiaries, suppliers and hosting providers.
If you use the platform, you are deemed to have given your general written consent and authorisation for us to engage our current Sub-processors.
GDPR offshore transfersWe will not transfer GDPR Data about a person to any country or organisation outside of the European Union, except:
- as reasonably necessary for us to provide or procure the provision, or maintain or improve, the instructions form creation, instruction collection and document generation functions of the platform; or
- as instructed by the person.
Retention and de-identification of personal dataWe will not keep personal data in a form which permits identification of any person for longer than is necessary for the purposes for which the personal data is processed. We will only process personal data that is entered into the Platform, and only thereafter for the purposes of deleting or returning that personal data to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person's vital interests). We will, following your cessation of use of the Platform, delete all of the personal data uploaded and/or entered into the Platform by you. Where a user requires that the personal information is to be returned, it will be returned to the data subject (as applicable) after the end of the provision of services relating to the processing (Processing Conclusion Date) and to the extent feasible, and we will thereafter delete all then remaining existing copies of that personal information in our possession or control as soon as reasonably practicable thereafter, but in any event not more than 30 days after the Processing Conclusion Date, unless applicable law requires us to retain the personal information in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.
Your rights under the GDPRSubject to the provisions and exceptions set out in the Privacy Act and/or GDPR, you have a number of rights, including:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision making and profiling.
Notifiable data breachesSince 22 February 2018, data breaches that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner (OAIC), except where limited exceptions apply. For the purposes of the GDPR, certain types of data breaches must also be reported to affected individuals if the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms. In addition, the GDPR requires organisations to report certain types of data breaches to the relevant supervisory authority. We have prepared a response plan for addressing data breaches that may occur and have allocated responsibility for managing breaches to a relevant individual or team. We will notify you of any data breach that may affect you where we are required to do so in accordance with our legal obligations. Our contact details
The Platform is owned and operated by DocuStream Pty Ltd (ABN 18 602 580 290) of Level 2, 151 Macquarie Street, Sydney NSW Australia. If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us at the following address:
Our Privacy Officer’s details are as follows:
DocuStream Pty Ltd (ABN 18 602 580 290)
Level 2, 151 Macquarie Street, Sydney NSW Australia
We will use our best endeavours to resolve any privacy complaint within 10 Business Days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.
If you are not satisfied with the outcome of a complaint you make refer the complaint to the OAIC who can be contacted using the following details:
Call: 1300 363 992 Email: firstname.lastname@example.org Address: GPO Box 5218, Sydney NSW 2001
If you have any complaint relating to GDPR Data, you may lodge a complaint with any relevant supervisory authority.