Personal and Sensitive Information Handling
Personal and Sensitive Information Handling – Explainer for SYPAQ Candidates
SYPAQ treats information security and privacy seriously and adheres to its obligations under the Privacy Act 1988 (Cth) (The Privacy Act), including the Australian Privacy Principles established in Schedule 1 of The Privacy Act.
When you apply for a role through SYPAQ by completing and submitting the candidate registration form, and by participating in and completing any subsequent screening processes, SYPAQ may collect from you and store ‘Personal Information’ and ‘Sensitive Information’ as defined in The Privacy Act.
By participating in this candidate application process, you expressly consent to SYPAQ collecting and storing (as is reasonably necessary for its functions or activities) any Sensitive Information and Personal Information which you provide to us during this process. This may include any Sensitive Information or Personal Information provided to SYPAQ in your resume, as well as information provided by you to SYPAQ during the completion of any candidate registration form and the completion of any subsequent screening (including any personal identification documents).
SYPAQ carries out this collection and storage of Personal Information and Sensitive Information for the necessary purpose of assessing your suitability as a candidate for engagement by SYPAQ.
SYPAQ’s internal systems are approved by Defence Australia (previously known as the Australian Department of Defence) for the storage of information up to and including information classed as “Official: Sensitive”. Personal Information and Sensitive Information collected from you is stored on SYPAQ’s internal systems which are located in Australia wherever possible.
SYPAQ implements various security controls to safeguard the confidentiality, integrity and control of information as required by our membership of the Defence Industry Security Program, including compliance with the ACSC’s Essential Eight (https://www.cyber.gov.au/acsc/view-all-content/essential-eight).
Some aspects of SYPAQ’s candidate application and screening process make use of platforms provided to SYPAQ by external service providers. SYPAQ makes use of these platforms where they are necessary for its functions, including the candidate application and screening process.
The following external service provider platforms may be used as part of the candidate registration and screening processes:
In some scenarios, SYPAQ uses external software providers that host information for SYPAQ outside Australia. This includes Bullhorn, which may store Personal Information relating to your employment with SYPAQ to facilitate normal business activities such as payroll and obtaining work with SYPAQ’s clients. Copies of identity documentation are not stored in these external systems.
SYPAQ provides the following information regarding these external service providers to you based on SYPAQ’s current best knowledge and understanding as it relates to them. The following information is provided to you based on information and representations made by these external service providers themselves, not by SYPAQ.
SYPAQ utilises VerifyNow to conduct Identity Verification, Police Checks, and Qualification Checks on our behalf. VerifyNow provides SYPAQ with the results of the screening, however SYPAQ does not receive copies of identity documentation submitted by a candidate to VerifyNow.
SYPAQ temporarily stores the results of checks conducted by VerifyNow on our internal systems in order to make an assessment of the candidate’s screening. Once the candidate screening process has been completed and an associated outcome recorded, SYPAQ destroys the information on the candidate provided by VerifyNow (for example, the police check).
VerifyNow was founded by the Management Team of Cogent Business Solutions, a key security vetting service provider to the Australian Government. Cogent runs systems secured and certified in accordance with the Australian Government Information Security Manual (ISM) PROTECTED standard and is a full Defence Industry Security Program (DISP) member.
VerifyNow’s office premises are housed within a DISP accredited environment.
VerifyNow works within a centralised ISO 27001 certified environment which addresses all of the Australian Cyber Security Centre’s (ACSC) Essential Eight (E8) mitigation strategies as well as ISO 27001 controls.
Endpoints that connect to this environment are centrally managed and all ACSC E8 mitigation strategies are implemented on endpoints to a high maturity level. Endpoints do not receive or process data, as all data stays within the secure environment.
All data is housed in Australian data centres, where it is encrypted at rest and in transit, and does not leave Australian shores unless a necessary exception occurs (e.g. an international police check).
VerifyNow runs a segregated system for client access to screening information pack submissions and management. This comprises a separate custom-built web-based platform leveraging an Australian development partner’s forms-as-a-service engine for form submissions. This platform is secured in accordance with AWS E8 Guidance.
Penetration tests are undertaken annually or bi-annually depending on requirements and system changes. Formal Security Awareness training is conducted for all staff at least annually.
VerifyNow is accredited by the Australian Criminal Intelligence Commission (ACIC) to access the Nationally Coordinated Criminal History Checking (NCCHC) service. As part of becoming an accredited body, VerifyNow is required to:
- Retain each NCCHC application and any identity documents presented by the applicant for a minimum of 12 months.
- Destroy each NCCHC application and any identity documents presented by the applicant within 3 months after the 12 month retention period.
- Destroy the NCCHC results within 12 months of receipt of the check.
- Protect Personal Information against misuse, interference, loss, unauthorised access, modification or disclosure.
- Develop, document and maintain an Information Security Policy that clearly describes how it protects information.
SYPAQ uses DocuSign to capture information related to your potential employment via our Candidate Registration Form (CRF) and to confirm your right to work in Australia. The only identity documents submitted via DocuSign are those that are required to verify your right to work in Australia.
As an alternative to using DocuSign for this purpose, you may instead elect to have the documentation relating to your right to work in Australia verified via a video call rather than submitting the identity documentation through DocuSign. In this case a SYPAQ team member will visually verify your documentation and record the outcome.
Once your right to work in Australia has been confirmed, SYPAQ stores your Candidate Registration Form and records the outcome of your right to work assessment in our application tracking system, Bullhorn, and then destroys any local copies of the CRF and identity documents held on our systems.
DocuSign is configured to automatically delete all records after 12 months. After this period any identity documents submitted as part of right to work checks are permanently destroyed.
All data submitted by you during the candidate application and screening process to DocuSign is stored in Australian data centres.
SYPAQ uses Bullhorn to track the status of your application. Bullhorn is used to store information submitted with your original application, such as your resume, along with the recorded outcome of your right to work in Australia check and other screening checks.
At no point is any identity documentation or Sensitive Information stored in Bullhorn, unless such information was included in the Resume you submitted to SYPAQ. As noted above, provision of any Sensitive Information to SYPAQ made during the candidate registration process (including submission of a resume as part of this process which contains Sensitive Information) is taken to be express consent to the collection of this information for SYPAQ’s reasonably necessary functions.