Effective date: 15 June 2026
11.1 Purpose
This policy establishes our procedures for responding to suspected or confirmed security incidents, cyber threats, unauthorised access events, and eligible data breaches.
11.2 Reporting obligations
Users, contractors, staff and authorised representatives must promptly report: suspected unauthorised access to systems or accounts; phishing attempts or credential compromise; malware, ransomware or suspicious activity; accidental disclosure of confidential information; or any event reasonably suspected to compromise the confidentiality, integrity or availability of data. Reports should be made through the designated support or security channels as soon as practicable, at [email protected].
11.3 Investigation and response
On becoming aware of a suspected incident, we may investigate and assess its severity and scope; restrict or suspend affected systems or accounts; preserve evidence and system logs; engage external cybersecurity specialists where necessary; undertake containment and remediation; and document the incident and corrective actions taken.
11.4 Breach notification
Where required under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth), we will assess a suspected eligible data breach, taking all reasonable steps to do so within 30 days of becoming aware of grounds to suspect it, and, where there are reasonable grounds to believe an eligible data breach has occurred, notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable. Notifications may include the nature of the breach, the kinds of information affected, recommended protective steps, and the steps we have taken. Where you are responsible for affected Client Data, we will assist you to meet your own notification obligations.
11.5 Limitation
While we implement commercially reasonable safeguards, you acknowledge that no system is completely secure, that incidents may occur despite reasonable precautions, and that internet-based services carry inherent risks. To the maximum extent permitted by law and subject to the ACL, we exclude liability for indirect, incidental, consequential or unforeseeable loss arising from cybersecurity incidents, unauthorised access, service interruptions or data breaches, except where liability cannot lawfully be excluded.

