Board Benchmarking’s full Privacy Policy can be found below.
Board Benchmarking is a division of Insync Surveys (ABN 58 108 768 958) (Board Benchmarking).
Last updated: 10 February 2021
Your privacy and the personal information you provide have always been important to us. As our client, or someone who has received services or care from our client, or who is in a business relationship with our client, your ability to trust that your personal information is being protected is fundamental to our reputation. If you or your organisation has trusted us sufficiently to provide us with information, including your views on certain matters, we believe it is incumbent on us to act in a way that demonstrates that we are worthy of that trust. That includes taking all reasonable steps to protect personal information provided to us. Protecting that information and continually building your trust will also ensure that our reputation and ongoing success are enhanced.
We respect your right to be aware of who has information about you, what they are doing with it and why, and who else they are sharing it with. We have developed a privacy compliance culture that ensures supporting systems, policies and processes work together to constantly deliver this overarching objective, whilst complying with the myriad of regulatory requirements that underpin the legal minimums.
The key legislation that shapes most of our policy is the Privacy Act 1988 (Cth); however, we also comply with all applicable laws and regulations in all the jurisdictions where we operate, to the extent they are not inconsistent with Australia’s Privacy Act. This specifically includes the European Union (EU), where we comply with the General Data Protection Regulation (GDPR).
This Privacy Policy explains how Board Benchmarking collects and handles your personal information, and applies to all of our Services, including our websites, in all jurisdictions. We have developed this Privacy Policy to provide you with clear answers to your questions so you can understand how your personal information and data is collected, held, processed, shared and, ultimately, deleted, by Board Benchmarking.
This policy references the GDPR which contains requirements additional to those in the Privacy Act along with requirements that are essentially the same, but worded differently. Where the latter occurs, Board Benchmarking uses the Australian Privacy Act definitions to ensure consistency. Where there are no equivalent requirements (such as the ‘right to be forgotten’) Board Benchmarking uses the GDPR requirements.
One example where we use the Privacy Act definition versus the GDPR one relates to personal information. The GDPR applies to ‘personal data’. This means ‘any information relating to an identified or identifiable natural person’ (Article 4). This has similarities with the definition of ‘personal information’ in the Privacy Act, which is defined as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’ (s 6(1) of the Privacy Act).
Our basic principles to ensure compliance with both regulatory regimes are as follows:
We may update this Privacy Policy from time to time and the most current version will be posted on our website. We encourage you to periodically review this page for the latest information on our privacy practices. If you have any questions or concerns about our Privacy Policy, or with the handling of your personal information, please contact our Privacy Officer via the contact form in section 17 of this policy.
We believe, consistent with the requirements of the Privacy Act and GDPR, that your consent to our use of your personal information must be freely given, current, specific and informed, and must be an unambiguous indication of your wishes and/or agreement to the processing of that information. For this reason many of our Services will ask you to provide your consent as appropriate for the Service provided.
Unless permitted by applicable law, or by the appropriate parent or guardian, you must not permit any person under the age of 16 years to access our Services. We do not intentionally gather personal information from minors. If a minor submits personal information to Board Benchmarking and we learn that the personal information is the information of a person under 16 without the required permissions, we will delete the information. If you believe that we may have any personal information of a minor please contact our Privacy Officer via the contact form in section 17 of this policy.
We collect information relating to you and your use of our Services from a variety of sources. Some of this information is collected directly from you and some of this information is collected from your interaction with our Services, or the Client. How and what information we collect about you will depend on the way that you use our Services, for example, whether you are an Administrator, Respondent, an Individual Feedback User or Visitor.
We may collect the following information about Administrators, Respondents, or Individual Users:
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. For Administrators and Respondents, the Company, which is our Client, will be the controller of your personal information and Board Benchmarking will be the processor. For Visitors, Board Benchmarking will generally be the controller of your personal information.
The security of your personal information is very important to us. We take reasonable steps to ensure that your personal information is fully encrypted, both at rest and in transit. We follow generally accepted security standards to protect the personal information submitted to us, both during transmission and once it is received. Board Benchmarking’s surveys utilise 256-bit TLS encryption over HTTPS communications.
With respect to our secure client portals, no personal data is stored on client machines at any time throughout the process and no software is required to be downloaded. Details regarding cookies and tracking are fully disclosed in the Cookies Policy section below.
Please note that transmitting information over the Internet is never completely secure. Although we do our best to protect your personal information, we cannot guarantee that your personal information is absolutely secure in all situations. No one can.
Where we also collect personal information via paper surveys and face to face/virtual focus groups and/or interviews:
Security is a collaborative effort, so we always recommend that you keep your password for logging in to our services a secret and that you use a secure password credentials manager.
For further information on technology and security, visit our website and if you have further questions about the technology and security of our platforms, contact our Technology Team via the contact form in section 17 of this policy.
If you suspect there has been any unauthorised access, immediately contact our Privacy Officer via the contact form in section 17 of this policy.
Regardless of your location your personal information including survey data is collected and securely housed within the Microsoft Azure Cloud in Australia. This service includes ISO 27001 and Australian IRAP certifications. For backup, availability, redundancy and recovery, two locations are maintained.
Where you are located outside of Australia, or the Services involve one of our partners located outside of Australia, then your Personal Information may be disclosed to third parties in order for us to provide our Services. Such overseas recipients may be located in a large number of different countries which are likely to include the UK, USA and EU countries. It is not practicable to list every country where such overseas recipients may be located.
Information may also be shared with suppliers and clients from time to time using secure cloud-based services which are professionally managed, audited, and tested according to documented processes. Our contractual arrangements with our partners require them to store any personal information that we provide to them in a secure manner. We also take reasonable steps to ensure that our partners comply with their contractual obligations.
Except where an exception applies under the Privacy Act or GDPR, Board Benchmarking will take reasonable steps to ensure that overseas recipients to whom Board Benchmarking discloses personal information do not breach the Australian Privacy Principles stated in the Privacy Act or the GDPR.
For further information on technology and security, visit our website and if you have further questions about the technology and security of our platforms, contact our Technology Team via the contact form in section 17 of this policy.
As we find it important to retain identifiable data for future research purposes, personal information (e.g. your name and email address) will, if practicable, be stored separately from your responses with internal measures in place to help ensure the identity of the Respondents cannot be readily revealed from the other information. Where we use Respondent details within our Services, we keep passwords and emails separate to survey responses, unless a Respondent volunteers that information as part of their survey response (e.g., contact information is entered by Respondent for an optional follow up).
We use your personal information for a variety of purposes. How and what information we collect about you will depend on the way that you use our Services, for example, whether you are an Administrator, Respondent, or Visitor. In each case, the information we collect and process is reasonably necessary for our business, including providing you with the Services you would expect from us. We do not collect any information that is not required.
When you use our services as an Administrator or Individual User, you undertake that you will not use any reports or reporting portals in a way, or with the intention, to identify an individual or an individual’s responses.
When you use our Services as a Respondent, we may use your personal information to:
When you use our Services as a Visitor, we may use your personal information to:
In most cases, it will be very difficult for us to provide you with our Services if you do not provide us with your real name and contact details (primarily email). Many of the situations where we might have difficulty interacting with you anonymously, or via a pseudonym, are when you use our Services as a Respondent.
If lawful and practicable, you may use a pseudonym (or simply not identify yourself) when dealing with us. For example, if you have a complaint or concern about our site, or a general question about our Services or this Privacy Policy, you are welcome to contact us without identifying yourself. In some cases, however, if you do not provide us with information, we may not be able to provide you with our products or Services or respond adequately to you.
We will share your personal information with third parties only in the ways that are described in this Privacy Policy. In most cases, the information that we disclose to our employees will be directly necessary to provide our Services to you. However, there may be occasions where we need to disclose your personal information to our employees, service providers, professional advisors or other third parties, including to:
When you use our Services as a Respondent, we may also disclose your personal information for the purposes of:
Providing the Services: When you respond to Surveys, we will disclose that information to the Client. How your responses are displayed and what information may be used to analyse and report your responses (either in an aggregate or individual form) may vary from survey to survey. It is important that you read the Protection Of Your Responses notice before responding to a survey so you understand how your survey responses will be used and the ways they might be shared (if at all).
Creating aggregated de-identified data: We may create aggregated de-identified data for any purpose derived from data we hold about you. For example, we may create aggregated de-identified data to share with partners for business or research purposes, or for provision of our Services such as our survey benchmarks.
Fulfilling Client requests: Because the Client is normally the controller of your personal information, we normally hold and process your personal information on behalf of the Client. There may be occasions when the Client instructs us to disclose your personal information to a third party, such as a consultant or a new service provider. If instructed by the Client to transfer your personal information to a third party, we will sign a data transfer agreement with the Client and the third party if required, to ensure that they continue to observe the Protection of Your Responses Notice for each survey.
Preventing harm: We may also disclose your personal information to the Client or relevant authorities if your use of our Services indicates an imminent risk of harm to you or to others around you.
The law that applies to you in your location may confer upon you rights regarding your personal information, including the right to access, correct, delete, port, limit or stop the use or disclosure of your personal information.
We will respond to requests to access and correct (if necessary) your personal information as soon as possible. You have the following options when exercising your rights:
Access, correction, and deletion: If you want to review, correct (if necessary), or delete the information that we have collected and hold about you, please contact our Privacy Officer via the contact form in section 17 of this policy.
Data exports: If you request an export of the information that we hold about you, we will provide you with the data in a standard CSV or Excel format. To request a data export, please contact our Privacy Officer via the contact form in section 17 of this policy.
Newsletter and other communications: If you subscribe to our newsletter(s) or other communications, you may choose to stop receiving those communications by using the unsubscribe instructions included in our emails. If there are any ‘unsubscribe’ issues please contact us via our general enquiry form.
Other queries or requests: If you have a question or want to make a request that is not listed above, please contact our Privacy Officer via the contact form in section 17 of this policy.
We retain your personal information for as long as we provide our Services to the Client and until the Client requests us to delete your personal information, or as needed to comply with our legal obligations, resolve disputes or enforce our legal rights. We may keep your personal information in our encrypted and archived backups for up to 90 days from this point.
We will retain your personal information for as long as is necessary to provide our Services to you, or to comply with our legal obligations, resolve disputes, and enforce our legal rights. We may keep your personal information in our encrypted and archived backups for up to 90 days from this point.
You may request that we erase your personal information in some circumstances. This includes where the information is no longer necessary for the purpose for which it was collected, or where you withdraw your consent and there is no other legal ground for processing your data. If you provide us with a written request to do so we will take reasonable steps to erase your personal information including copies of that information. There are some exceptions to this right. Please contact our Privacy Officer via the contact form in section 17 of this policy for further information and to get support to complete this erasure process where necessary.
There is no equivalent ‘right to be forgotten’ under the Privacy Act; however, Board Benchmarking will take reasonable steps to destroy the personal information or to ensure it is de-identified if the information is no longer needed for any purpose permitted under the Privacy Act.
Please contact our Privacy Officer if you have any requests in relation to your personal information and/or any complaints about our compliance with this Privacy Policy or relevant privacy laws. We will treat your request and any complaint seriously. We will also investigate any alleged breach, including how it occurred, and how best to prevent future breaches (if relevant). You can contact our Privacy Officer via the contact form in section 17 of this policy.
If you have any complaints regarding our compliance with our Privacy Policy, the Privacy Act or legislation that is relevant to you in your location, please contact our Privacy Officer via the contact form in section 17 of this policy. However, if you are dissatisfied with our handling of your complaint, you may raise your complaint with the Office of the Australian Information Commissioner by contacting them at: https://www.oaic.gov.au/about-us/contact-us.
We and our marketing partners, affiliates, and service providers, use technologies such as cookies, beacons, tags, and scripts, to analyse trends, administer the Website, track users’ movements around the Website, and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual and aggregated basis.
We use cookies to remember users’ settings and preferences, and for session management. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our Services, but your ability to use some features or areas of our Services may be limited.
We use and require session cookies for filling out surveys and for authentication to access our secure cloud portals. Authentication cookies are retained for the length of a session by default and you can optionally choose to retain cookies to remain logged in for longer periods to selected services.
If you send or disclose any sensitive personal information (e.g., information related to racial or ethnic origin, sexual orientation or physical or mental health condition) to us when using the Services, you consent to our processing and use of such sensitive personal data as necessary to provide the Services. If you do not consent to our processing and use of such sensitive personal information, you must not submit sensitive personal information to us. You may subsequently modify or withdraw your consent to processing of sensitive personal data in accordance with applicable laws in certain jurisdictions and according to this Privacy Policy.
If you do not want the Client to send us sensitive personal information about you, you must make such request directly to the Client.
We display Customer or user testimonials and other endorsements on our Websites. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial or any other endorsement, please contact us via the contact form in section 17 of this policy.
We recognise the obligation to notify affected individuals, as well as the Australian Information Commissioner, of ‘eligible data breaches’ as defined for the purposes of Part IIIC of the Privacy Act. Likewise, within the EU we comply with the requirements of the GDPR (Articles 33-34) where we must advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a high risk to the rights and freedoms of individuals.
If you have any questions, concerns or complaints about our Privacy Policy or our data collection or data processing practices, or if you want to report any data privacy concerns or data security issues, please contact us at the address or via the form below, where we will assist or refer your question, concern or complaint to the appropriate party.
Board Benchmarking
Attention: Privacy Officer – Level 27, 367 Collins Street, Melbourne, VIC, 3000, Australia.
Or you can contact us via the form below:
In this Privacy Policy, a reference to:
Administrator means any person who has log in credentials to a secure Client Portal to review and share survey results;
Client or Company means, in relation to you, the person or entity that has contracted with Board Benchmarking to allow you to use Board Benchmarking’s Services. The Client or Company will generally be (i) your employer, or an identified subgroup (i.e., division, department, etc.) within your employer, or (ii) a Client or Company that considers you their client or customer or stakeholder;
Data means any content or data that you or third parties submit to Board Benchmarking when using the Services;
GDPR means the European Union’s General Data Protection Regulation in force since 25 May 2018.
Individual User means a person authorised by you who has access to a feature in our Services which allows individuals to view survey results, share those results with others, create action plans, and share those action plans with other individuals in their Company;
Board Benchmarking, we, us, or our means Board Benchmarking, a division of Insync Surveys Pty Ltd (ABN 58 108 768 958) of Level 27, 367 Collins Street, Melbourne VIC 3000, Australia, and any of its related bodies corporate;
Protection of Your Responses Notice means the notice given to Respondents at the time of responding to a survey conducted for a Client, including the degree of confidentiality and/or anonymity that the Respondent will have when responding to a survey;
Respondent means any person who accesses our Services to respond to one or more of our surveys (either wholly or partially);
Services means all products (including related mobile applications), services and Websites offered by Board Benchmarking;
Visitor means any person who visits our Websites;
Websites means, collectively, www.boardbenchmarking.com as well as the other websites and portals that Board Benchmarking operates and that link to this Privacy Policy; and
“You” or “your” means either an Administrator, Respondent, Individual User or Visitor, as applicable.