Erris 2.0

Privacy Policy

ERRIS CYBER Privacy Policy 

1. Purpose 

This Privacy Policy explains how Erris Cyber collects, uses, holds, and discloses personal information. It reflects our commitment to handling personal information responsibly, transparently, and in accordance with applicable privacy legislation. 

As a cybersecurity consultancy, we understand that privacy and security are deeply interconnected. We apply the same rigour to protecting personal information that we bring to protecting our clients' systems and data. 

This policy applies to all personal information collected or held by Erris Cyber in connection with our business operations, client engagements, and website, regardless of how or where it is stored. 

2. Our Commitment 

Erris Cyber is committed to: 

  • Handling personal information with respect, care, and transparency. 
  • Collecting only the personal information we genuinely need for a specific, lawful purpose. 
  • Keeping personal information accurate, secure, and up to date. 
  • Giving individuals meaningful control over their personal information, including the right to access and correct it. 
  • Complying with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable to our New Zealand operations and clients, the New Zealand Privacy Act 2020.

3. What Personal Information We Collect 

The types of personal information Erris Cyber may collect include: 

  • Client and prospective client information:  names, job titles, contact details, organisational affiliations, and correspondence. 
  • Personnel information for employees and contractors: identity documents, employment history, qualifications, remuneration details, background screening results, and emergency contact details. 
  • Vendor and supplier information:  names, contact details, and relevant business information of individuals at our suppliers and partners. 
  • Website visitors:  technical information such as IP addresses, browser type, and pages visited, collected through cookies and analytics tools. 
  • Sensitive information:  in limited circumstances, such as background screening for personnel working in government or high-security environments, we may collect sensitive information (including criminal history checks) with the individual's consent and only to the extent required. 

We do not collect personal information we do not need, and we do not collect personal information about individuals without their knowledge except where permitted by law. 

4. How We Collect Personal Information 

Erris Cyber collects personal information: 

  • Directly from individuals when they contact us, engage our services, apply for employment or contracting roles, or visit our website. 
  • From third parties such as referees, background screening providers, or client organisations, where this is necessary and appropriate. 
  • In the course of delivering services where our work involves accessing client systems or environments that contain personal information belonging to the client's customers, employees, or other individuals. 

Where we collect personal information in the course of a client engagement, we do so as a service provider acting on the client's instructions and in accordance with the client's privacy obligations. In these circumstances, responsibility for compliance with applicable privacy law in relation to that information rests primarily with the client. 

5. Why We Collect and Use Personal Information 

Erris Cyber collects and uses personal information for the following purposes: 

  • Delivering cybersecurity consulting services and fulfilling our contractual obligations to clients. 
  • Managing our relationships with clients, suppliers, and partners. 
  • Recruiting, onboarding, and managing employees and contractors. 
  • Conducting background and security screening for personnel working in sensitive environments. 
  • Meeting our legal, regulatory, and contractual obligations, including mandatory reporting obligations. 
  • Communicating with individuals about our services, events, and insights where they have consented or where we have a legitimate business reason to do so. 
  • Improving our services and managing our business operations. 

We do not use personal information for purposes beyond those for which it was collected, except where the individual has consented or where permitted by law. 

6. Disclosure of Personal Information 

Erris Cyber does not sell, rent, or trade personal information. We may disclose personal information to: 

  • Technology partners and service providers such as cloud hosting providers, IT support services, and background screening agencies, where they assist us in delivering our services or operating our business. These providers are required to handle personal information in accordance with our instructions and applicable privacy law. 
  • Client organisations where sharing personal information (such as consultant credentials or background screening results) is necessary to meet contractual or security requirements. 
  • Regulators and authorities where we are required to do so by law, court order, or regulatory obligation, including mandatory data breach notification under the Privacy Act 1988 (Cth). 
  • Professional advisers such as lawyers and accountants, where necessary and subject to confidentiality obligations. 

Where personal information is disclosed to recipients located outside Australia, including in New Zealand or other jurisdictions where our technology partners operate, we take reasonable steps to ensure that the recipient handles that information in a manner consistent with the Australian Privacy Principles.

7. Security of Personal Information 

Erris Cyber protects personal information using security measures commensurate with the sensitivity of the information and consistent with our Information Security Policy. These measures include: 

  • Encryption of personal information in transit and at rest. 
  • Access controls and multi-factor authentication for systems holding personal information. 
  • Regular review of access rights and security controls. 
  • Secure disposal of personal information when it is no longer required. 

In the event of a data breach that is likely to result in serious harm to affected individuals, Erris Cyber will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). Where the breach involves personal information subject to the New Zealand Privacy Act 2020, we will also notify the New Zealand Privacy Commissioner as required. 

8. Retention & Disposal 

Personal information is retained only for as long as it is needed for the purpose for which it was collected, or as required by law or contract. When personal information is no longer required, it is disposed of securely in accordance with Erris Cyber's Records Management Policy. 

9. Access & Correction 

Individuals have the right to request access to personal information Erris Cyber holds about them, and to request correction of information that is inaccurate, incomplete, or out of date. Requests can be made by contacting us using the details in Section 11. 

We will respond to access and correction requests within a reasonable timeframe and in accordance with our obligations under the Privacy Act 1988 (Cth) and, where applicable, the New Zealand Privacy Act 2020. We may decline a request in limited circumstances permitted by law, and will provide reasons for any such decision. 

We do not charge a fee for making an access or correction request, though we may charge a reasonable fee for providing access where the request involves significant time or resources. 

10. Complaints 

If you believe Erris Cyber has mishandled your personal information or breached applicable privacy obligations, we encourage you to contact us in the first instance so we can address your concern promptly and directly. 

If you are not satisfied with our response, you may lodge a complaint with: 

  • Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992
  • Office of the New Zealand Privacy Commissioner (for matters involving New Zealand personal information): privacy.org.nz | 0800 803 909

11. Contact Us 

For privacy-related enquiries, access or correction requests, or complaints, please contact: 

Erris Cyber | info@erris.com.au | Suite 3, Level 27, Governor Macquarie Tower, 1 Farrer Place, Sydney NSW 2000

12. Policy Review 

This policy is reviewed annually, or following any significant change to Erris Cyber's operating environment, a material privacy incident, or a change in applicable legislation. The Directors of Erris Consulting Pty Ltd are responsible for approving revisions to this policy. 

Authorised by the Directors of Erris Cyber | Suite 3, Level 27, Governor Macquarie Tower, 1 Farrer Place, Sydney NSW 2000 | erris.com.au


Copyright © 2025 Erris - All Rights Reserved.
