Cogito Group is committed to protecting the privacy and confidentiality of your information.

About this policy

Cogito Group complies with the requirements of the Privacy Act 1988. The Act incorporates both:

  • The Australian Privacy Principles (APPs); and
  • The Australian Government Agencies Privacy Code

All Cogito products and services are also subject to the Trusted Digital Identity Framework in relation to the
information it manages when you use the SecureSME system. You can find out more information about privacy rights and
responsibilities at the website of the Office of the Australian Information Commissioner.

The privacy policy deals with:

  • Our collection, storage, access to, use and disclosure of personal information;
  • Your rights to access and correct information we hold about you; and
  • How you can make a complaint if you feel your privacy has been interfered with.

This privacy policy is available at no cost. If you need access to this policy in an alternative format, contact
our Privacy Officer. We review this privacy policy from time to time to keep it up to date. Check this policy
periodically for changes.

How is Privacy Managed?

Cogito Group is bound by the following privacy principles, which regulate the way we handle your personal and
sensitive information:

  1. The Privacy Act 1988 (Privacy Act) which includes 13 Australian Privacy Principles
  2. The Privacy Act 2020 which includes 13 New Zealand Privacy Principles
  3. The United Kingdom’s Data Protection Act 2018, which is the UK’s implementation of the General Data
    Protection Regulation

Personal Information

Definition of Personal Information

‘Personal information’ means any information or opinion about an identified individual, or an individual who
is reasonably identifiable, whether the information or opinion is true or not and whether the information or
opinion is recorded in a material form or not.

How is Personal Information Collected?

We collect personal information, in accordance with APP 3 – collection of solicited personal information:

  • Directly from you;
  • Indirectly from you; and
  • From third parties

We will only collect sensitive information with your consent.

We collect, hold, use and disclose personal information for the purposes for which it was collected, related
purposes, and other purposes including:

  • Providing the services that our clients have requested.
  • Maintaining, managing and developing our relationship with clients and potential clients.
  • Service development, security and risk management.
  • Marketing our services, and administrative and operating purposes.
  • Organisation of events.
  • Assessing and considering applications from prospective employees, contractors, and service providers.
  • Developing and managing relationships with our employees, contractors, and service providers.

Directly from you

We will collect personal information directly from you when you use Cogito products and services to:

  • Register for Cogito products
  • Increase the identity strength associated with your Cogito account; and
  • Update your personal information.

If you do not consent to provide or share your personal information, you will not be able to create a Cogito
account.

If you will not or cannot verify your identity by creating a Cogito account, alternative options will be
available from the agency or service you are attempting to access.

Indirectly from you

We will record information about your device and system interactions when you use the SecureSME service to:

  • Manage your SecureSME account;
  • Monitor application use and system performance; and
  • Investigate and verify the operation of the SecureSME system.

From third parties

We collect your personal information from federal and state government authorities to verify and validate the
identity documents you provide to register your SecureSME account or increase your identity strength level.

For example, we will verify:

  • Australian Passport or travel documents with the Department of Foreign Affairs and Trade;
  • Driver’s licences with the state or territory roads and traffic authority that issued the document; and
  • Medicare cards with Services Australia.

Unidentified information

We may de-identify your personal information to compile reports and analyse statistical data related to using
the SecureSME system. We will use this data to understand use across the community and to enhance the SecureSME service, but no individual will be reasonably identifiable.

How we hold personal information

We protect your personal information in our systems against loss, unauthorised access, use, modification or
disclosure and other misuse.

We use a range of physical and technological controls to ensure that only staff who need to access your personal
information to perform their tasks can do so.

We apply industry-best security methods to protect the personal information we hold, including:

  • Information technology and physical security audits;
  • Penetration testing;
  • Industry best practice risk management; and
  • System security technologies.

To protect the confidentiality of your personal information, the personal information used to create, verify,
authenticate, and manage your account is stored separately from other records Cogito Group holds about you, such as your tax records.

Your personal information will be stored securely in Australia.

We will retain records of information associated with your account while your registration remains active.

The personal information we receive about you will, in almost all cases, be treated as a Commonwealth record. We
are bound by the Archives Act 1983, which governs the management, retention, and disposal of Commonwealth
records.

How you can access or correct personal information held about you

You can access and update certain information we hold about you through your SecureSME account or by asking us.

We will take reasonable steps to correct personal information that we hold about you when you ask us to. We want
to ensure the information we hold is accurate, up to date, complete, relevant and not misleading.

If you are unable to access personal information about yourself via SecureSME or from us, you can lodge a request
for those documents under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI
Act).

We will respond to a request within 30 days.

If we refuse your request to correct or amend your information, we will give you a written notice that sets out
the reasons for the refusal, unless it is unreasonable to do so.

We will advise you how to complain about a refusal.

We will not charge you for making an amendment request or for correcting personal information about you.

Complaints

If you would like more information about the way we manage personal information, would like to request access to
or correction of personal information that we hold about you, or wish to make a complaint, please contact our
Privacy Officer at:

  • Post – Attention “Privacy Officer” PO Box 4294, Kingston ACT 2604; or
  • Telephone – 1800 COGITO (264486)

We will respond to complaints within a reasonable period of time (usually 30 days). If you disagree with our
decision, you may refer your complaint to:

Australia

The Office of the Australian Information Commissioner by visiting www.oaic.gov.au, calling 1300 363 992 or by
emailing enquiries@oaic.gov.au.

New Zealand

The Office of the Privacy Commissioner by visiting https://privacy.org.nz/your-rights/making-a-complaint/,
calling 0800 803 909 or by emailing enquiries@privacy.org.nz.

United Kingdom

Information Commissioner’s Office (ICO) by visiting https://ico.org.uk/make-a-complaint/, calling 0303 123 1113
or by emailing casework@ico.org.uk.

Direct Marketing

If you are a client or have otherwise expressed interest and provided us with your contact details, we may
send emails to you with information about Cyber Security developments (such as publications, alerts and
newsletters) and marketing our services (such as seminar invitations).

We may use an “email management system” to automate the management and dispatch of these emails. The system operates by inserting tracking codes in the emails that we send to you. The tracking code allows us to collect personal information about you, such as whether you received and opened an email, and whether you clicked through to any links to our website. The personal information that the email management system collects and holds about you is used by us to:

  • Ensure that you only receive correspondence that you have informed us that you wish to receive.
  • Insert your personal information into our communications with you.
  • Determine whether the information that we send to you is suitable for your interests, information needs
    and profile.
  • Ensure that the email address that you have provided us is still operational.
  • Determine whether emails that we send to you are received by you.
  • Update a request that you make to us to unsubscribe from a publication that we send to you.
  • Review the effectiveness and relevance of our emails to you by collecting other statistical information.

If you do not wish for us to send you such emails, please let us know by contacting our Privacy Officer on 1800 COGITO (264486). You can also unsubscribe from our email notifications by clicking on the ‘Unsubscribe’ button at the bottom of our email notifications and following the prompts or by emailing us by clicking the ‘Contact Us’ button.

Published on: 27 March 2025