Privacy Policy

Everything ICT Pty Ltd (ABN 77 626 459 489)

Effective date: 1 March 2025  ·  Governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles

1. Overview

Everything ICT Pty Ltd (ABN 77 626 459 489) ("Everything ICT", "we", "us", "our") is a Brisbane-based managed service provider (MSP) operating in Queensland and throughout Australia. We are committed to protecting the privacy of individuals whose personal information we handle.

This Privacy Policy explains how we collect, use, hold, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs") contained in Schedule 1 of that Act.

This Policy applies to all personal information we collect through our website (everythingict.com.au), our service delivery activities, and our interactions with clients, prospective clients, suppliers, and job applicants.

By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.

2. What Personal Information We Collect

The types of personal information we may collect include:

  • Contact information: name, business name, email address, phone number, and postal address
  • Professional information: job title, role, organisation, industry sector, and staff count
  • Enquiry and communication records: the content of emails, contact form submissions, phone calls, and meeting notes
  • Service-related information: details about your current IT environment, software systems, and infrastructure required to deliver our services
  • Financial information: billing details, bank account or payment card details for invoicing purposes (processed through our payment providers)
  • Website usage data: IP address, browser type, pages visited, and referring URLs collected automatically when you visit our website
  • Employment information: if you apply for a role with us, résumés, qualifications, referee details, and right-to-work documentation

We do not intentionally collect sensitive information (such as health information, racial or ethnic origin, political opinions, or religious beliefs) unless you provide it voluntarily in the context of describing your organisation's compliance requirements. Where sensitive information is provided, we handle it with a higher standard of care consistent with the APPs.

3. How We Collect Personal Information

We collect personal information in the following ways:

  • Directly from you: when you complete our contact or IT Audit request form, call or email us, or engage us as a client
  • During service delivery: when we access client systems, networks, or documentation as part of providing managed IT, cyber security, or consulting services
  • From publicly available sources: such as company websites, LinkedIn, or ASIC records, where relevant to a prospective business relationship
  • Through our website: using cookies and analytics tools (see Section 10)
  • From third parties: such as referral partners, with your knowledge, or where permitted by law

We collect personal information only by lawful and fair means, and not in an unreasonably intrusive way (APP 3).

4. Why We Collect and Use Personal Information

We collect and use personal information for the following primary purposes:

  • Responding to enquiries and providing quotes or proposals
  • Delivering managed IT, cyber security, cloud, Microsoft 365, and IT consulting services
  • Billing, invoicing, and payment processing
  • Communicating with you about your services, including scheduled maintenance, security incidents, and service updates
  • Sending you resources, guides, or newsletters where you have opted in or where it is otherwise permitted under the Spam Act 2003 (Cth)
  • Improving our services, website, and internal processes
  • Meeting our legal and regulatory obligations, including under the Privacy Act 1988, the Spam Act 2003, and sector-specific frameworks such as the NDIS Practice Standards and the Aged Care Quality Standards
  • Assessing job applications

We will only use personal information for a secondary purpose if you have consented, if you would reasonably expect us to, or if permitted by law (APP 6).

5. Personal Information in Client Environments

As a managed service provider, we may access IT systems and data belonging to our clients during the course of service delivery. This may include systems that contain personal information about your employees, customers, residents, participants, or tenants.

When we access such systems, we act as a service provider to you (the data controller). We:

  • Access client data only to the extent necessary to deliver the contracted service
  • Do not use client data for any purpose other than delivering services to that client
  • Take reasonable technical and organisational measures to protect client data from unauthorised access, loss, or disclosure
  • Notify clients promptly if we become aware of a data breach affecting their environment
  • Where required, enter into data processing agreements with clients who operate under sector-specific privacy obligations (such as NDIS providers and Aged Care operators)

Clients remain responsible for their own Privacy Act compliance in respect of the personal information they hold. Everything ICT can assist clients with privacy risk assessments and compliance planning as part of our IT consulting service.

6. Disclosure of Personal Information

We do not sell, rent, or trade personal information. We may disclose personal information to third parties in the following circumstances:

  • Service providers: third-party vendors who assist us in delivering our services, including cloud hosting providers (Microsoft Azure), email and communication platforms (Microsoft 365), CRM and PSA tools, and accounting software. These providers are contractually required to handle personal information in accordance with applicable privacy laws.
  • Technology vendors: where necessary to resolve a support ticket or procure a solution on your behalf, we may share relevant details with software vendors such as Microsoft or other relevant technology partners.
  • Professional advisers: our lawyers, accountants, and insurers, where necessary and subject to confidentiality obligations.
  • Regulatory and law enforcement bodies: where required or authorised by law, including in response to a court order, subpoena, or regulatory request.
  • Business transfers: if Everything ICT is involved in a merger, acquisition, or asset sale, personal information may be disclosed as part of that transaction, subject to the acquirer agreeing to handle it consistently with this Policy.

We do not otherwise disclose personal information to third parties without your consent unless an exception under the Privacy Act applies.

7. Overseas Disclosure

Some of the third-party service providers we use may store or process data overseas. This includes:

  • Microsoft: cloud infrastructure and Microsoft 365 services, with data centres in Australia and globally
  • Communication and collaboration tools operating from the United States or Europe
  • Cybersecurity platforms with global threat intelligence infrastructure

Before disclosing personal information overseas, we take reasonable steps to ensure the recipient handles it in a way that is consistent with the APPs (APP 8). Where data is processed by Microsoft in Australia-based data centres, no overseas disclosure occurs for that data. For tools that process data offshore, we rely on contractual protections (including Standard Contractual Clauses where applicable) to ensure an adequate level of privacy protection.

8. How We Protect Personal Information

We take the security of personal information seriously and implement reasonable technical and organisational measures consistent with our own cyber security standards, including:

  • Multi-factor authentication (MFA) on all systems holding personal information
  • Role-based access controls limiting access to personal information to staff who need it
  • Encryption of data in transit (TLS) and at rest where applicable
  • Endpoint detection and response (EDR) on all company devices
  • Regular security awareness training for all staff
  • Documented incident response procedures aligned with our Notifiable Data Breaches obligations

No method of transmission over the internet is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

9. Notifiable Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we experience an eligible data breach, one that is likely to result in serious harm to individuals whose information is involved, we will:

  • Contain the breach and assess its scope as quickly as practicable
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable after becoming aware
  • Notify affected individuals directly where we have their contact details, or via a public notice where direct notification is not practicable

If we identify a potential breach in a client environment during the course of service delivery, we will notify the affected client as soon as practicable so they can fulfil their own NDB obligations.

10. Website Cookies and Analytics

Our website uses cookies and similar technologies to improve your browsing experience and analyse website traffic. We may use:

  • Strictly necessary cookies: required for the website to function (e.g., session management)
  • Analytics cookies: to understand how visitors use our site (e.g., Google Analytics or equivalent). This data is aggregated and anonymised where possible.

You can disable cookies through your browser settings. Disabling cookies may affect the functionality of some parts of our website. We do not use cookies for targeted advertising.

11. Retention of Personal Information

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Typical retention periods include:

  • Client records: for the duration of the service relationship and for 7 years after termination, consistent with Australian tax and corporate record-keeping obligations
  • Enquiry records: for 2 years from the date of the enquiry if no service relationship results
  • Employment applications: for 12 months if unsuccessful, unless you request earlier deletion
  • Website analytics data: in accordance with the retention settings of the analytics platform used (typically 26 months)

When personal information is no longer required, we take reasonable steps to destroy or de-identify it securely.

12. Accessing and Correcting Your Personal Information

Under APP 12 and APP 13, you have the right to:

  • Request access to the personal information we hold about you
  • Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading

To make an access or correction request, contact our Privacy Officer at solutions@everythingict.com.au. We will respond within 30 days. We do not charge for access requests, but may charge a reasonable fee for providing access if the request is complex or time-consuming. We may decline a request if an exception under the Privacy Act applies (for example, where providing access would unreasonably impact another person's privacy), and will explain the reason in writing.

13. Privacy Complaints

If you believe we have handled your personal information in a way that does not comply with the Privacy Act or this Policy, you may lodge a complaint with us.

Please direct complaints to our Privacy Officer at solutions@everythingict.com.au or by post to Level 3, 196 Wharf Street, Brisbane QLD 4000. Please describe your concern in as much detail as possible.

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we require additional time, we will notify you.

If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

14. Children's Privacy

Our website and services are directed to businesses and professionals. We do not knowingly collect personal information from individuals under the age of 18. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The current version will always be available at everythingict.com.au/privacy.

Material changes will be notified to active clients by email. Your continued use of our website or services following an update constitutes acceptance of the revised Policy.

16. Contact Our Privacy Officer

For all privacy-related enquiries, access requests, correction requests, or complaints, please contact:

  • Privacy Officer: Everything ICT Pty Ltd
  • Email: solutions@everythingict.com.au
  • Phone: 1300 622 922
  • Post: Level 3, 196 Wharf Street, Brisbane QLD 4000

This Privacy Policy was prepared in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (Schedule 1), the Notifiable Data Breaches scheme (Part IIIC), and the Spam Act 2003 (Cth). Clients operating under the NDIS Practice Standards, Aged Care Quality Standards, or the Health Records and Information Privacy Act 2002 (NSW) should seek independent legal advice regarding their own privacy obligations. Nothing in this Policy constitutes legal advice.