Personal information collected by Colourworks Australia Pty Limited (‘Colourworks’) is managed in accordance with this Privacy Policy. Colourworks is committed to protecting the privacy of individuals whose personal information we hold, and to complying with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.
WHY we collect personal information
We need to collect and use personal information to run our business — to do things like:
- fulfil orders for goods and services.
- operate our online services.
- provide commercial credit and finance.
- provide training, product, and service information.
- manage customer and other business relationships.
- deal with inquiries and feedback.
improve our products and services. - conduct events, promotions, competitions, and research.
- promote and market our company, products and services.
- understand our customers and community and tailor our products, services, marketing, offers, invitations, and communications to suit their needs; and
recruit staff and manage contractors.
WHAT kinds of personal information do we collect?
We collect personal information about our consumer customers, business contacts, job applicants, and others. Depending on the circumstances, we may collect their names and contact details, and information about their:
- transactions with us,
- use of our products and services.
- subscription preferences.
- interests and skill levels.
- participation in events, promotions and competitions that we offer,
- job applications; and
- other interactions and communications with us.
We may collect financial, credit-related and identity verification information about people to provide them or related entities with commercial credit or finance, lend equipment, operate product trade-in programs, or to comply with legislation like anti-money laundering laws and counter-terrorism laws.
We collect information about how people use our digital properties (including websites, social media sites, apps and electronic communications) and third-party websites (digital interactions). Also, if people share an image with us, we may collect the metadata (such as camera details and geolocation data) attached to that image. Usually, the digital interactions data and image metadata we collect is anonymous. However, where a person signs up for one of our services, we may link their digital interactions data and image metadata (past and future) to them. In that case we will treat all such data as personal information.
We provide opportunities for people to share additional information with us if they wish, such as product wish lists, imaging interests, experience level, preferences, product reviews, and social network profiles.
HOW we approach Direct Marketing
We like being direct and we don’t like imposing.
We will only send direct marketing communications to people if we have their consent, or the law otherwise permits. We may use any personal information we have collected about a person to tailor those communications to reflect their needs.
We will always provide a simple way to opt out of any direct marketing from us.
WHO do we usually disclose personal information to?
We need to share some personal information we hold with other businesses to enable them to help us with services like data storage, business processes, deliveries and so on. We only disclose what is necessary for them to do their job, and they are contractually obliged to keep your details safe.
Where we use cloud-based platforms to store or process personal information — including Microsoft 365 services such as OneDrive and SharePoint — those platforms are governed by appropriate data processing agreements and comply with applicable data protection standards. We take care to ensure that any third-party service providers we use meet our security and privacy requirements.
Where possible, Colourworks stores personal information on servers located within Australia. Our primary platforms, including Microsoft 365 and uniFLOW Online, utilise Australian-based data centres. In limited circumstances, certain processing functions may involve servers located overseas. Where this occurs, we take reasonable steps to ensure that personal information is protected to a standard that is at least comparable to the Australian Privacy Principles, including through appropriate contractual arrangements with our service providers.
HOW do we protect personal information?
We know how important it is to keep personal information secure, so we have a range of processes and controls in place, including:
- using secure servers and other appropriate measures to protect electronic data.
- multi-factor authentication (MFA) required for access to all company systems and work accounts.
- endpoint protection and device management controls across all company-issued devices.
- approved cloud storage platforms (Microsoft 365 OneDrive and SharePoint) as the primary repository for company and client information.
- measures to control internal access, including least-privilege access principles, physical access restrictions, network structures, and access tracking.
- secure third-party online payment methods.
- mandatory cyber security awareness training for all staff, conducted on a regular basis.
- when information is no longer needed, we ensure it is destroyed, deleted, or de-identified in a secure manner.
HOW long do we retain personal information?
We retain personal information only for as long as it is needed for the purposes for which it was collected, or as required by law. The retention period will vary depending on the nature of the information and the purpose for which it is held. When personal information is no longer required, we will take reasonable steps to destroy or permanently de-identify it.
If you would like to know more about how long we retain specific types of information, or if you would like to request deletion of your personal information, please contact our Privacy Officer.
Accuracy of personal information
We take reasonable steps to ensure that the personal information we hold is accurate, complete, and up to date. If your personal information changes, or if you believe the information we hold about you is inaccurate or incomplete, please contact our Privacy Officer so we can update our records.
Devices returned to or traded in through Colourworks
Where a Canon device is returned to or traded in through Colourworks, we will ensure that all data stored on that device is securely erased before it is repurposed, resold, or disposed of. This includes any stored documents, scan data, address book entries, authentication credentials, and network configuration data held in the device’s memory or hard drive.
We recommend that customers back up or retrieve any required data from a device before returning it, as data cannot be recovered once erasure has been completed.
Devices returned to other providers
Where a device is being returned directly to another provider — for example, non-Canon devices being returned to their respective suppliers or financiers — the responsibility for ensuring data is erased from that device rests with the customer and/or the receiving provider. Colourworks has no involvement in, and accepts no responsibility for, the data erasure process for devices not returned through Colourworks.
We recommend that customers request written confirmation from the receiving provider that all data has been securely erased from any device returned to them. Customers should also consider performing a factory reset or initiating the device’s built-in data overwrite function prior to returning the device, where this is possible.
Colourworks takes data security seriously. In the event of a data breach that is likely to result in serious harm to affected individuals, Colourworks will comply with its obligations under the Notifiable Data Breaches (NDB) scheme, which forms part of the Privacy Act 1988 (Cth). This means we will:
- assess suspected data breaches promptly to determine whether notification is required.
- notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable where a breach meets the threshold for notification.
- notify affected individuals where it is required or appropriate to do so, providing guidance on the steps they can take to protect themselves.
- take steps to contain the breach and prevent further unauthorised access or disclosure.
We maintain an incident register and follow a documented incident response process to ensure breaches are managed consistently and effectively.
HOW can I get in touch about my personal information?
If we hold personal information about you, you have rights to access it and/or ask us to correct it if it’s wrong. All you need to do is contact our Privacy Officer.
Please also contact our Privacy Officer if you have any concerns or complaints about how we’ve handled your personal information. They will investigate and respond in writing as quickly as possible. If you’re not satisfied after that, it is your right under the privacy legislation to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
Here’s how you can reach our Privacy Officer:
Colourworks Australia Pty Limited
Unit 1, 7 Pambalong Drive
Mayfield West NSW 2304
1300 351 594
privacy@colourworks.com.au
Personal information collected by Colourworks Australia Pty Limited and its wholly owned subsidiaries is managed in accordance with this Privacy Policy.
This policy may be updated from time to time. The current version is available on our website and upon request.
Note: This policy has been updated from the previous version dated October 2022. Key updates include the addition of data breach notification obligations under the NDB scheme, an expanded description of security controls, a new data retention section, reference to cloud storage platforms, and updated review date.