Privacy Policy – Passtab

This Privacy Policy describes how we at Invision Marketing Services (IMS) collect, use, and manage Personal Information (PI) that is collected and stored using Passtab.

Customers that are located within the European Union, click here to see our EU Privacy Notice.

Introduction

Passtab is used to collect and collate information about visitors, staff, contractors, students and others (Registrants) who arrive at and/or depart from premises of an organisation.

Passtab has an Administrator and a Visitor Module. The Administrator can access PI via web browser-enabled devices, including computers, tablets, and smartphones. The Visitor Module is used to record arrivals, departures, and movements of Registrants.

How we collect PI

We collect PI when we create a Passtab Administrator. We collect:

a. Account name
b. Email address
c. Password
d. Organisation name and address
e. Contact Phone Number
f. Contact Name

We also collect PI when a Registrant uses the Visitor Module to register arrival or departure from premises. The Administrator (not IMS) determines what information is collected; depending on category of Registrant, it may typically include:
a. Arrival and departure time
b. Category of Registrant
c. The access point for arrival and departure
d. A PIN associated with a Registrant
e. Employer (if a contractor)
f. Reason for visit
g. Electronic signature
h. Photo image
i. Phone number
j. Certificate expiry date
k. Items booked out to the Registrant

How we use PI

We use Administrator-related PI to manage, service, and invoice our accounts.

We monitor PI relating to Registrants to maintain optimum system performance.

In addition, Administrators (not IMS) use PI they have collected to manage their facility. This includes managing emergencies by allowing Administrators and delegated staff to view the database of Registrants who are on or off the premises.

How we manage PI

PI is stored on a secure server provided by Amazon Web Services that is physically located in Australia. Communication between the Administrator account and the server is encrypted in transit. Access to the secure server is restricted to authorised IMS personnel and we do not disclose PI to overseas recipients.

We do not combine PI with other data or modify it. We do not disclose PI to third parties unless directed by the Administrator, or required by law or government regulation, or with your explicit consent. When an account is closed, we delete its PI after one month.

We manage the passwords for Administrators. Administrators have password-protected access to all PI relating to Registrants. Administrators can also delegate password-protected access to other people. Registrants do not have access to PI when using the Visitor Module.

Administrators can view, download and store PI. Security for viewed and downloaded data is the responsibility of Administrators. It is also the responsibility of Administrators to advise Registrants of their privacy policy in relation to viewed and downloaded data, and, if necessary, this Privacy Policy.

Reporting Breaches of Privacy

We are committed to ensuring the privacy of all PI we collect. Certain compulsory obligations have been placed on organisations under the Privacy Act 1988 (Cth) to notify specific types of data breaches (Notifiable Data Breaches, “NDB”) to individuals affected by the breach as well as to the Office of the Australian Information Commissioner (OAIC). An NDB is one that is likely to result in serious harm to any individual to whom the information relates.

The requirements under the NDB do not apply to IMS; however, we are committed to ensuring the protection of all PI and we have therefore committed to comply with the obligations and have updated our internal privacy program accordingly.

In the event of a PI data breach of either Administrator Information or Registration Information, IMS will notify the party affected within 7 days of IMS becoming aware of the breach, and provide:
a. Our identity and contact details;
b. A description of the data breach;
c. The kinds of information that are suspected of being obtained;
d. Recommendations about the steps you should take to limit the impact of the breach; and
e. Advice as to whether we have contacted the OAIC about the breach.

How to access your PI

You have a right to access your PI that we hold and ensure that it is correct. For information on how to access your PI at IMS please contact our privacy officer with your request:

Laura Hunt
Operations and Data Protection Manager
Invision Marketing Services Pty Ltd
Suite 8, 410 Burwood Highway, Wantirna South, Victoria, 3152
Within Australia: 03 9800 1489
Outside Australia: +61 3 9800 1489
Email: laurahunt AT invision.net.au (Replace AT with @)

We will endeavour to respond to your request within three business days.

Changes to our Privacy Policy

Our Privacy Policy complies with the Australian Privacy Principles contained within the Privacy Act 1988 (Cth). We may amend this Privacy Policy to reflect changes in legislation or our business. If we amend the policy we will post the change on our website.

Response to Requests

If you are not satisfied with our response to your request for information, you may wish to contact the Office of the Australian Information Commissioner:
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
www.oaic.gov.au

This privacy statement was updated on: 20/04/2021

Privacy Notice European Union – Passtab

This Privacy Notice describes how we at Invision Marketing Services (Invision) collect, use, and manage Personal Data that is collected and stored using Passtab for customers in the European Union. This notice is compliant with the EU General Data Protection Regulation (GDPR).

Introduction

Passtab is used by our customers to register people who arrive at and/or depart from their premises. Our customers collect personal data – using Passtab – so that they are able to identify individuals in order to comply with their security and emergency management policies.

Invision uses Passtab to process personal data in accordance with instructions provided by our customers.

Our customers view, retain, erase and download their personal data that has been collected using Passtab in accordance with their instructions.

Invision is a data processor and our customers are data Controllers. The relationship between Invision and our customers is governed by the GDPR Addendum to the Passtab Terms and Conditions of use.

Passtab includes an administrator module. Our customers, using the administrator module, can access Personal Data via web browser-enabled devices, including computers, tablets, and smartphones.

Personal Data we collect

We collect Personal Data in accordance with instructions provided by our customers. The customer (not Invision) determines the categories of the personal data that is collected.

Depending on the requirements dictated by the security and emergency management policies of the customer, Personal Data that is collected on behalf of the customer may typically include:
• Visitor name and contact information
• Arrival and departure time
• Category of visitor
• The access point used for arrival and departure
• A PIN associated with a visitor
• Employer (if the visitor is a contractor)
• Reason for visit
• Electronic signature
• Photo image
• Information relating to certificates

When we create a customer account, we also collect the name and contact details of the customer’s nominated representative.

Consent for collection of Personal Data

As the Controller, the customer is responsible for obtaining consent for collection of Personal Data for the visitors to their organisation. In accordance with the GDPR Addendum of the Passtab Terms and Conditions of use, Invision is solely a processor of Personal Data on behalf of the customer.

Passtab includes technical features that the customer may use to facilitate the obtaining of consent from data subjects.

We collect Personal Data to fulfil a contract with the customer to provide visitor registration and related services.

How we use Personal Data

We monitor de-identified statistics generated in the course of processing Personal Data in order to maintain optimum system performance.

We do not combine Personal Data with other data, modify it, or disclose it to third parties. We do not contact data subjects unless required by a provision of the GDPR. When an account is closed, we delete its Personal Data after 60 days.

We note, for the avoidance of doubt, that the customer (not Invision) may use Personal Data, that has been collected and subsequently downloaded from Passtab, to comply with their security and emergency management policies. Use of Personal Data outside the Passtab system by customers is governed by the respective privacy notices of those customers.

We use account-related Personal Data to manage, service, and invoice our accounts.

How we manage Personal Data

Personal Data is stored on a secure server provided by Amazon Web Services that is physically located in the EU. Communication between the Administrator account and the server is encrypted in transit. Data is also encrypted at rest.

Access to the secure server is restricted by password to authorised Invision personnel.

We note, again for the avoidance of doubt, that customers can view, download and store Personal Data from the Passtab system. Security for viewed and downloaded data is the responsibility of customers. It is also the responsibility of customers to advise data subjects of their privacy policy in relation to viewed and downloaded data, and if necessary, this Privacy Policy.

Customers have password-protected access to all Personal Data in the Passtab system and are responsible for delegation of password-protected access to other people.

Your Rights

You have the right to access any Personal Data that we hold about you and to request information about:
• The nature of Personal Data we hold about you
• Why and how we process your Personal Data
• The recipients to whom Personal Data has or will be disclosed
• For how long we intend to retain your Personal Data
• If we did not collect the data directly from you, information about the source

Note, however, that Invision is a processor for our customers. Our customers determine which categories of data to collect and are responsible for obtaining your consent. Moreover, customers have complete access to all data relating to their account in the Passtab system – Invision does not have any personal data in addition to that which our customers can view and download.

Therefore, in the first instance, requests for access to, or erasure of, Personal Data should be sent to our customer – which will be the organisation where you registered as a visitor.

If you are not able to contact the customer, or are not satisfied with the response you receive, please contact us with your request using the contact information below.

Data Security

Passtab data security features include:
• Contracting Amazon Web Services (AWS) to host the Passtab database and the Invision CRM database
• Databases being physically located in the European Union
• Data backup being controlled by the AWS ‘back-up and restore’ system
• All data being continually replicated across fault-tolerant and self-healing database servers for maximum reliability
• Encrypting all data that is transmitted between the app/browser and server using the industry standard TLS 1.2 protocol
• Encryption of all data at rest
• Use of customer passwords that are a minimum of six characters

Invision organisational data security measures include:
• Password protected access for staff
• Scheduled data protection training for staff
• Scheduled data protection assessments for staff
• Scheduled audit of the end-to-end process with a focus on data security
• Processing of all personal data within the Passtab system
• Appointment of a Data Protection Officer

Personal Data is not transferred outside the European Union.

Retention of Personal Data

Our customers manage your Personal Data within the Passtab system. Therefore, our customers determine how long to retain Personal Data in accordance with their respective policies and data retention and erasure policies.

If you have any questions relating to the retention of Personal Data, in the first instance, please contact our customer – which will be the organisation where you registered as a visitor.

If you are not able to contact the customer, or are not satisfied with the response you receive, please contact us with your request using the contact information below.

How to access your Personal Data

For information on how to access your Personal Data at Invision please contact our Data Protection Officer at our registered office with your request:

Laura Hunt
Operations and Data Protection Manager
Invision Marketing Services Pty Ltd
Suite 8, 410 Burwood Highway, Wantirna South, Victoria, 3152
Within Australia: 03 9800 1489
Outside Australia: +61 3 9800 1489
Email: laurahunt AT invision.net.au (Replace AT with @)  

We will endeavour to respond to your request within three business days.

Changes to our Privacy Notice

Our Privacy Notice complies with the EU General Data Protection Regulation Privacy 2016/679 applicable at 25 May 2018. We may amend this Privacy Notice to reflect changes in legislation or our business. If we amend the notice, we will post the change on our website (www.poc.passtab.com).

This privacy statement was updated on: 26/05/2022