Privacy policy
Who this covers
InfoSek Consulting (ABN 79 778 034 907), a sole-practitioner consultancy run by Ben Jackson ("InfoSek", "I", "me"). This policy describes how I handle personal information across the consulting business and this website, and it sets out the terms on which you may use the site. It describes my practices; your rights arise under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), available from the Office of the Australian Information Commissioner at oaic.gov.au.
A note on scope, offered plainly: InfoSek falls within the Privacy Act's small business exemption. I comply with the APPs regardless. It is the standard I hold clients to, and it would be a strange look for a privacy adviser to claim an exemption from privacy law.
What I collect
What I hold depends on how we interact:
- Website enquiries: your name, organisation, role and email address, your phone number if you provide it, and the content of your message. The form is the only way this site collects information from you directly. Serving you the pages at all necessarily involves technical request data, such as your IP address, being processed by the hosting provider; that is described under service providers below, and I add nothing on top of it.
- Client engagements: the names, roles, and work contact details of client personnel I deal with; and personal information contained in the material a client asks me to review. Depending on the engagement's scope, that material can include employee information (names, roles, system access records, security training records), customer or end-user information held in the client's systems, system and access logs that identify individuals, incident and investigation records, and personal information appearing in the policies, registers, tickets, and correspondence provided for review.
- Business records: correspondence, engagement notes, contracts and engagement terms, deliverables and working papers, invoices and payment records, and insurance records.
- What I don't seek: I do not ask for sensitive information (as the Privacy Act defines it). If engagement material happens to contain it, I handle it only to the extent the engagement requires and with additional care.
What this website does not do
This site sets no cookies, runs no analytics, and does not track you. Your browser talks only to this site's own domain; nothing is loaded from any other origin. There is no advertising and there are no tracking pixels. Those statements are design requirements of the site, verified at every release, and this policy is updated if any of them changes.
How I collect
Directly from you when you contact me or engage me, and from clients when they provide material as part of an engagement. Where I receive personal information about individuals who are unaware of the collection, I take reasonable steps to ensure they are informed, usually through the client's own privacy notices, or I handle the information only to the extent the engagement requires.
How I use personal information
To respond to enquiries, deliver engagements, keep proper business records, and meet legal obligations. I do not use personal information for marketing lists, I do not sell it, I do not profile you, and I make no automated decisions about anyone.
Disclosure and service providers
Three providers touch personal information in the course of running InfoSek, and here is exactly what each one does:
- Cloudflare, Inc. hosts and serves this website, terminates the encrypted connection your browser makes, and runs the code that handles contact form submissions. Your request data, including your IP address, and anything you submit through the form is processed on Cloudflare's global network in the course of being delivered to me. Cloudflare is a US company operating infrastructure worldwide.
- Slack Technologies, LLC (US-hosted) is the channel that delivers contact form submissions to me, into a private channel only I can access. Client engagement material is never routed through Slack.
- Google Workspace runs my business systems: email, documents, and records, including engagement material. Google may store or process data in facilities outside Australia, including in the United States, under its own commitments.
Beyond those providers, I disclose personal information only to my insurer where genuinely necessary, or where the law requires it. I do not disclose client information to anyone else without the client's agreement.
Where information lives
Website requests and form submissions are processed on Cloudflare's global network. Enquiry messages are delivered through Slack's US-hosted service. Business records live in Google Workspace, which may store or process data outside Australia, including in the United States. Before personal information goes to any overseas provider, I rely on that provider's contractual and security commitments, and I remain accountable for it under APP 8.
Security
Access is limited to me. I work from hardened laptops and mobile devices, use a password manager, and enforce multi-factor authentication on every system that supports it. Information is encrypted in transit and at rest as provided by the platforms I use. Security is also, as it happens, the job.
Retention
I keep personal information only as long as it is needed, and for defined periods where records serve a purpose:
- Financial and client records, including invoices, payment records, contracts, and engagement terms, are kept for five years, consistent with Australian tax record-keeping requirements.
- Engagement artefacts, such as assessments, reports, and working papers created during an engagement, are retained for up to five years after the engagement ends. They are my record of what was actually delivered and advised, which protects both parties if that is ever disputed, and they may be required for professional indemnity insurance purposes.
- Everything else is kept only as long as it is useful, then destroyed or de-identified.
Data breaches
If I suspect a data breach involving personal information, I contain it and begin assessing it promptly. Where I have reasonable grounds to suspect an eligible data breach, I complete that assessment within 30 days, and usually sooner. If I conclude an eligible data breach has occurred under the Notifiable Data Breaches scheme, I notify the OAIC and affected individuals as soon as practicable. Where the information belongs to a client engagement, I also notify that client without undue delay.
Your rights
You can request access to the personal information I hold about you, and correction of anything inaccurate, out of date, incomplete, irrelevant, or misleading (APP 12 and APP 13). There is no charge for asking, and I respond within 30 days. You can deal with me anonymously for general enquiries where practicable; engagements generally require knowing who you are. If you believe I have mishandled your personal information, complain to me first at privacy@infosek.com.au and I will respond in writing within 30 days. If you are not satisfied, you can complain to the OAIC (oaic.gov.au). Separately, Australian law provides a statutory tort for serious invasions of privacy; if you believe your privacy has been seriously invaded, you may wish to seek independent legal advice.
Where the EU or UK GDPR applies
InfoSek serves Australian businesses, and in the ordinary course the GDPR does not apply to my handling of personal information. If I ever handle the personal data of individuals in the EU or UK in a way that attracts the EU or UK GDPR, the following applies to that handling only: I process personal data on the legal bases of contract performance, legal obligation, or legitimate interests, and on consent where nothing else fits; you have the GDPR rights of access, rectification, erasure, restriction, portability, and objection, and I honour them on the same 30-day footing as above; personal data breaches attracting Article 33 are notified to the relevant supervisory authority within 72 hours where feasible; and you may complain to your local supervisory authority (EU) or the UK Information Commissioner's Office. These provisions create no rights or obligations under Australian law.
Using this website (terms)
These terms cover this website only; client engagements are governed by their own written agreements. Content on this site is general information and professional commentary, current when written. Get advice on your specific circumstances before acting on any of it. The content is mine; link to it freely, and ask before republishing it wholesale. I aim to keep the site available and accurate but make no promises about either, and I exclude liability for reliance on the site to the extent the law allows; nothing here limits rights you hold under the Australian Consumer Law. These terms are governed by the laws of Victoria, Australia.
Changes
I update this policy when my practices or the law change. Changes take effect when posted here.
Contact
privacy@infosek.com.au · InfoSek Consulting, ABN 79 778 034 907.
Last updated: July 2026