Employee Privacy Policy — ASI AI Solutions

Policy Owner: People & Culture / Legal

Approved By: Chief Operating Officer

Effective Date: 1 January 2026

Review Date: 1 January 2027

Classification: Internal

Version: 1.0

1. Purpose

This policy describes how ASI AI Solutions collects, holds, uses, and discloses personal information about its employees (and prospective employees), and the rights of employees in relation to their personal information. The Company is committed to protecting employee privacy in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable state laws.

2. Scope

This policy applies to the personal information of all current and former employees (permanent, fixed-term, casual), prospective employees (job applicants), contractors, and volunteers. It covers personal information collected during recruitment, employment, and post-employment.

3. Legislative Framework

Legislation	Relevance
Privacy Act 1988 (Cth)	Australian Privacy Principles (APPs) governing the collection, use, disclosure, storage, and access to personal information. Note: the employee records exemption (s 7B(3)) exempts certain employee records from the APPs where the act or practice relates directly to the employment relationship. The Company nonetheless applies the APPs as best practice.
Workplace Surveillance Act 2005 (NSW)	Regulates surveillance of employees (camera, computer, and tracking surveillance) in NSW workplaces.
Surveillance Devices Act 2007 (NSW)	Regulates the use of listening devices, optical surveillance devices, tracking devices, and data surveillance devices.
Health Records and Information Privacy Act 2002 (NSW)	Health Privacy Principles governing the handling of health information by NSW organisations.
Fair Work Act 2009 (Cth)	Record-keeping obligations (s 535) and pay slip requirements (s 536). Confidentiality of family and domestic violence leave records.
Taxation Administration Act 1953 (Cth)	Obligations regarding Tax File Numbers (TFNs) — collection, use, storage, and disposal.

4. What Personal Information We Collect

4.1 Types of Information

The Company collects and holds the following categories of personal information about employees:

Category	Examples
Identity & contact	Full name, date of birth, address, phone number, personal email, emergency contacts, next of kin.
Employment	Position, employment history, contract, start/end dates, salary, superannuation details, bank account, Tax File Number.
Qualifications & screening	Educational qualifications, professional memberships, referee reports, background check results (police check, right to work).
Performance	Performance reviews, goals, development plans, disciplinary records, PIP documentation.
Leave & attendance	Leave applications and balances, timesheets, absenteeism records.
Health information (sensitive)	Medical certificates, workers' compensation claims, pre-employment medical assessments, EAP referrals (de-identified), fitness for duty assessments, disability and reasonable adjustment information.
Diversity data (sensitive, voluntary)	Gender, age, cultural background, Indigenous status, disability status — collected voluntarily for WGEA reporting and diversity initiatives.
IT & systems	Username, system access logs, device allocation, IP addresses (see Section 7: Monitoring).
Imagery	Photographs (ID badges, company directory), CCTV footage (see Section 6: Surveillance).

4.2 Sensitive Information

Sensitive information (as defined in the Privacy Act 1988 s 6) includes health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership, criminal record, and biometric data. The Company will only collect sensitive information where:

The individual has consented; or
Collection is required or authorised by law (e.g., police checks for certain roles); or
Collection is necessary to prevent or lessen a serious threat to life, health, or safety.

5. How We Collect, Use, and Disclose Information

5.1 Collection

Personal information is collected:

Directly from the employee (application forms, HRIS entries, interviews, self-service portals).
From third parties with the employee's knowledge or consent (referees, background check providers, superannuation funds, medical practitioners).
Through automated systems (IT system logs, timekeeping systems, CCTV).

The Company will only collect personal information that is reasonably necessary for the employment relationship (APP 3).

5.2 Use

Personal information is used for the primary purpose for which it was collected, including:

Administering the employment relationship (payroll, superannuation, leave, benefits).
Managing performance, development, and career planning.
Meeting legal and regulatory obligations (tax, WHS, workers' compensation, FW Act record-keeping).
Conducting investigations (disciplinary, WHS, complaints).
Workplace planning and reporting (WGEA, diversity metrics).
Communicating with employees about work-related matters.

5.3 Disclosure

The Company may disclose personal information to:

Government agencies where required by law (ATO, Fair Work Ombudsman, SafeWork NSW, Services Australia).
Third-party service providers who assist in employment administration (payroll provider, superannuation fund, HRIS vendor, background check provider, EAP provider) — subject to contractual privacy obligations.
Insurers (workers' compensation, income protection).
Legal advisers or investigators as necessary.
Courts or tribunals where required by law or legal proceedings.

The Company will not disclose personal information overseas without ensuring the receiving party is subject to substantially similar privacy protections (APP 8), or with the employee's informed consent.

6. Employee Surveillance

The Company complies with the Workplace Surveillance Act 2005 (NSW) in relation to any surveillance of employees. This section constitutes the Company's notice of surveillance activities.

6.1 CCTV (Camera Surveillance)

CCTV cameras are in operation at the Botany office for the purposes of:

Security of premises, equipment, and personnel.
Prevention and detection of unlawful activity.
WHS compliance (e.g., monitoring emergency exits).

Cameras are located in common areas including building entrances, reception, corridors, server rooms, and car park. Cameras are not located in bathrooms, change rooms, or designated private areas. Signage is displayed at all entry points to surveilled areas as required by the Workplace Surveillance Act 2005 s 11.

CCTV footage is retained for 30 days unless required for a specific investigation, in which case relevant footage is preserved. Access to CCTV footage is restricted to authorised personnel (Facilities Manager, IT Security, People & Culture, and senior management as required).

6.2 Computer Surveillance

In accordance with s 16 of the Workplace Surveillance Act 2005 (NSW), the Company provides the following notice:

Notice of Computer Surveillance: The Company monitors the use of Company-provided IT systems, including but not limited to email, internet usage, application usage, file access, and system login/logout times. This monitoring is conducted through endpoint management software and network logging tools for the purposes of:

Protecting the security and integrity of Company systems and data.
Ensuring compliance with the IT Acceptable Use Policy.
Detecting and responding to cybersecurity threats.
Investigating suspected breaches of Company policy or law.

Computer surveillance is conducted on an ongoing basis. Individual-level review of monitoring data will only occur where there is a reasonable basis for investigation.

6.3 No Covert Surveillance

The Company does not conduct covert surveillance of employees except where expressly authorised by a covert surveillance authority issued by a Magistrate under Part 4 of the Workplace Surveillance Act 2005.

6.4 Tracking Surveillance

The Company does not currently use GPS or location tracking on employee devices. If tracking is introduced in the future, employees will be given at least 14 days' written notice as required by the Workplace Surveillance Act 2005 s 18.

7. Monitoring of Email, Internet, and Devices

As noted in Section 6.2, the Company monitors the use of its IT systems. Employees should not expect privacy in relation to their use of Company-provided email, internet, devices, or cloud services. Key principles include:

All data transmitted through or stored on Company systems is considered Company data, subject to legal professional privilege and whistleblower protections.
Bulk/automated monitoring (e.g., web filtering, malware detection, DLP rules) operates continuously.
Targeted review of individual activity (e.g., reviewing email content, browsing history) will only occur where there is a reasonable suspicion of policy breach, misconduct, or security incident, and with approval from People & Culture and/or the General Counsel.
Employees are not permitted to access, read, or intercept another employee's email or files without authorisation.

8. Access to Personnel Files

8.1 Employee Right of Access

Employees may request access to their personnel file and personal information held by the Company. Requests should be made in writing to the People & Culture team. Access will generally be provided within 30 days of the request.

The Company may refuse or limit access where:

Providing access would unreasonably impact the privacy of other individuals.
The information relates to an ongoing investigation.
The request is frivolous or vexatious.
Providing access would be unlawful or would prejudice legal proceedings.

Where access is refused, the Company will provide written reasons.

8.2 Correction of Information

Employees may request correction of personal information they believe to be inaccurate, out of date, incomplete, irrelevant, or misleading. Correction requests should be directed to the People & Culture team and will be actioned within 30 days. If the Company refuses a correction request, the employee may request a statement of the correction sought be associated with the record.

9. Health Information

Health information is treated as sensitive information and handled with additional protections in accordance with the Health Records and Information Privacy Act 2002 (NSW). Specifically:

Health information is collected only where necessary (e.g., medical certificates for leave, fitness-for-duty assessments, workers' compensation claims, reasonable adjustments for disability).
Health information is stored separately from general personnel records with restricted access.
Health information is not disclosed to managers beyond what is necessary for managing the employment relationship (e.g., a manager may be told of work restrictions but not the diagnosis, unless the employee consents).
Pre-employment health assessments will only be conducted where the role has inherent physical or psychological requirements.

10. Data Retention and Destruction

Record Type	Retention Period	Authority
Employee records (pay, leave, hours, super)	7 years after termination	Fair Work Act 2009 s 535; Tax Administration Act 1953
Tax File Number records	Destroyed when no longer needed for tax purposes	Privacy (Tax File Number) Rule 2015
Workers' compensation records	7 years after the claim is finalised	Workers Compensation Act 1987 (NSW)
WHS incident records	30 years (for notifiable incidents) / 5 years (other records)	WHS Regulation 2017 (NSW) cl 38
CCTV footage	30 days (unless preserved for investigation)	Company policy
Recruitment records (unsuccessful applicants)	12 months after decision	Best practice
Performance reviews	Duration of employment + 7 years	Company policy; limitation periods
Training records	Duration of employment + 7 years	WHS Regulation; Company policy

Upon expiry of the retention period, records containing personal information will be securely destroyed (shredded for paper records; securely wiped or cryptographically erased for electronic records) in accordance with APP 11.2.

11. Data Breach Response

In the event of a data breach involving employee personal information, the Company will:

Contain the breach and take immediate steps to limit the impact.
Assess whether the breach is likely to result in serious harm (an "eligible data breach" under Part IIIC of the Privacy Act 1988).
Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable if the breach is an eligible data breach (Notifiable Data Breaches scheme).
Review the incident and implement measures to prevent recurrence.

12. Responsibilities

Role	Responsibility
All Employees	Protect the personal information of colleagues, clients, and third parties. Report suspected data breaches. Keep personal details up to date in the HRIS.
People & Culture	Manage employee personal information in accordance with this policy. Respond to access and correction requests. Ensure HRIS security. Train staff on privacy obligations.
IT / Security	Implement and maintain technical controls to protect personal information. Manage access controls, encryption, backup, and secure destruction. Monitor for data breaches.
Managers	Handle team member personal information with care and confidentiality. Only access information on a need-to-know basis. Do not store personal information locally.
Privacy Officer (General Counsel)	Overall accountability for privacy compliance. Handle privacy complaints. Liaison with the OAIC. Coordinate data breach response.

13. Complaints

Employees who believe their personal information has been handled in breach of this policy or the Privacy Act 1988 may:

Raise the concern with the People & Culture team or the Privacy Officer.
If not resolved, lodge a formal complaint with the Privacy Officer, who will investigate and respond within 30 days.
If still not satisfied, lodge a complaint with the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au / 1300 363 992.

14. Review

This policy will be reviewed annually, or sooner in response to legislative changes (including any reforms to the Privacy Act 1988 or the employee records exemption), data breach incidents, or audit findings. The next review is scheduled for 1 January 2027.