Privacy Policy

Our policy on your privacy

CVCheck is a product provided by Kinatico Ltd and its subsidiary, CV Check (NZ) Ltd. At CVCheck we are highly committed to respecting the privacy of our customers, suppliers, visitors, applicants or anyone who engages with CVCheck and protecting their personal information.

It’s important that you feel secure whenever you deal with us, so you’ll be happy to know that CVCheck puts information security and privacy at the forefront of everything it does. The CVCheck platform has built in privacy by design and privacy by default.

However, it’s important that you understand not only how we protect your privacy but also how, when and where we may use and store your details. This is detailed in this Privacy Policy.

CVCheck complies with the relevant privacy legislation and principles in Australia and New Zealand which set out requirements for the gathering, handling, use, disclosure, storage, destruction or de-identification of
personal information. We also satisfy the General Data Protection Regulation for EU customers, although you should be aware that our website uses cookies. Additional details are below on our use of cookies.

This Privacy Policy relates to personal information that we collect and handle about you as a customer, supplier, visitor to our site, a job applicant or as someone who engages with us through social media, other digital services, correspondence or in person as a member of the public.

Our present and former staff should contact our legal team for details about how we maintain the privacy of their personal information.

What CVCheck does

Your personal information is at the centre of the services we provide, and we always aim to be clear and open about what we do with it. So, let’s start with a brief explanation of what CVCheck generally does with personal information.

The process of obtaining a background screening check necessarily involves multiple exchanges of personal information. Typically:

  • As an online portal, we need to create personal information (User ID), link it to more personal information (email address) and allow you to create more personal information (password), just to set up an account;
  • We need to collect personal information (names, date of birth, address history) from you to order a check;
  • We need to collect further personal information (ID documents) to confirm that the person making the application and giving consent and the identity the subject of the check are the same;
  • We need to pass personal information to a source (in the case of an Australian police check, the Australian Criminal Intelligence Commission), who may pass it on to multiple other sources (in the case of a police check, police agencies in different jurisdictions);
  • Those sources will need to pass back (again, possibly through the multiple sources) in the check result more personal information (e.g. criminal history or a reference) from their own records (or in the case of a referee, their opinion);
  • We may then need to share check results with a potential employer (as well as you, the applicant);
    Operating in a regulated environment means that we are compelled to keep certain records for certain periods of time (e.g. for 12 months in the case of a request for an Australian national police check) or to maintain an audit trail. Being an online portal to meet our regulatory obligations and for the effective management of the business (including for customer experience improvements) requires that we track and record, in some form, the multiple “journeys” through our platform, which requires cookies (see the section “cookies”, below).

What personal information do we collect?

Personal information means any information or opinion about an identified individual, or an individual who is reasonably identifiable.

In all cases, the personal information that we collect will depend on the nature of your interaction with us and we will only collect information necessary so that we can provide our services to you or for completing our interaction with you. Information will only be collected lawfully, fairly and not in an intrusive way.

If you are a customer, the personal information we may collect about you might include, for example, your name, contact details and date of birth, as well as copies of your identity documents. Personal information may also include information such as current or previous addresses, your career information, professional or trade qualifications, work history, references, financial information and previous legal claims, or information within checks ordered through CVCheck both before and after any information has been verified by CVCheck.

Where it is reasonable and practicable to do so, we collect your personal information directly from you when you sign on as a user, order checks, enter into arrangements with us, correspond with us or provide feedback to us. We will record, collect and hold information in relation to your transactions with us.

We may also collect other information, some of which may be personal information, including information about your order history with CVCheck, which areas of our website you visited (see the section “cookies”, below) and records of your communications and interactions with us. We may monitor and record your communications with us (including email and telephone) for security, dispute resolution and training purposes.

Depending on the products or services being provided or the reason for your interaction with CVCheck, we may also collect information about you from others. Such as:

  • Third party suppliers including but not limited to providers of criminal checks, law enforcement agencies, regulatory and licensing bodies, credit agencies, education providers, professional
    organisations or psychometric assessment providers.
  • Information regarding shareholders may be collected from our share registry.
  • Information from recruitment agencies, as well as prospective or previous employers.

Due to the nature of the products and services CVCheck provides, some of your personal information that we collect will be ‘sensitive’ information. This information will only be obtained with your permission – except where otherwise allowed by law.

We collect, use and exchange your information if we have a valid lawful reason to do so, and so that we can:

  • Confirm your identity
  • Assess your application for our products or services
  • Manage our relationship with you, including being able to provide our products and services
  • Contact and communicate with you
  • Improve our service to you and your experience with us
  • Minimise risks and protect against fraud, misuse or loss of data
  • Comply with laws, obligations or provide assistance to regulatory, government and law enforcement authorities
  • Manage our business.

Additionally, we may use your personal information for the following reasons:

  • Contract: We need to process your information in order to fulfil a contract you have with us, or because you have asked us to take specific steps before entering into a contract.
  • Legal obligations: We need to process your information for us to comply with the law (including contractual obligations).
  • Consent: You have given clear consent for us to process your personal information for a specific purpose.
  • Legitimate interests: We need to process your information for our legitimate interests or the legitimate interests of a third party. This legitimate interest can be overridden where there is a good reason to protect your personal information.

Bringing you new products and services

We may also use your information to tell you about products and services we think you might be interested in. To do this, we may contact you by email, phone, SMS, social media, mail or advertising.

Using data to give you better customer service and marketing

We’re always working to improve our products and services and give you the best customer experience. New technologies let us collate information we have about you and our other customers, for example transaction information. We analyse this data to learn more about you and other customers, and how to improve our products and services. We may also use data analysis to determine what products or services may be of interest to you and for general or direct marketing purposes.

If at any time you don’t want to receive direct marketing messages, you can unsubscribe. Alternatively, if you want to change your contact preference you can do this by emailing:

If you are a corporate client: [email protected]
If you are an individual: [email protected]

How long will we keep your personal information?

We will keep your information for as long as you are a customer of CVCheck, or pursuant to our legal obligations. For example, Australian criminal history checks are deleted after 12 months and identity documents provided when ordering one of those checks must be kept for 12 months and deleted within 15 months.

We aim to keep your information for only as long as we need it. Factors that may influence for how long we may keep your data include:

  • Fulfilling our legal or regulatory obligations
  • Internal research and analytics
  • Responding to a question or complaint or
  • Being unable to delete the data for technical reasons.

With whom do we share your information?

CVCheck will disclose your information only in accordance with the professional services we provide.

During the process of providing our services and depending on the products or services being provided or the reason for your interaction with CVCheck we may share information about you with third parties. Such as:

  • Third party suppliers including but not limited to providers of criminal checks, law enforcement agencies, regulatory and licensing bodies, credit agencies, education providers, professional organisations or psychometric assessment providers
  • Current employers or previous employers – for example to confirm your employment
  • Partner organisations
  • Government and law enforcement agencies or regulators
  • Business who do some of our work for us – including direct marketing and IT support
  • Auditors, insurers and re-insurers.

CVCheck will only partner with organisations or engage third-party suppliers /businesses, that have robust processes and procedures in place for the handling of personal information which is at least equivalent to CVCheck’s practices.

Integral to the CVCheck Platform is that you control who may see your results once products/services have been provided to you by CVCheck.

As you will appreciate, in certain circumstances we may be compelled by law to disclose your personal information to various authorities.

Sending your information overseas

To conduct a check, it will be necessary to disclose some of your personal information to the entity (or entities) that will verify the accuracy of your information. For a check relating to another country, that entity (or entities) will be in that other country and so your information must be disclosed overseas. CVCheck may use an agent as an intermediary, who may be based overseas, to conduct some international checks. If we are also checking information (for example, as a referee or a previous employer) and you have been engaged overseas it will be necessary to share your personal information (that is, your name and possibly your role) with someone internationally and therefore this information will be disclosed overseas. However, as you have requested the international check your consent will have been give prior to the disclosure of your information overseas.

As noted above, CVCheck may use some businesses and contractors who are based overseas to complete some of the work necessary to provide our Services. This may require an international transfer of information whilst that work is undertaken.

In terms of international agencies CVCheck will only partner with organisations or engage third-party suppliers, that have robust processes and procedures in place for the handling of personal information which is at least equivalent to CVCheck’s practices.

We hold personal information electronically and may hold some information in hard copy form, both at our own premises and with the assistance of our service providers. Our main database, where all verified records are held, is held securely in Australian data centres.

Our trained operators manage and process checks from operations centres in Australia, New Zealand or the Philippines. Usually, your information will be processed and managed by your local operation centre, but to provide a timely and efficient service, you may be assisted by one of our other operations centres, in which case your personal information may be viewed by those CVCheck staff who are overseas.

Keeping your information secure

We store your hard-copy or electronic records in secure building and systems or using trusted third parties. We also have a layered approach to our security.

Security by Design:

Our systems and processes are engineered to deliver security at all levels, with managerial oversight from the executive level down. Our Information Security Committee includes our most senior and experienced staff with a spread of expertise from Information Technology to Legal. The Security Committee sets the security policy framework that defines security measures and responsibilities for CVCheck’s staff and all operational departments.

Staff training:

CVCheck embeds privacy and security in our culture. We train our staff driving awareness and procedural compliance to keep your information safe and secure.

Physical Security:

We control access to sensitive areas, management of physical and electronic documents, and secure document disposal. We use a mix of alarms, cameras, guards and other controls in our buildings to prevent unauthorised access.

Platform security:

Security architecture, designs and implementation of our software and systems. CVCheck’s engineering team designed our online screening platform to ensure security from the ground up.

  1. File and database systems are encrypted at rest which means that every piece of data is protected 100% of the time.
  2. Our application incorporates role-based and departmental security to segregate data and ensure access to sensitive information is available on a need-to-know basis.
  3. All functionality is implemented to support best-practice security
    defences to thwart scripting attacks and other hacker modalities. –Firewalls and site monitoring block illegal traffic and record user events across the application to a separate audit server.
  4. We enforce the use of secure sockets between the user and our servers for all web page views (TLS 1.1 or later).
  5. Our application and operational processes only use secure point to point transport mechanisms to transfer sensitive data or materials. We don’t use unsecured transmission mediums, such as email, to exchange data or provide results with our users.
  6. Our engineering teams complete ongoing industry training to maintain their awareness of current commercial security practices and hacker exploits and the engineering techniques that protect against intrusion.
  7. We maintain rigorously updated patches on our servers to ensure
    that security updates are applied as soon as they are released.
  8. Your information is stored using secure AES-256 encryption in the Microsoft Azure data centres located in Sydney and Melbourne.

Audits and Testing:

Security assurance through external and independent audits, review, and regular penetration testing. CVCheck employs independent, industry certified, security experts with the experience and track record to support our security aims. We continue to run an annual program of penetration and security testing of the CVCheck online screening platform. This testing regime is supported by ongoing audit and architecture reviews to maximise the security of our application and the servers it runs on.

Transactional Security:

Secure data transfer technologies and payment gateways. CVCheck enforces secure socket layer (SSL) connections for every page of our website and our application. The use of SSL means that data traffic between your computer and our site is encrypted and protected at all times.

Secure Data Management:

All customer and operational data is held securely in Australian data centres. Our trained operators manage and process checks from our operations centres in Australia, New Zealand and Philippines. The CVCheck application architecture includes redundant servers with automatic fail-over and load balancing to ensure high availability, robust performance, fast response times and data preservation in the event of an equipment failure.

Destroying or de-identifying data when no longer required

We aim to keep personal information only for as long as we need it – for example for business or legal reasons. When we no longer need information, we take reasonable steps to destroy or de-identify it.

Minors and children’s privacy

We will generally seek parent or guardian consent to collect the personal information of children under 16. However, if we are legally obliged to provide the product to a person aged under 16 without such consent then we may not obtain consent in those circumstances. For example, minors in New Zealand are entitled to obtain their own criminal records without such consent.

For some products provided by CVCheck we are required to obtain parental or guardian consent for persons aged under 18 years of age, for example. Australian criminal history checks. Consent of parents or guardians will be obtained in those circumstances.

Access, updating and correcting your personal information

You have a right to access your personal information held by CVCheck. There is no charge to put in a request to see your information and we can easily provide you with general information such as your name, address and contact details. If you believe that this information is incorrect or out of date you may of course ask us to correct it.

We can also provide you with access to most check results on you (except for references given in confidence to a potential employer, or psychometric assessments). Please note that in giving a check result we are verifying an accurate record of what information the source has that corresponds to the information given about you. If you believe that the source has inaccurate, incomplete or misleading information, you may need to take that up with the source.

If we believe the information is correct and does not need correcting, we will let you know why. Please send your requests to:

Privacy Officer
Kinatico Ltd PO Box 7394
Cloisters Square WA 6850 Australia
or send an email to: [email protected]

Is there a fee?

Generally, we will not charge a fee for such requests. However, we may need to charge you a small administration fee to cover our costs if you want to access more detailed information and we spend time finding or putting together the information you want or if you want copies of information on your file. If there’s a fee, we’ll let you know how much it is likely to be, so you can choose if you want to go ahead. Generally, the fee is an hourly rate plus any photocopying costs and other expenses. You’ll need to pay us before we start or give us permission to take it out of your account.

Can we refuse to give you access?

In some cases, we can refuse access or only give you access to certain information. For example, we might not let you see information that is commercially sensitive or if it also contains someone else’s personal information. If we do this, we’ll write to you explaining our decision.

CVCheck’s compliance with GDPR

European Union (EU) based General Data Protection Rules (GDPR) legislation has replaced individual country data privacy laws in the EU, giving more rights to EU citizens (who are resident in the EU) as individuals and more obligations to organisations holding their personal information. CVCheck’s satisfies GDPR requirements and the additional information and your rights for EU citizens are set out in this Policy.

Special Information

The EU GDPR protects your special information. Special information is information about your religion, ethnicity, health or biometrics (for example, your fingerprints). We will only process this type of information if required, for example US criminal check, and only with your consent or where otherwise lawfully permitted. In addition to the rights detailed above, as an EU citizen you have the following additional rights:

The right to be informed how personal information is processed

You have the right to be informed how your personal information is being collected and used. If we require your consent to process your information you can withdraw consent at any time. If you withdraw consent, we may not be able to provide certain products or services to you. The right to withdraw only applies when the lawful basis of processing is consent.

The right to erasure

You may have the right to ask us to delete your personal information if there is no need for us to keep it. The right to erasure is also known as the right to be forgotten. You can make the request verbally or in writing. There may be legal or other reasons why we need to keep your data and if so we will tell you what these are.

The right to restrict processing

You have the right to ask us to restrict our use of your personal information in some circumstances. We may be able to restrict the use of your data. In this situation we would not use or share your information while it is restricted. This is not an absolute right and only applies in certain circumstances.

The right to data portability

In some circumstances you have the right to request we provide you with a copy of the personal information you have provided to us in a format that can be easily reused. All CVCheck check results are portable in this sense.

Rights in relation to automated decision making and profiling

You have rights over automated decisions. CVCheck does not currently make decisions based on the automated decisioning alone.

What are ‘cookies’ and how do they work?

A cookie is a small text file that is placed on your computer or mobile device when you visit a website. Cookies collect information about users and their visit to the website, such as their Internet protocol (IP) address, how they arrived at the website (for example, through a search engine or a link from another website) and how they navigate within the website. A cookie cannot read data from your hard disk or read cookie files created by other websites.

A cookie is a string of letters and numbers that uniquely identify the computer you are using and the Username and password you may have used to register at the site.

Two types of cookies are used on the CVCheck site.

The first type of cookie tracks the way that visitors use our site. These cookies help us to understand which pages are of the most interest to our users and the way that users move through our site. This type of cookie is anonymised and does not report any information that could personally identify any single user, including you. The result data gives us an aggregated view of the overall behaviour of all visitors but can’t tell us what any single user does.

The second type of cookie exists only for the time you are logged on to our site. These cookies are used by our application to create a secure user session when you login to our site using your username and password so that you can navigate around the secure areas of the site – without the need for you to re–enter information.

Some of the cookies are owned by CVCheck; some are owned by the third-party providers of tools (software) that we use in building, running or monitoring our site. Most browsers can be configured to refuse to accept cookies. You can also delete cookies from your hard drive. However, doing so may hinder your access to valuable areas of information within our site.

Access to other websites

Other websites that may be accessible via hyperlinks from the CVCheck website or through an Automated Platform Interface (API) are owned and operated by third parties and are not subject to CVCheck’s Privacy
Policy. CVCheck has no control over the content of those websites. Please review the privacy policy of each individual website you access and assess whether the policy is satisfactory to you before you use the other websites.

Making a privacy complaint – How can you make a complaint?

At CVCheck we value our customers. We will always aim to be fair and responsive. If you have a complaint you have the right to expect that we will handle it in a friendly and professional way. When we receive a
complaint, we look on it as valuable feedback that may help us to improve the services we offer and to ensure your needs are met in a satisfactory and appropriate manner.

If you wish to complain at any time about the handling, use or disclosure of your personal information just write to us at the following address:

Privacy Officer
Kinatico Ltd
PO Box 7394
Cloisters Square PO, WA 6850
Australia
or send an email to: [email protected]

We will make all efforts possible to investigate your complaint and advise you of the outcome as soon as
possible.

If the matter is not resolved to your satisfaction, you can then refer your complaint to the Office of the Australian Information Commissioner who can be contacted through the following website: https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint.

How do we manage a complaint?

We will:

  • Keep a record of your complaint
  • Respond to the complaint within a few days if we can, or tell you if we need more time to look into it
  • Keep you updated on what we’re doing to fix the problem
  • We will make all efforts possible to advise you of the outcome as soon as possible and in any event within 30 days of the complaint. Or if we cannot respond within that timeframe we will let you know
    why.

What else can you do?

If the matter is not resolved to your satisfaction after you have been through our internal complaints process, there are free and independent dispute resolution services available to you.

In Australia:
Office of the Australian Information Commissioner. GPO Box 5218 Sydney NSW 2001.
Fax: +61 2 9284 9666
Email: [email protected] Note that email that is not encrypted and can be copied or tracked.

In New Zealand:
Office of the Australian Information Commissioner. PO Box 10 094 Wellington 6143.
Fax: (04) 474 7595
Email: [email protected] Note that email that is not encrypted and can be copied or tracked.

In European Union:
Office of the Australian Information Commissioner. For list of relevant data protection authorities, please refer to the European Commission website.
UK authority: Information Commissioner’s Office Wycliffe House Wilmslow Cheshire SK9 5AF UK
Email: https://ico.org.uk/global/contact-us/email Note that email that is not encrypted and can be copied or tracked.