1. Introduction
  2. Personal Information
  3. Information We Collect
  4. How We Collect Personal Information
  5. Purpose of Collection
  6. Use and Disclosure of Personal Information
  7. Marketing
  8. Quality & Correction
  9. Access
  10. How We Store Personal Information
  11. Website Cookies & Google Tools
  12. Changes to Our Privacy Policy
  13. Complaint Resolution
  14. Disclosure to Overseas Recipients
  15. Contact Us
  16. Annexure A – Data Breach Response Plan
    Reviewed 14 April 2024
    Enacted 19 June 2024
  17. Introduction
    Traffic Monitoring Services (TMS) Pty Ltd (ABN:79 142 495 752) (we, us, our and other similar expressions) respects the privacy rights of all individuals with which it deals with across all aspects of our business.
    This policy tells you how we collect, use, distribute and protect your personal information. We encourage you to read this policy carefully so that you understand our information handling practices.
  18. Personal Information
    Personal information is defined to be information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  19. Information We Collect
    In order to provide you with services, we may need to collect, use and disclose personal information about you or others. If we are not provided with all the personal information we request, we may not be able to provide our services.
    The extent and type of personal information we collect and handle depends on which service you use, but may include your name, address, email address, mobile number.
  20. How We Collect Personal Information
    Generally, we collect your personal information directly from you. For example, we collect personal information from you when you apply for a job with us or you otherwise make contact or correspond with us. There may be occasions where we need to source personal information about you from a third party. For example, we may collect personal information from companies with whom you work, other organisations with whom you have dealings, information service providers, people or organisations you authorise us to make contact with or to provide us with your personal information, or from publicly maintained records.
  21. Purpose of Collection
    We collect personal information for the following purposes:
    • To identify users of our service, potential users and their representatives,
    • To provide our services,
    • To develop and implement initiatives to improve our service,
    • To develop new services,
    • To seek your opinions or comments about our services,
    • To inform you (by way of direct marketing or otherwise) about offers or other benefits and products and services that are available from us, our related entities and third parties that we consider may be of interest to you,
    • To carry out our management, administrative, quality assurance and complaint handling activities in a professional and efficient manner (including but not limited to the management of the facilities we use to provide our services and meeting any contractual obligations we have in connection with those facilities),
    • To conduct consumer and market research and to assist with the development of product and service offerings for us and our related entities,
    • Processing job applications,
    • To follow up or pursue any queries you make; and
    • Any other purpose that you may authorize at the time of, or before, the information is collected.
  22. Use and Disclosure of Personal Information
    We use and disclose the personal information we collect for the purposes indicated above, for other secondary purposes, and for directly related purposes, as permitted by applicable privacy laws.
    We may disclose the personal information we collect to our related entities, service providers and contractors, who help us supply and/or develop our products and services which may include management, administrative, quality assurance and complaint handling activities, research and any of the other matters described in paragraph 5 above.
    We may be required, as a result of contractual obligations, to disclose personal information we collect to the landlords of particular car parking facilities we manage and operate, and to auditors who conduct audits of our business and services.
    Except as indicated above, we will not use or disclose your personal information unless:
    • you have consented to the use and/or disclosure;
    • the third party is our related entity, affiliate, agent, service provider or contractor, in which case we will require them to use and disclose the personal information only for the purposes for which it was provided to them;
    • the third party is a person involved in a dealing or proposed dealing (including a sale) of all or part of our assets and business; or
    • the disclosure is permitted, required or authorised by or under law.
  23. Marketing
    We may use personal information to advise you of new products and services and marketing initiatives that we think may be of interest to you. This may include product or service offerings, newsletters and general information about us or third parties.
    If you wish to stop receiving information about our products and services, you can either:
    • contact us and ask to be removed from the relevant circulation list. Contact details for our Privacy Officer appear at the end of this policy; or
    • follow the unsubscribe directions or click on the unsubscribe facility in the relevant electronic message.
    Unsubscribing however, will not end transmission of service-related emails from us, such as administrative email alerts in relation to your account settings.
  24. Quality & Correction
    At all times we strive to ensure that the information we hold about you is accurate, complete and up-to-date. You have the right to correct your personal information, so if at any time you believe the personal information that we hold about you is incorrect, incomplete or inaccurate, please contact our Privacy Officer using the contact details set out in section 14 below. We will use all reasonable efforts to correct the information.
    If you are located in New Zealand, then in addition to your rights to request access to (as set out in section 9 below), and correction of, your personal information you also have the right to:
    • provide us with a statement of any correction you seek to be made to your personal information (Statement of Correction); and
    • if we do not agree to make the correction you have sought, request that we attach the Statement of Correction to your personal information so that it is read together with your personal information where reasonably practicable.
  25. Access
    If at any time you want to obtain confirmation that we hold personal information about you and know what personal information we hold about you, you are welcome to request access to your information by contacting us at the contact details listed in section 13 below. However, where:
    • the access impacts on the privacy of others;
    • the request for access is frivolous or vexatious;
    • there are existing or anticipated legal proceedings to which the personal information relates;
    • any other grounds for withholding the personal information requested under applicable laws apply; or
    • such access can be, or is required to be, otherwise denied under law or by a law enforcement agency, we may not be able to provide you with access to the personal information we hold about you. If we deny your request for access, we will let you know why. If we provide you with any copies of your personal information, we reserve the right to charge a fee to cover the reasonable costs we incur in processing your request.
  26. How We Store Personal Information
    We take all reasonable steps to keep secure any personal information that we hold about you and to protect your personal information from loss, unauthorised access, use, alteration or disclosure, or misuse. We maintain a range of computer and network security measures (such as systems access and firewalls) over personal information you provide to us electronically. Our employees are obliged to respect the confidentiality of any personal information held by us. We also maintain physical security procedures to manage and protect the use and storage of records containing personal information.
    If there is a suspected or known breach, our primary concern is to contain the breach where possible. In order to do this we will need to take steps to quickly limit further access or distribution of the affected personal information. The steps to be taken are set out in the Data Breach Response Plan attached as Annexure A to this Policy.
  27. Website Cookies & Google Tools
    To ensure we are meeting the needs and wants of our website users, and to develop our online services, we may collect aggregated information by using cookies or similar electronic tools.
    Cookies are small amounts of information sent from a web server to your computer. These cookies are used to retain login and location information in order to make your experience more convenient and personal. We do not use cookies to track your internet activity before or after you leave our website. No other company has access to our cookies.
    We use Google tools (e.g. Google Analytics). The Google Analytics service issues cookies from its own servers and will be able to track visitors throughout our website. For more information on how Google Analytics collects and processes data, please click here. Please refer to Google’s Privacy Policy here for more information. We also use WordPress essential cookies to make our site work.
  28. Changes to Our Privacy Policy
    We may update or change this policy at any time. When we do so, we will publish the current policy on our website. The amended policy will apply between us whether or not we have given you specific notice of any change.
  29. Complaint Resolution
    We are committed to constantly improving our procedures so that personal information is treated appropriately. If you feel that we have failed to deal with your personal information in accordance with this policy, please contact us at the details below so that we have an opportunity to resolve the issue to your satisfaction.
    We will log your complaint and our privacy officer will, within a reasonable time:
    • listen to your concerns and grievances;
    • discuss with you the ways in which we can remedy the situation; and
    • put in place an action plan to resolve your complaint and improve our information handling procedures if appropriate.

If you are located in Australia and remain dissatisfied, you can also make a formal complaint with the Officer of the Australian Information Commissioner:
Office of the Australian Information Commissioner (OAIC)
Complaints must be made in writing
Tel: 1300 363 992
Director of Compliance
Office of the Australian
Information Commissioner
GPO Box 5218
Sydney NSW 2001

  1. Disclosure to Overseas Recipients
    We are likely to disclose limited personal information to recipients located in Australia, New Zealand, Japan, Philippines, United Kingdom and India, for (including but not limited to) account management and administrative purposes.
  2. Contact Us
    If you wish to access any personal information that we hold about you, or have a query about this policy, please contact our Privacy Officer:
    Privacy Officer: Traffic Monitoring Services (TMS)
  3. Annexure A
    Traffic Monitoring Services (TMS) – Data Breach Response Plan
    This data breach response plan (Response Plan) sets out procedures and clear lines of authority for Traffic Monitoring Services (TMS) staff in the event that Traffic Monitoring Services (TMS) experiences a data breach (or suspects that a data breach has occurred).
    A data breach covered by the notifiable data breaches (NDB) scheme occurs when personal information is lost or subjected to unauthorized access or disclosure. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals and entities.
    This response plan is intended to enable Traffic Monitoring Services (TMS) to contain, assess and respond to data breaches in a timely manner, to help mitigate potential harm to affected individuals and to comply with the NDB scheme that commenced on 22 February 2018.
    The plan sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist Traffic Monitoring Services (TMS) to respond to a data breach.
    Traffic Monitoring Services (TMS) experiences data breach/data breach suspected Discovered by Traffic Monitoring Services (TMS) staff member or Traffic Monitoring Services (TMS) otherwise alerted.
    What should the Traffic Monitoring Services (TMS) staff member do?
    • Immediately notify your manager of the suspected breach.
    • Record and advise your manager of the time and date the suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
    What should the manager do?
    • Determine whether a data breach has or may have occurred.
    • Determine whether the data breach is serious enough to escalate to the Data Breach
    Response Team. If so, immediately escalate to the Data Breach Response Team – ELT.
    Alert Traffic Monitoring Services (TMS) data breach response team coordinator (CIO)
    Coordinator convenes a data breach Response Team Meeting.
    When should a data breach be escalated to the Traffic Monitoring Services (TMS) Data Breach Response Team? General Managers to use discretion in deciding whether to escalate to the Response Team
    Some data breaches may be comparatively minor, and able to be dealt with easily without action from the data breach Response Team (consisting of nominated members of the Traffic Monitoring Services (TMS) Executive Leadership Team (ELT) from time to time).
    For example, a Traffic Monitoring Services (TMS) officer may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled, or if the officer can contact the recipient and obtain an assurance that the recipient has deleted the email, it may be that there is no utility in escalating the issue to the response team.
    General Managers should use their discretion in determining whether a data breach or suspected data breach requires escalation to the Response Team. In making that determination, General Managers should consider the following questions:
  • Are multiple individuals affected by the breach or suspected breach?
  • Is there (or may there be) a real risk of serious harm to any of the affected individual(s)?
  • Does the breach or suspected breach indicate a systemic problem in Traffic Monitoring Services (TMS) processes or procedures?
  • Could there be media or stakeholder attention as a result of the breach or suspected breach?
    If the answer to any of these questions is ‘yes’, then the General Manager should notify the Response Team Coordinator (CIO), or if this is not possible, a member of the Response Team.
    The checklist below sets out the steps that the response team will take in the event of a serious data breach.
    General Managers should inform the Response Team Coordinator of minor breaches.
    If a General Manager decides not to escalate a minor data breach or suspected data breach to the Response Team for further action, the General Manager should send a brief email to the Response Team Coordinator and Risk Manager that contains the following information:
  • description of the breach or suspected breach
  • action taken by the General Manager or Traffic Monitoring Services (TMS) officer to address the breach or suspected breach
  • the outcome of that action, and
  • the General Manager’s reasons for their view that no further action is required
  • save of copy of email in the Risk & Incident Tracking Tool in the IT Service Desk platform:
    Data Breach Response – reports and investigation of data breaches to be saved within the Traffic Monitoring Services (TMS) Risk & Incident Tracking Tool in the IT Service Desk platform.
    If the General Manager decides to escalate the suspected data breach to the Response Team for further action, the General Manager and the Response Team Coordinator must arrange an out of session ELT Meeting to discuss this matter as soon as possible. The Risk Manager is to be informed.
    Traffic Monitoring Services (TMS) Data Breach Response Process
    There is no single method of responding to a data breach. Data breaches must be dealt with on a case- by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. Depending on the breach, the Response Team may need to take additional steps that are specific to the nature of the breach, for example engaging an IT specialist/ data forensics expert or a human resources adviser.
    There are four key steps to consider when responding to a breach or suspected breach.
  • STEP 1: Contain the breach
  • STEP 2: Assess the risks associated with the breach
  • STEP 3: Consider breach notification
  • STEP 4: Review the incident and take action to prevent future breaches
    The response team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession. At all times, the response team should consider whether remedial action can be taken to reduce any potential harm to individuals.
    The Response Team should refer to the checklist below as a guide to managing data breaches.
    Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.
    Where notification is required, that is where serious harm is likely, Traffic Monitoring Services (TMS) must prepare a statement for the Privacy Commissioner that contains:
  • The entity identity and contact details
  • a description of the breach
  • a description of the information concerned
  • recommended steps for individuals to take
    Traffic Monitoring Services (TMS) must also notify affected individuals and inform them of the contents of the statement. Individuals may be notified in one of three ways, namely:
  • notify all individuals;
  • notify only those individuals at risk of serious harm; or
  • publish the statement on Traffic Monitoring Services (TMS)’s website and publicise it.
    Following a serious data breach, the Response Team should conduct a post-breach review to assess Traffic Monitoring Services (TMS)’s response to the breach and the effectiveness of this plan and report the results of the review to Traffic Monitoring Services (TMS) Risk Management Committee. The post-breach review report should identify any weaknesses in this response plan and include recommendations for revisions or staff training as needed.
    Records Management
    Documents created by the Response Team, including post-breach and testing reviews, should be saved in the following Risk & Incident Tracking Tool in the IT Service Desk platform:
    Traffic Monitoring Services (TMS)’s Data Breach Response Process
  1. Contain the breach
  2. Assess the risks
  3. Consider breach notification
  4. Review and preventative action
    Traffic Monitoring Services (TMS)’s Data Breach Response Check List
    STEP 1: Contain the Breach
    Notify data breach Response Team Coordinator who may convene a meeting of the Response Team.
    Immediately contain breach including:
    • IT to implement the ICT Incident Response Plan (if necessary).
    • Alert building security (if necessary).
    Consider whether response team needs other expertise.
    Ensure evidence is preserved that may be valuable in determining the cause of the breach, or allowing Traffic Monitoring Services (TMS) to take appropriate corrective action.
    Consider whether a communications or media strategy is required.
    STEP 2: Assess the risks for individuals associated with the breach
    Conduct initial investigation, and collect information about the breach promptly, including:
    • the date, time, duration, and location of the breach
    • the type of personal information involved in the breach
    • how the breach was discovered and by whom
    • the cause and extent of the breach
    • a list of the affected individuals, or possible affected individuals
    • the risk of serious harm to the affected individuals
    • the risk of other harms
    Determine whether the context of the information is important.
    Establish the cause and extent of the breach.
    • Ensure evidence is preserved that may be valuable in determining the cause of the breach, or allowing Traffic Monitoring Services (TMS) to take appropriate corrective action.
    Assess priorities and risks based on what is known.
    Keep appropriate records of the suspected breach and actions of the response team, including the steps taken to rectify the situation and the decisions made.
    STEP 3: Consider breach notification
    Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.
    Determine whether and how to notify affected individuals. Does the breach trigger the requirements of the NDB scheme – ie is the breach likely to result in serious harm to any of the individuals to whom the information relates and Traffic Monitoring Services (TMS) has not been able to prevent the likely risk of serious harm through remedial action. In some cases, it may be appropriate to notify the affected individuals immediately; e.g., where there is a high level of risk of serious harm to affected individuals. If the NDB scheme is triggered – a formal notification to the Australian Information Commissioner (AIC) should be made. Even if the NDB scheme threshold is not met would notifying the individuals be appropriate?
    Consider whether others should be notified, including police/law enforcement, or other agencies or organisations affected by the breach or can assist in containing the breach or assisting individuals affected by breach, or where Traffic Monitoring Services (TMS) is contractually required to notify specific parties.
    STEP 4: Review the incident and take action to prevent future breaches
    Fully investigate the cause of the breach.
    Implement a strategy to identify and address any weaknesses in data handling that contributed to the breach.
    Conduct a post-breach review and report to Traffic Monitoring Services (TMS) Executive on outcomes and recommendations:
    Update security and response plan (if necessary).
    Make appropriate changes to policies and procedures (if necessary).
    Revise staff training practices (if necessary).
    Consider the option of an audit to ensure necessary outcomes are effected.