
Is MIDAS Australian Privacy Act (APP) compliant?
What is the Privacy Act?
Australia's principal privacy law is the Privacy Act 1988 (Cth). It regulates how personal information is handled by organizations through thirteen Australian Privacy Principles (APPs), which cover matters such as the open and transparent handling of personal information, use and disclosure, security, and an individual's right to access and correct their information. Organizations bound by these principles are known as "APP entities", and the Act is administered by the Office of the Australian Information Commissioner (OAIC). The Act also includes the Notifiable Data Breaches scheme, which requires certain data breaches to be reported.
How the Privacy Act applies to MIDAS
MIDAS is a room booking and resource scheduling tool. When you use MIDAS, you decide what personal information, if any, is entered into your booking system. You collect that information and determine how it is used. The obligations of an APP entity in respect of that information therefore rest with you; we host and process the information on your behalf so that we can provide the MIDAS service to you.
In practice, this means:
- We handle the personal information within your MIDAS system only on your behalf, and only in order to provide the MIDAS service to you.
- We do not sell that personal information, and we never have.
- We apply appropriate security measures to protect the personal information we host on your behalf, as described in our Software Privacy Policy.
- For "cloud-hosted" systems, the processing relationship is already governed by our Data Processing Agreement.
Under APP 8, an APP entity that discloses personal information to an overseas recipient generally remains accountable for how that information is handled. Your MIDAS database is hosted at one of our available data center locations (currently the EU, US East Coast, or US West Coast), and our Data Processing Agreement provides the contractual safeguards governing how we handle the personal information on your behalf at whichever location you choose.
How we handle personal information generally, and the rights available to individuals, is described in our Software Privacy Policy and our GDPR Statement. Individuals can request a copy of the personal data we hold on them at any time using our self-service Subject Access Request tool.