c2pr

Privacy Statement

Last updated: April 2026
 

1. Introduction

c2pr Group Pty Ltd (“c2pr”, “we”, “our”, “us”) is committed to protecting the privacy of individuals and handling personal information in an open, transparent, and secure manner.

This Privacy Statement explains how we collect, use, store, disclose, and protect personal information in accordance with:

  • The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • The Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act) and the Information Privacy Principles (IPPs), where applicable 

This statement also outlines how individuals can access and correct their personal information or make a privacy complaint.

 

2. What is personal information?

“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in material form or not.

This may include, for example:

  • Name, email address, phone number, and job title
  • Organisation and role information
  • Online identifiers (such as IP address or account details)
  • Information provided during security assessments, consulting engagements, or training

Sensitive information (such as health or biometric information) is handled only where required by law or contract and with appropriate safeguards.

 

3. How we collect personal information

We collect personal information only where it is reasonably necessary for our business activities. This may include collecting information:

  • Directly from you (for example, when you contact us, engage our services, or attend training)
  • From your employer or organisation (including WA public sector agencies)
  • Through our website, email systems, collaboration platforms, and security tooling
  • As part of delivering cybersecurity, privacy, governance, or compliance services

Where required, we provide notice at or before the time of collection, including the purpose of collection and how the information will be used. 

 

4. Purpose of collection and use

We collect, hold, and use personal information to:

  • Deliver cybersecurity, privacy, governance, and advisory services
  • Meet contractual obligations to clients, including WA public sector entities
  • Manage client relationships and communications
  • Provide training, workshops, and assessments
  • Meet legal, regulatory, and compliance obligations
  • Maintain the security and integrity of our systems and services

We do not use personal information for purposes unrelated to these activities unless required or authorised by law.

 

5. Disclosure of personal information

We may disclose personal information to:

  • Clients and project sponsors (including WA public sector entities)
  • Cloud, security, and professional service providers engaged by c2pr
  • Legal, regulatory, or law enforcement bodies where required or authorised by law

Where we act as a contracted service provider under a WA Government contract, we handle personal information strictly in accordance with client instructions, contractual privacy clauses, and applicable IPPs under the PRIS Act.

 

6. Cross‑border disclosure

Some of our service providers and technology platforms may store or process information outside Australia (for example, Microsoft cloud services).

Where personal information is disclosed overseas, we take reasonable steps to ensure that overseas recipients handle the information in a manner consistent with the Australian Privacy Principles and contractual privacy obligations. 

 

7. Aboriginal Data Governance Acknowledgment

c2pr acknowledges Aboriginal peoples as the Traditional Custodians of the lands on which we work and live, and recognises their continuing connection to land, waters, culture, and community. We pay our respects to Elders past and present.

In alignment with the Privacy and Responsible Information Sharing Act 2024 (WA) and emerging best practice in Aboriginal data governance, c2pr recognises that personal information relating to Aboriginal people and communities may have additional cultural, community, and collective significance.

Where c2pr handles personal information relating to Aboriginal people or communities—particularly in the context of services delivered to Western Australian public sector clients—we are committed to:

  • handling such information respectfully and in accordance with applicable law and contractual obligations
  • supporting transparency in how information is collected, used, shared, and protected
  • engaging appropriately with client agencies where Aboriginal data governance, cultural considerations, or community impacts are relevant
  • avoiding secondary use or disclosure of information in ways that could cause harm, misrepresentation, or loss of trust

We support responsible information sharing practices that balance public benefit with privacy protection and cultural considerations, and we acknowledge the importance of Aboriginal perspectives in decisions that affect Aboriginal personal information.

 

8. Security of personal information

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

Controls include:

  • Access controls and least‑privilege principles
  • Encryption and secure cloud services
  • Monitoring, logging, and incident response processes
  • Secure disposal and data minimisation practices

These measures align with APP 11 and the PRIS IPPs relating to information security.

 

9. Data breaches

Where required by law or contract, c2pr complies with:

  • The Notifiable Data Breaches (NDB) scheme under the Privacy Act
  • PRIS Act data breach notification obligations for WA public sector information (from January 2027)

If a serious data breach occurs that is likely to result in serious harm, affected individuals and relevant regulators will be notified in accordance with applicable law.

 

10. Access and correction

You may request access to, or correction of, personal information we hold about you.

Requests can be made using the contact details below. We will respond within a reasonable timeframe and in accordance with the Privacy Act and IPPs where applicable.

 

12. Complaints

If you believe we have interfered with your privacy, you may contact us using the details below.

We will investigate and respond to complaints in a timely and fair manner. If you are not satisfied with our response, you may escalate your complaint to:

  • The Office of the Australian Information Commissioner (OAIC), or
  • The Office of the Information Commissioner (Western Australia), where relevant under the PRIS Act.

 

13. Contact us

Managing Director
c2pr Pty Ltd
Email: [email protected]
Location: Perth, Western Australia

 

14. Changes to this Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in law, regulation, or our practices. The current version will always be available on our website.