Privacy & Information Management Policy

1. Purpose

This Policy establishes the governance framework under which Sj iTech Pty Ltd (“Sj iTech”, “we”, “our”, “us”) collects, processes, stores, discloses, secures, and disposes of Personal Information and Sensitive Information. Sj iTech is committed to compliance with:

• The Privacy Act 1988 (Cth)
• The Australian Privacy Principles (APPs)
• The Notifiable Data Breaches (NDB) Scheme
• The General Data Protection Regulation (GDPR) where applicable
• Industry-specific regulatory standards

2. Scope of Application

This Policy applies to all directors, officers, employees, and contractors of Sj iTech; third-party service providers; client engagements; and all digital systems, AI models, and infrastructure operated by or on behalf of Sj iTech.

3. Definitions

• Personal Information: Information or an opinion about an identified individual.
• Sensitive Information: Includes health information, biometric data, or genetic data.
• De-identified Data: Data where personal identifiers have been removed and re-identification risk is mitigated.

4. Lawful Basis for Collection and Processing

Sj iTech collects and processes information only where necessary for contract performance, service delivery, legal compliance, or where consent has been obtained.

5. Categories of Information Collected

5.1 Personal Information

• Names and business contact details
• Professional titles and affiliations
• Contractual and billing information

5.2 Sensitive Information (Where Applicable)

• Health information and medical imaging datasets (e.g., DICOM)
• Clinical annotations and operational datasets for AI training

6. Healthcare & Clinical Data Governance

Where Sj iTech provides AI systems for healthcare:

• Data is received only from authorised providers.
• Formal contractual safeguards (NDA, DPA, MSA) govern transfers.
• Sj iTech does not sell personal or health information or monetise patient data.

7. Data Security & Technical Safeguards

7.1 Technical Controls

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access control (RBAC) and Multi-factor authentication (MFA)
• Audit logging and security monitoring

7.2 Organisational Controls

• Confidentiality agreements and regular security reviews
• Alignment with HIPAA safeguard principles and GDPR design standards

8. Cross-Border Data Transfers

Transfers outside Australia occur only where adequate safeguards exist and comply with APP 8 and GDPR provisions where relevant.

9. Data Retention & Disposal

Information is retained only as long as necessary to fulfil contractual or legal obligations. Upon expiry, data is securely deleted, anonymised, or destroyed.

10. De-Identified Data Usage

Sj iTech may use de-identified datasets for AI model refinement and performance benchmarking subject to strict re-identification risk controls.

11. Individual Rights

Individuals may request access to, correction of, or deletion of their Personal Information. Requests should be directed to:

Sj iTech Pty Ltd
Sydney, Australia
Email: info@sjitech.com

12. Notifiable Data Breaches

Sj iTech complies with the NDB Scheme. In the event of an eligible breach, affected clients and the OAIC will be notified without undue delay.

13. Complaints Handling

Complaints may be submitted to info@sjitech.com. If unresolved, complaints may be referred to the Office of the Australian Information Commissioner (OAIC).

14. Website & Digital Tracking

We collect limited analytics (IP metadata, device type). Cookies may be used to enhance functionality. No personally identifiable information is collected via analytics without consent.

15. Governance & Review

This Policy is reviewed periodically to ensure alignment with legislative changes, AI governance, and cybersecurity best practices.