Your privacy is important to Iron Mountain

Iron Mountain website privacy policy

Policy last updated: 01 January 2017

This Privacy Policy is intended to apply to Iron Mountain New Zealand Limited (“Iron Mountain/we/us/our”) and details our compliance with the Privacy Act 1993 (the “Privacy Act”).

1. Introduction

Your privacy is important to you, which in turn means that it is important to us. Iron Mountain is in the business of handling information securely and we have spent years working out the best ways to protect your personal information.

This Privacy Policy describes exactly how (and why) we collect, use, store and dispose of your personal information. Personal information is information or an opinion, whether true or not and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.

If you give us personal information packaged in cartons or personal information in digital format for storage, you can be assured that we do not use or disclose, or are even aware of, any of the personal information that you store with us. We do make sure that it is safe and secure. This Privacy Policy does not address in detail the ways in which we provide secure storage, except to say that Iron Mountain is ISO-certified and has developed security processes to the highest standard. Any additional queries or concerns that you may have in relation to the storage of your information is best addressed with your account manager or other authorised Iron Mountain representative.

The bottom line is that we will only disclose your personal information that we have collected to others if you have given us permission, or if the disclosure relates to the main reason we collected the information and you would reasonably expect us to do so.

2. The kind of information we collect

Customers

As a customer of our information management services, you may have provided us with personal information to store in either a physical or digital format or to process by way of scanning.

In addition, if you are reading this Privacy Policy as a representative of a customer, then, as a result of your employer asking Iron Mountain to provide it with information management services, we may collect your personal information. Details like your name, your work contact details, your position and any other personal information that is relevant to your, or your employer’s, use of Iron Mountain’s services will be collected.

Candidates

If you are a job applicant or a potential employee of Iron Mountain, then we may be provided with your CV, birth date, contact details and other background information. We may store this information in a secure physical location or in a local data centre.

Contractor or Supplier

If you are an individual contractor of Iron Mountain, or a representative of a supplier, then Iron Mountain will collect your name, contact details, bank details, background checks and any medical information that you have consented to provide and which is reasonably necessary for you to carry out your functions.

3. How we hold or store your information

Customers

Where we store your information as a part of our services or to enable us to provide the services, we have developed security measures at each physical site and have developed and implemented global standard operating procedures that cover the handling and storage of your information. These procedures are in turn localised to effectively ensure New Zealand standards are adhered to. Internally we have developed a set of standards to ensure our policies and procedures meet or exceed industry and government legislative requirements. Iron Mountain is ISO-certified, which demonstrates excellence in Information Security Management System (“ISMS”).

In some cases you may be using services that involve digital storage of your information, whether it is in the form of cloud storage, or as a result of us carrying out scanning services. In these cases we use the following measures:

• Firewalls and access logging tools that protect against unauthorised access to your data and our network.
• Secure work environments and workflow systems that prevent unauthorised access and copying of your personal information.
• Secure server and closed network environments.
• Encryption of data.
• Virus scanning tools.
• Ongoing security reviews.

Where we scan information on your behalf, the scanned images will be retained on our data servers until sent to you and will then be deleted 30 days thereafter. All Iron Mountain data servers are located in Australia.

We use customer relationship management (“CRM”) software to store the personal information collected directly from you and to assist us to provide marketing activities to you.

Wherever your personal information is stored, it will only be accessed by authorised personnel only to provide technical support or to carry out other functions reasonably necessary to provide the services. This information will not be disclosed in any other way without your express authorisation.

The digital landscape is constantly changing, so while these measures have been successful to date, the nature of the medium means that they cannot be relied upon to always be effective. We will keep striving to maintain the security of your digital personal information.

Suppliers and candidates

We will store the information that you provide us in a secure physical location or on our data servers which are located within Australia.

4. Why we collect personal information

We collect personal information from you, or store any information that you give to us, in order for us to carry out the services we have been contracted to provide. We will also use the personal information in order to provide you with news of updated products and services, provide you with news of any marketing campaigns and where it is reasonably necessary for any other related business or marketing purposes.

Having your personal information makes it easier for Iron Mountain to discuss our services with you and to contact you in a timely manner should we need to. Other reasons we collect personal information are to:

• Manage our business, including hiring staff.
• Comply with our legal obligations.
• Deal with you as a contractor providing services to Iron Mountain.

5. How we collect personal information

Directly from you

We collect most personal information directly from you. For example, you might fill out a form in which you provide your contact details, you may include the information in a contract or you may give us cartons of material or tapes to store.

You may also have provided us with personal information when you requested us to undertake the conversion of documents from a physical format to a digital format.

From others

We may receive personal information from your employers. Or, if you are a potential candidate, we may receive your CV and other background checks from a recruitment agent. You may also have directed others to provide personal information to us on your behalf, for example, the results of medical checks and police background checks, if you are a contractor.

If we have knowledge of the personal information provided to us (as opposed to being provided with material for the purposes of storage) we will take reasonable steps to make sure you are aware that we have your personal information, how we received it and how we will manage it.

Through our website and emails

If you visit the Iron Mountain website, we may collect various non-personal information, such as internet protocol (IP) addresses, the date and time of website visits, the web pages reviewed, any links that you access through emails sent to you and any documents downloaded and the type of browser and operating system used to access the website.

Where such information is collected, it may be used and disclosed by us, but only in an anonymous, aggregated form where no individuals are identified. While this information is not of a personal nature, it may become so when analysed or aggregated together with other information, which could lead to the identification of an individual. If this was to happen, we will inform you that we hold information that is capable of identifying you.

6. How to access your personal information

You are entitled to request access to the personal information that we may hold (subject to the exceptions which may apply under the Privacy Act, such as where access to such information may pose a threat to someone’s life), or you may simply want to know what sort of personal information we hold and for what purposes and how we collect, hold, use and disclose that information. If so, you should direct a written request to our Privacy Officer at Privacy.Au@ironmountain.com and we will respond within a reasonable time. If we refuse to provide you with access to your personal information, we will provide you with reasons for the refusal.

If you are a representative of a customer and we hold personal information that we collected directly from you then, there is generally no cost for accessing the personal information we hold about you, unless the request is complex or resource intensive. If there is a charge, it will be reasonable and we will let you know what it is going to be so that you can agree to it before we go ahead. If you feel that the information that we hold is incorrect or outdated, then we will take all reasonable steps to correct that information.

However, where that information is held as part of the materials that you store with us, access to that information will be charged at your standard rates for retrieval and refiling.

7. Who we may share information with

We have partnered with several trusted partners to provide digital services. We also use third party providers to assist with marketing and communication to our customers. In the event of non-payment of Iron Mountain’s invoices, we may provide personal information to third party debt collectors.

We have taken all reasonable measures to ensure that these partners and providers do not breach the obligations under the Privacy Act. The partners and providers limit their access to your personal information to the extent necessary to do their job.

Some of these partners may have data centres in other locations outside of New Zealand. For example, personal information that we have collected directly from you, your personnel or from other representatives of your company are stored on servers in North America. The content management suite of digital services that we sell is backed up to servers in either North America or Japan. By providing your personal information to us, you consent to the transfer of that information to our third party partners who are located outside of New Zealand for that purpose.

8. Legal disclosure of personal information

We may disclose personal information in circumstances where we are obliged to do so under New Zealand law, for example, where we have been provided with a subpoena or warrant that requires access to the information.

9. What happens if we no longer need your personal information?

Where Iron Mountain no longer provides services to you or where the personal information is no longer reasonably necessary for us to carry out the services, then the information will be securely destroyed in one of our many secure destruction facilities or will be permanently deleted from its system.

10. Marketing by Iron Mountain

We market our services using email, mail and phone. We will provide you with clear advice as to how you may opt out of any marketing activities that we conduct, but where you do not opt out, you will be taken to having consented to us marketing our services to you.

11. Complaints

Any queries or complaints in relation to how we collect, use, disclose, store or destroy your personal information should be directed to the Privacy Officer at Privacy.Au@ironmountain.com. We will take your query or complaint seriously and respond within a reasonable time to address your concerns or questions.

12. Amendment

Iron Mountain reserves the right to amend this Privacy Policy from time to time by posting an updated version of this policy on our web site. Please review it regularly for any changes.

13. More information

For any more information about the Privacy Act or your rights, please visit the website of the Office of the Privacy Commissioner, at www.privacy.org.nz