AGL Energy

Comprehensive scope statement covering multiple entities and stakeholders, clear definitions section, specific contact methods including phone and postal address, current effective date, and policy availability in multiple formats with downloadable PDF option.

Clear enumeration of primary collection purposes and secondary uses including research and marketing, specific disclosure of AI usage for analytics and customer support, but includes broad 'other purposes notified to you from time to time' clause that weakens purpose limitation.

Basic policy update notification through website publication, staff training commitments for information security, internal governance framework with security monitoring, and current effective date, but lacks specific review frequency commitments or named privacy officer details.

Extensive enumeration of specific data types collected including identification documents, energy usage data, and financial information, clear disclosure of sensitive information collection with consent requirements, and detailed collection methods from direct interactions to automated tracking technologies.

Named specific third parties including credit reporting bodies (Equifax, Experian, CreditorWatch) and mobile networks (Telstra, Optus), comprehensive categories of recipients, clear purposes for sharing, and contractual protection requirements for service providers including overseas recipients.

Specific technical measures including data transmission encryption and access controls, dedicated security monitoring with professional staff, physical security measures (ID cards, cameras, guards), employee training requirements, and data destruction practices, but lacks detailed encryption specifications or certifications.

Named specific countries and regions (India, Indonesia, Fiji, Japan, Singapore, Malaysia, New Zealand, Philippines, South Africa, USA, UK, EU), clear safeguards requiring Privacy Act compliance, contractual obligations for overseas service providers, and acknowledgment of advance specification limitations.

Comprehensive access rights with 30-day response timeframe, clear correction process with third-party notification, multiple opt-out methods for marketing, online account access for basic information, and specific OAIC complaint escalation details with full contact information.

Discloses AI usage for analytics, personalisation, marketing and customer support with safety commitments, but lacks transparency about decision-making logic, provides no opt-out rights or human review mechanisms for automated decisions including credit assessments.

No explicit children's data provisions, age verification processes, parental consent mechanisms, or child-specific protections despite collecting personal information that could include children's data through general consent assumptions.