Transurban

Comprehensive scope statement covering multiple stakeholder groups, clear table of contents with 18 sections, specific privacy officer contact details, definitions section, and commitment to plain language. Strong structural elements with good navigation aids.

Clear primary purposes stated with comprehensive secondary use disclosure including AI systems and marketing. Marketing opt-out available, though some purposes are quite broad and catch-all clauses present.

Clear update notification process via website posting and customer notification for significant changes. Named privacy officer with contact details and staff training commitment, but lacks specific review frequency timeframes or formal governance framework details.

Detailed enumeration of personal information types collected, comprehensive disclosure of collection methods including direct, automated, and third-party sources. Specific coverage of sensitive information handling with consent requirements and clear legal basis statements.

Good specificity in naming service provider categories and overseas disclosure countries with safeguards. Clear disclosure of law enforcement sharing and business transfer scenarios, though some categories remain broad rather than naming specific entities.

General security measures mentioned including physical and electronic safeguards, staff training, and third-party vetting. However, lacks specific technical details like encryption standards or certifications, with acknowledgment of internet security limitations.

Specific countries named for data transfers with clear distinction between contractor services and related entity transfers. Safeguards specified as 'commercially reasonable steps' to ensure APP compliance, though adequacy mechanisms not detailed.

Strong access and correction rights with clear contact mechanisms and no fees for access requests. Marketing opt-out clearly described and OAIC escalation pathway provided, though response timeframes are vague ('as soon as we can').

AI system use disclosed with specific purposes like fraud detection and personalisation, but lacks transparency about decision logic, no opt-out rights for automated decisions, and no human review mechanisms described.

No relevant claims found in policy.

No specific findings.