Privacy Policy

1. Purpose and scope

1.1 Purpose

CloudBlue Managed Services Pty Ltd (CloudBlue) collects and uses information about individuals as part of delivering managed IT services and operating our business. This policy sets out the principles and controls CloudBlue uses to protect personal information and to comply with applicable privacy obligations.

1.2 Scope

This policy applies to all CloudBlue information systems, people, and processes that handle personal information, including: directors, employees, contractors, suppliers, and other third parties who access CloudBlue systems or personal information.

1.3 Related documents

This policy should be read together with CloudBlue’s:

  • Information Classification and Handling Standard

  • Acceptable Use Policy

  • Access Control Policy

  • Logging and Monitoring Standard

  • Information Security Incident Response Procedure

  • Records Retention and Disposal Standard

  • Supplier / Third-Party Risk Management Procedure


2. Privacy compliance framework

2.1 Applicable laws and standards

CloudBlue is committed to demonstrable compliance with:

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

  • Notifiable Data Breaches (NDB) scheme requirements under the Privacy Act

  • Any other applicable Australian privacy or data-related laws relevant to CloudBlue’s operations (as applicable to a particular engagement)

CloudBlue also supports privacy governance through an Information Security Management System (ISMS) aligned to ISO/IEC 27001 principles.

2.2 Roles and responsibilities

  • Managing Director / Executive Sponsor: accountable for privacy governance and resourcing.

  • Security/Compliance Owner: responsible for policy maintenance, training, and oversight.

  • Service Delivery Leaders: ensure privacy requirements are embedded in service delivery and supplier arrangements.

  • All personnel: must follow this policy and report suspected privacy or security incidents promptly.

CloudBlue does not appoint a formal “Data Protection Officer” unless required by law or customer contractual requirements; however, privacy accountabilities are assigned to defined roles as above.


3. Key definitions

3.1 Personal information

Personal information has the meaning in the Privacy Act: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.

3.2 Sensitive information

Sensitive information is a category of personal information that is subject to higher protections under the Privacy Act (e.g., health information, biometric data, religious beliefs). CloudBlue aims to avoid collecting sensitive information unless it is strictly necessary and lawful.

3.3 Processing / handling

Handling includes collecting, using, disclosing, storing, accessing, transmitting, and disposing of information.

3.4 Customer data

Where CloudBlue provides services to customers, we may access or process information on customer systems. Customer data remains customer-owned, and CloudBlue handles it under contractual terms and applicable law.


4. Privacy principles and operational controls

CloudBlue applies the following principles to personal information handling.

4.1 Lawful, fair, and transparent handling

CloudBlue will:

  • collect personal information only where it is needed for legitimate business purposes or service delivery

  • communicate how we handle personal information through customer contracts, notices, and (where applicable) our website Privacy Notice

4.2 Collection limitation and data minimisation

CloudBlue will:

  • collect only what is reasonably necessary for the intended purpose

  • limit access to those who require it for their role

  • avoid collecting sensitive information unless required and lawful

4.3 Data quality

CloudBlue will take reasonable steps to ensure personal information we hold is accurate, up to date, complete, and relevant, particularly where it is used to make decisions or provide services.

4.4 Use and disclosure limitation

CloudBlue will use and disclose personal information only:

  • for the purpose for which it was collected, or a related purpose an individual would reasonably expect; or

  • where required or authorised by law; or

  • with the individual’s consent (where required)

4.5 Security safeguards

CloudBlue implements security controls proportionate to risk, including (as applicable):

  • role-based access control and least privilege

  • MFA for privileged access and core systems

  • encryption in transit and, where appropriate, at rest

  • secure configuration baselines and patch management

  • security monitoring and logging

  • vulnerability management and secure change control

  • supplier assurance and contractual security requirements

4.6 Retention and disposal

CloudBlue retains personal information only as long as required for:

  • business and service delivery purposes

  • legal and regulatory obligations

  • dispute resolution, auditing, and contractual requirements

When no longer needed, personal information is securely destroyed or de-identified in accordance with CloudBlue’s Records Retention and Disposal Standard.

4.7 Privacy by design and change management

Privacy impacts must be considered for new systems and material changes. Where appropriate, CloudBlue will complete a privacy impact assessment (PIA) or equivalent risk assessment that considers:

  • what personal information is handled and why

  • lawful basis and customer expectations

  • risks to individuals and mitigations

  • retention, access control, and disclosure pathways

  • supplier and cross-border impacts


5. Individual rights and requests (Australia)

CloudBlue supports rights under the Privacy Act, including:

5.1 Access to personal information

Individuals may request access to personal information CloudBlue holds about them. CloudBlue will respond within a reasonable timeframe and may need to verify identity before releasing information.

5.2 Correction

Individuals may request correction of personal information if it is inaccurate, out of date, incomplete, irrelevant, or misleading.

5.3 How to submit a request

Requests should be submitted to: accounts@cloudblue.com.au.

CloudBlue will:

  • acknowledge requests promptly

  • verify identity where appropriate

  • respond within a reasonable timeframe, as required by the Privacy Act

CloudBlue may refuse access or correction in limited circumstances permitted by law (e.g., legal privilege, impact on others’ privacy), and will provide reasons where required.


6. Consent and direct marketing

6.1 Consent

Where consent is required by law or appropriate to the context, CloudBlue will obtain consent that is voluntary, informed, current, and specific. Individuals may withdraw consent, noting that withdrawal may affect service delivery in some contexts.

6.2 Direct marketing

CloudBlue will comply with applicable rules relating to direct marketing. Individuals may opt out of marketing communications using the unsubscribe mechanism or by contacting CloudBlue.


7. Cross-border disclosure

CloudBlue may use suppliers, cloud platforms, and service providers that store or process data in Australia or overseas. Before cross-border disclosure of personal information, CloudBlue will take reasonable steps to ensure:

  • appropriate contractual safeguards are in place (where applicable)

  • disclosures are consistent with APP 8 requirements

  • security and access controls are maintained

Customers remain responsible for approving their own data residency and cross-border settings unless CloudBlue is explicitly contracted to manage those decisions.


8. Data breaches and incident response

8.1 Incident reporting

All CloudBlue personnel must promptly report suspected privacy or security incidents through the CloudBlue incident process.

8.2 Response process

CloudBlue manages incidents under its Information Security Incident Response Procedure, which includes:

  • containment and investigation

  • assessment of affected information and systems

  • remediation and recovery

  • documentation, lessons learned, and control improvements

8.3 Notifiable Data Breaches (NDB)

Where CloudBlue determines it is required to notify under the Privacy Act (or must support a customer’s notification obligations), CloudBlue will act promptly and in accordance with the NDB scheme, including:

  • assessing whether the incident is likely to result in serious harm

  • notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals where required

  • coordinating communications and evidence preservation where relevant


9. Training, awareness, and compliance monitoring

CloudBlue will:

  • provide privacy and security awareness training to personnel relevant to their role

  • maintain documented procedures and evidence of key controls

  • periodically review privacy risks, supplier posture, and technical/organisational safeguards

  • address non-compliance through corrective actions, up to and including disciplinary action


10. Complaints

Individuals may lodge a privacy complaint with CloudBlue. CloudBlue will:

  • acknowledge complaints promptly

  • investigate in good faith

  • respond within a reasonable timeframe

If a complaint cannot be resolved, individuals may contact the OAIC.


11. Policy governance

11.1 Review and updates

This policy is reviewed at least annually and when there are material changes to:

  • law/regulation

  • CloudBlue services and systems

  • supplier or delivery models

  • security risk posture

11.2 Exceptions

Any exception to this policy must be documented, risk-assessed, approved by an authorised CloudBlue executive, and time-bound.