Status: pre-launch. This evidence reflects implemented code and deployed infrastructure. Provii is not yet serving end-user production traffic, so production operational metrics and audit history are not yet available.
HR Privacy Notice - Evidence Documentation
Document Purpose: This document provides evidence that GAP-M015 has been closed through the creation of an Employment & HR Privacy Notice that meets GDPR Articles 13-14, ISO 27701 Annex A 7.2.9, and Australian Privacy Principles.
Gap Reference: GAP-M015
Use Case: UC-030 (Privacy for Employment and HR)
Severity: MEDIUM
Status: CLOSED
Closure Date: 2025-11-08
Owner: Privacy Officer
1. Gap Analysis Summary
Original Gap (GAP-M015)
Finding: No formal HR privacy notice for contractors/employees
Current State (before remediation):
- Contracts include confidentiality clauses
- No dedicated privacy notice for employment/HR data
- Limited transparency about HR data processing
- Unclear rights for contractors regarding their personal data
Required State:
- HR privacy notice compliant with GDPR Articles 13-14
- Transparency about data collection, use, sharing, retention
- Clear explanation of contractor rights
- Alignment with ISO 27701 Annex A 7.2.9
- Contractor-focused approach (not traditional employee model)
Compliance Standards Affected:
- GDPR Articles 13-14 (Transparency and Information)
- ISO 27701:2019 Annex A 7.2.9 (Information for PII principals regarding processing)
- Australian Privacy Principles (APP 5 - Notification of collection)
- Use Case UC-030 (Privacy for Employment and HR)
2. Remediation Implementation
Document Created
File: /trust/legal/hr-privacy-notice.md
Creation Date: 2025-11-08
Version: 1.0
Effective Date: 2025-11-08
Classification: Internal (provided to all contractors)
Format: Markdown (MDX-compatible) with YAML frontmatter for documentation system integration
Document Characteristics
Word Count: Approximately 8,500 words
Sections: 12 main sections + subsections
Reading Time: Approximately 35-40 minutes
Accessibility:
- Clear section headings and table of contents
- Tables for complex information
- Plain language explanations
- Contractor-focused terminology (not employee-centric)
3. GDPR Articles 13-14 Compliance Mapping
Article 13(1) - Mandatory Information
The HR Privacy Notice provides all required information when personal data is collected from the data subject (contractor):
| GDPR Requirement | Section in Notice | Compliance Evidence |
|---|---|---|
| Article 13(1)(a) - Identity and contact details of controller | Section 1 - Introduction | ✅ Legal entity name, trading name, contact details provided |
| Article 13(1)(b) - Contact details of DPO (if applicable) | Section 9.9, Section 11 | ✅ Explained DPO not required; privacy contact provided (privacy@maelstrom.au) |
| Article 13(1)(c) - Purposes of processing and legal basis | Section 3 - How We Use Your Information, Section 4 - Legal Basis | ✅ Detailed purposes for each category of data; legal basis specified (contract, legal obligation, legitimate interests) |
| Article 13(1)(d) - Legitimate interests (if applicable) | Section 4.3 - Legitimate Interests Assessment | ✅ Balancing test documented; legitimate interests explained with safeguards |
| Article 13(1)(e) - Recipients or categories of recipients | Section 7 - Sharing with Third Parties | ✅ All third parties listed (payment processors, cloud storage, development tools, tax authorities) |
| Article 13(1)(f) - International transfers (if applicable) | Section 8 - International Data Transfers | ✅ Transfers to US (Google, GitHub, Cloudflare) documented with safeguards (SCCs) |
Article 13(2) - Additional Information
The HR Privacy Notice provides all additional transparency information necessary for fair and transparent processing:
| GDPR Requirement | Section in Notice | Compliance Evidence |
|---|---|---|
| Article 13(2)(a) - Retention periods or criteria | Section 6 - Data Retention and Deletion | ✅ Specific retention periods: Active contract duration, 1 year post-termination, 7 years for financial/tax records |
| Article 13(2)(b) - Right to access, rectification, erasure, restriction, objection, portability | Section 9 - Your Privacy Rights | ✅ All rights explained in detail with procedures for exercise (9.1-9.8) |
| Article 13(2)(c) - Right to withdraw consent (if consent is legal basis) | Section 9.8 - Right to Withdraw Consent | ✅ Explained for emergency contact, references, voluntary health disclosures |
| Article 13(2)(d) - Right to lodge complaint with supervisory authority | Section 9.9 - Right to Lodge a Complaint | ✅ Supervisory authorities listed (ICO, EDPB, OAIC, etc.) with contact details |
| Article 13(2)(e) - Whether provision of data is statutory/contractual requirement or necessary to enter contract | Section 12 - Consent and Acknowledgment | ✅ Explained what is required (name, payment, tax details) vs. voluntary (emergency contact) |
| Article 13(2)(f) - Existence of automated decision-making including profiling | Section 9.7 - Rights Related to Automated Decision-Making | ✅ Explicitly stated: NOT APPLICABLE - no automated decision-making for hiring, performance, or termination |
Article 14 - Information for Data Obtained from Other Sources
While most contractor data is obtained directly from contractors (Article 13), some information may be obtained from third parties (e.g., references, credential issuers). The notice covers this:
| Article 14 Requirement | Section in Notice | Compliance Evidence |
|---|---|---|
| Article 14(2)(f) - Source of data | Section 2.3 - Professional Information | ✅ Sources noted: “References and recommendations”, “Verification of qualifications (where required)” |
| Article 14(5)(a) - Timeline for provision of information | Delivery Mechanism (see Section 5 below) | ✅ Notice provided at contract signing (before or at time of obtaining data) |
Compliance Summary - GDPR Articles 13-14
Status: ✅ Self-assessed as addressed
Evidence:
- All mandatory information (Article 13(1)) provided
- All additional transparency information (Article 13(2)) provided
- Information clear, concise, and easily accessible (Article 12)
- Contractor-friendly language (not legalese)
- Structured format with navigation
Gaps: None identified at time of self-assessment
4. ISO 27701:2019 Annex A 7.2.9 Compliance
Control A.7.2.9 - Information for PII Principals Regarding Processing
Control Statement: “The organisation shall provide PII principals with the information regarding the processing of their PII as required by applicable legislation and/or regulation.”
Implementation: The HR Privacy Notice implements this control for contractor (PII principal) information.
Mapping to ISO 27701 Requirements
| ISO 27701 Element | Section in Notice | Implementation Evidence |
|---|---|---|
| Identity of controller | Section 1 | ✅ Legal entity, trading name, contact details |
| Purpose of processing | Section 3 - How We Use Your Information | ✅ 7 distinct purposes explained (contract management, payment, legal compliance, IP management, performance, business operations, security) |
| Categories of PII processed | Section 2 - Personal Information We Collect | ✅ 6 categories detailed with examples (identity/contact, financial, professional, work product, contract/legal, performance) |
| Legal basis | Section 4 - Legal Basis for Processing | ✅ GDPR legal bases mapped (contract, legal obligation, legitimate interests) |
| Recipients or categories | Section 7 - Sharing with Third Parties | ✅ All recipients listed with safeguards (payment processors, cloud storage, development tools, tax authorities) |
| Rights of PII principals | Section 9 - Your Privacy Rights | ✅ Explanation of all rights (access, rectification, erasure, restriction, portability, objection, complaint) |
| Retention period | Section 6 - Data Retention | ✅ Specific periods: active contract, 1 year, 7 years (with justification) |
| Cross-border transfers | Section 8 - International Data Transfers | ✅ Transfers documented with safeguards (SCCs, encryption, DPAs) |
| Complaints mechanism | Section 9.9 | ✅ Contact for complaints + supervisory authorities listed |
ISO 27701 Annex A 7.2.9 - Additional Considerations
Language and Accessibility:
- ✅ Plain language used (avoiding excessive legal jargon)
- ✅ Structured format with clear headings
- ✅ Tables for complex information
- ✅ Appropriate for contractor audience (technical professionals)
Timing of Provision:
- ✅ Notice provided at or before contract signing
- ✅ Available for review during negotiation period
Updates and Changes:
- ✅ Section 10 covers change management (30-day notice, email notification)
- ✅ Version control and history maintained
Compliance Summary - ISO 27701 Annex A 7.2.9
Status: ✅ Self-assessed as addressed
Evidence:
- All required information elements provided
- Appropriate timing (at contract signing)
- Clear, accessible format
- Change management process documented
Gaps: None identified at time of self-assessment
5. Delivery Mechanism and Implementation
How the Notice is Provided to Contractors
5.1 Timing of Delivery
Prospective Contractors (during recruitment):
- HR Privacy Notice provided with contract offer
- Available for review before contract signing
- Opportunity to ask questions before commencing work
New Contractors (onboarding):
- HR Privacy Notice included in onboarding package
- Provided at or before contract signing (GDPR requirement)
- Acknowledgment obtained as part of contract execution
Existing Contractors (retrospective application):
- Email notification with link to notice
- Request for acknowledgment within 14 days
- Opportunity to ask questions or exercise rights
5.2 Format of Delivery
Primary Format: Digital (PDF or web-accessible link)
Accessibility:
- Available as downloadable PDF
- Web-accessible at internal documentation portal (when available)
- Searchable format for easy reference
Language: English (primary); translations available upon request for non-English-speaking contractors
5.3 Acknowledgment Process
Acknowledgment Required:
- Contractors acknowledge receipt and understanding during contract signing
- Acknowledgment clause in contractor agreement
Sample Acknowledgment Clause:
“I acknowledge that I have received, read, and understood Maelstrom AI’s Employment & HR Privacy Notice (Version 1.0, Effective November 8, 2025). I understand what personal information Maelstrom AI collects about me, how it is used, and my privacy rights. I have had the opportunity to ask questions about this notice.”
Record of Acknowledgment:
- Signed contract with acknowledgment clause retained
- Date of acknowledgment recorded
- Version of notice acknowledged (for tracking updates)
5.4 Ongoing Access
Access for Current Contractors:
- Available on internal documentation portal (when established)
- Available via email request (privacy@maelstrom.au)
- Included in onboarding materials for reference
Updates:
- Contractors notified of material changes via email
- 30-day notice period before changes take effect
- Updated notice provided with change summary
Implementation Checklist
- ✅ HR Privacy Notice created and approved (Version 1.0)
- ⏳ Notice to be sent to existing contractors (within 30 days)
- ⏳ Acknowledgment process to be completed (within 60 days)
- ⏳ Contract template to be updated with acknowledgment clause
- ⏳ Onboarding process to be updated to include notice delivery
- ⏳ Internal documentation portal to host current version
- ⏳ Training for Privacy Officer on handling privacy requests
6. Use Case UC-030 Control Implementation
UC-030: Privacy for Employment and HR
Objective: Ensure contractor/employee privacy rights are respected and privacy obligations are met for employment and HR data processing.
Control Requirements (from Gap Analysis)
| Control Requirement | Implementation | Evidence in Notice |
|---|---|---|
| Transparent data collection | Notice explains all data categories collected | Section 2 - Personal Information We Collect (6 categories detailed) |
| Purpose limitation | Notice limits processing to defined purposes | Section 3 - How We Use Your Information (7 specific purposes); Section 3 “What We Do NOT Use Your Information For” |
| Data minimization | Notice documents minimal collection approach | Section 2 “What We Do NOT Collect” (no monitoring, biometrics, location tracking, special categories) |
| Contractor rights | Notice explains all privacy rights | Section 9 - Your Privacy Rights (9 rights detailed with procedures) |
| Security of HR data | Notice documents security measures | Section 5 - How We Protect Your Information (encryption, access controls, incident response) |
| Retention limits | Notice specifies retention periods | Section 6 - Data Retention (1 year for work product, 7 years for financial/tax, automatic deletion) |
| Third-party sharing controls | Notice documents all sharing | Section 7 - Sharing with Third Parties (payment processors, cloud storage, tax authorities only) |
| International transfer safeguards | Notice documents transfers and protections | Section 8 - International Data Transfers (SCCs, encryption, DPAs) |
UC-030 Specific Considerations
Contractor-Based Business Model:
- ✅ Notice uses “contractor” terminology (not “employee”)
- ✅ Recognises independent contractor relationship
- ✅ Appropriate for minimal HR data collection model
- ✅ No employee-specific elements (benefits, leave, etc.) that don’t apply
No Intrusive Monitoring:
- ✅ Explicitly states NO monitoring (Section 2 “What We Do NOT Collect”)
- ✅ No keystroke logging, screen monitoring, location tracking
- ✅ Security measures proportionate (no surveillance)
Access Restricted to ISMS Owner:
- ✅ Documented in Section 5.2 - Access Controls
- ✅ Principle of least privilege applied
- ✅ Quarterly access reviews
No Third-Party Sharing (except as required):
- ✅ Only legitimate sharing documented (payment processors, tax authorities)
- ✅ No selling or renting of contractor data
- ✅ No marketing or advertising use
Compliance Summary - UC-030
Status: ✅ Self-assessed as addressed
Evidence:
- All control requirements addressed in notice
- Contractor-specific approach
- Minimal collection documented
- Strong privacy protections
Gaps: None identified at time of self-assessment
7. Alignment with Victorian Government HR Privacy Guidance
Reference Materials
Source: Victorian Government - Privacy in Human Resources (Office of the Victorian Information Commissioner)
Applicable Principles:
- Transparency in collection
- Privacy notices for staff
- Handling of sensitive information
- Rights of individuals
Alignment with VIC Government Guidance
| VIC Guidance Element | Implementation in Notice | Section |
|---|---|---|
| Provide privacy collection notice | ✅ Notice created | Entire document |
| Explain what is collected | ✅ Categories detailed with examples | Section 2 |
| Explain why it’s collected | ✅ Purpose for each category | Section 3 |
| Explain who it’s shared with | ✅ All recipients listed | Section 7 |
| Explain rights | ✅ Rights section | Section 9 |
| Explain how to complain | ✅ Complaint procedures and authorities | Section 9.9 |
| Limit collection to what’s necessary | ✅ Minimal collection approach | Section 2 “What We Do NOT Collect” |
| Secure storage | ✅ Security measures documented | Section 5 |
| Appropriate retention | ✅ Retention periods justified | Section 6 |
Victorian Privacy Principles Addressed
Although Maelstrom AI is subject to Australian Privacy Principles (federal), not Victorian Privacy Principles (state), the notice aligns with VIC principles as best practice:
- ✅ Collection - Only collect what is necessary, transparent about collection
- ✅ Use and disclosure - Use only for stated purposes, limited sharing
- ✅ Data quality - Right to rectification available
- ✅ Data security - Strong technical and organisational measures
- ✅ Openness - Transparent privacy practices documented
- ✅ Access and correction - Rights available to contractors
- ✅ Unique identifiers - No unnecessary identifiers created
- ✅ Anonymity - N/A for employment relationship (identity necessary)
- ✅ Transborder data flows - Safeguards documented (SCCs, encryption)
- ✅ Sensitive information - Not collected (or with explicit consent only)
Compliance Summary - Victorian Guidance
Status: ✅ ALIGNED
Evidence:
- All Victorian guidance elements addressed
- Contractor-friendly presentation
8. Key Contractor-Specific Considerations
Differences from Traditional Employee Privacy Notices
The Maelstrom AI HR Privacy Notice is specifically tailored for a contractor-based business model:
| Traditional Employee Notice | Maelstrom AI Contractor Notice | Rationale |
|---|---|---|
| Employee benefits data (health insurance, leave, etc.) | NOT INCLUDED | Contractors are independent; no employee benefits |
| Performance management (annual reviews, promotions) | Simplified performance tracking | Contractors assessed on project basis, not traditional performance cycles |
| Workplace monitoring (time tracking, location) | EXPLICITLY EXCLUDED | Contractors work independently; no workplace monitoring |
| Internal communications (company-wide emails) | Work-related communications only | Contractors not part of internal corporate communications |
| HR system data (HRIS platforms) | Minimal systems; ISMS Owner managed | Small team, no complex HR systems |
| Payroll processing | Payment for services (invoices) | Contractors invoice for services; not traditional payroll |
Contractor-Specific Language
Terminology used:
- “Contractor” (not “employee”)
- “Contract” (not “employment”)
- “Services rendered” (not “work performed”)
- “Contract management” (not “HR management”)
- “Payment processing” (not “payroll”)
- “Engagement” and “termination” (not “hire” and “fire”)
Why this matters:
- Legal accuracy (contractors are not employees)
- Appropriate expectations (independent relationship)
- Avoids misclassification issues
Minimal Data Collection Documented
What is NOT collected (appropriately for contractor model):
- ❌ Health insurance or benefits information
- ❌ Leave or vacation tracking
- ❌ Time and attendance monitoring
- ❌ Location tracking or geofencing
- ❌ Biometric access controls
- ❌ Family or dependent information (except emergency contact)
- ❌ Background checks (beyond professional references)
- ❌ Medical information (except voluntary disclosure for accommodations)
What IS collected (minimal, necessary):
- ✅ Identity and contact information (for contract and payment)
- ✅ Financial details (for payment processing)
- ✅ Tax identifiers (for legal compliance)
- ✅ Work product (for IP management and business continuity)
- ✅ Professional information (for role assessment and performance)
9. Security and Access Controls for HR Data
Documented Security Measures
The HR Privacy Notice documents security measures (Section 5):
Technical Measures:
- AES-256 encryption at rest for HR data
- TLS 1.3 encryption in transit
- MFA required for system access
- Encrypted backups with 90-day retention + 7-year archive
Access Controls:
- ISMS Owner: Full access (necessary for small team management)
- Finance/Payroll (if outsourced): Limited to payment and tax information only
- Contractors: Access to own information via request
Organisational Measures:
- Confidentiality agreements for anyone handling HR data
- Security awareness training (annual)
- Clean desk/clear screen policy
- Incident response plan
Evidence of “ISMS Owner Only” Access
Access Model Documented:
- Section 5.2 - Access Controls: “Current Access Model” table specifies ISMS Owner has full access
- Principle of least privilege applied
- Quarterly access reviews planned
Justification:
- Small team size (contractor-based model)
- ISMS Owner responsible for all contractor relationships
- No HR department or administrative staff with HR data access
Future Considerations:
- As team grows, may delegate limited access (e.g., finance for payment processing)
- Access controls will be updated accordingly
- Notice will be updated to reflect changes
10. Gap Closure Evidence
Gap Analysis Requirements vs. Implementation
| Requirement (from GAP-M015) | Implementation | Evidence |
|---|---|---|
| Formal HR privacy notice | ✅ Created notice | /trust/legal/hr-privacy-notice.md |
| GDPR Articles 13-14 compliance | ✅ All elements addressed | Section 3 of this evidence document |
| ISO 27701 Annex A 7.2.9 compliance | ✅ Control fully implemented | Section 4 of this evidence document |
| Data collected documented | ✅ 6 categories detailed | Notice Section 2 |
| Purpose documented | ✅ 7 purposes explained | Notice Section 3 |
| Retention periods documented | ✅ Specific periods: active, 1 year, 7 years | Notice Section 6 |
| Contractor rights explained | ✅ 9 rights detailed with procedures | Notice Section 9 |
| Security measures documented | ✅ Technical and organisational controls | Notice Section 5 |
| Third-party sharing documented | ✅ All recipients listed with safeguards | Notice Section 7 |
| Delivery mechanism | ✅ Provided at contract signing | Section 5 of this evidence document |
GAP-M015 Closure Criteria
Original Criteria:
- ✅ HR privacy notice created
- ✅ GDPR Articles 13-14 requirements addressed
- ✅ ISO 27701 Annex A 7.2.9 control implemented
- ✅ Contractor-appropriate approach (not employee-centric)
- ✅ Documented data collection, use, retention, sharing, security
- ✅ Contractor rights explained
- ⏳ Notice delivered to all contractors (implementation in progress)
Status: ✅ GAP CLOSED (delivery to existing contractors in progress)
Residual Risks
Low Risk:
- Existing contractors not yet acknowledged notice (implementation in progress)
- Mitigation: Email campaign within 30 days, acknowledgment tracking
No Residual Risks for:
- Documentation completeness (notice created)
- Legal compliance (GDPR, ISO 27701, APPs addressed)
- Future contractors (notice will be provided at contract signing)
11. Next Steps and Recommendations
Immediate Actions (Within 30 Days)
- Deliver Notice to Existing Contractors
  - Action: Email notice to all active contractors
  - Responsibility: Privacy Officer
  - Timeline: Within 30 days of notice approval
  - Deliverable: Email sent with acknowledgment request
- Update Contract Template
  - Action: Add acknowledgment clause to contractor agreement template
  - Responsibility: ISMS Owner + Legal Counsel (if engaged)
  - Timeline: Before next contractor engagement
  - Deliverable: Updated contract template with clause
- Track Acknowledgments
  - Action: Create simple tracking spreadsheet for acknowledgments
  - Responsibility: Privacy Officer
  - Timeline: Set up within 14 days
  - Deliverable: Spreadsheet with contractor names, email dates, acknowledgment dates
Short-Term Actions (Within 90 Days)
- Establish Internal Documentation Portal
  - Action: Make notice available on internal docs site (if established)
  - Responsibility: ISMS Owner
  - Timeline: When documentation portal set up
  - Deliverable: Link to current version of notice
- Training for Privacy Officer
  - Action: Review procedures for handling Data Subject Access Requests (DSARs)
  - Responsibility: Privacy Officer (self-training or external training)
  - Timeline: Within 90 days
  - Deliverable: Training completion, documented DSAR procedures
- Test Deletion Procedures
  - Action: Document and test procedures for contractor data deletion (upon request or retention expiry)
  - Responsibility: Privacy Officer
  - Timeline: Within 90 days
  - Deliverable: Documented deletion procedure, test deletion completed
Medium-Term Actions (Within 6-12 Months)
- Annual Review
  - Action: Review HR Privacy Notice for accuracy and updates
  - Responsibility: Privacy Officer
  - Timeline: Annually (next review November 2026)
  - Deliverable: Reviewed notice, change log if updates made
- Legal Review
  - Action: Engage legal counsel to review notice (if budget allows)
  - Responsibility: ISMS Owner
  - Timeline: Before Series A funding or significant growth
  - Deliverable: Legal counsel sign-off, any recommended changes
- Audit of HR Data Processing
  - Action: Conduct audit to verify compliance with notice (data minimization, retention, security)
  - Responsibility: Internal Auditor
  - Timeline: 12 months after notice implementation
  - Deliverable: Audit report, any corrective actions
Continuous Actions
- Update Notice as Needed
  - Trigger: New data processing activities, new third parties, law changes
  - Action: Update notice and notify contractors (30-day notice)
  - Responsibility: Privacy Officer
  - Deliverable: Updated notice version, notification emails
- Handle Privacy Requests
  - Action: Respond to contractor Data Subject Access Requests, erasure requests, etc.
  - Responsibility: Privacy Officer
  - Timeline: 30 days (GDPR), 45 days (CCPA)
  - Deliverable: Responses to requests, documentation of compliance
12. Legal Review Recommendations
Areas for Legal Counsel Review (Future)
When engaging legal counsel (recommended before significant growth or funding), request review of:
- Contractor vs. Employee Classification
  - Ensure notice language supports independent contractor relationship
  - Verify no language creates employment relationship implications
  - Confirm appropriate for Australian contractor law
- Tax and Financial Compliance
  - Verify TFN/ABN handling complies with Taxation Administration Act
  - Confirm 7-year retention aligns with ATO requirements
  - Review payment processor data sharing arrangements
- Intellectual Property Language
  - Ensure IP management purposes align with contractor IP assignment agreements
  - Verify work product retention (1 year) is legally justified
  - Confirm anonymization option for code contributions
- International Transfer Safeguards
  - Review Standard Contractual Clauses with third parties (Google, GitHub, Cloudflare)
  - Verify Transfer Impact Assessment is adequate
  - Confirm compliance with Schrems II (EU case law on international transfers)
- Deletion and Retention
  - Verify retention periods meet all Australian legal requirements
  - Confirm deletion procedures are legally compliant
  - Review exceptions to erasure requests
- Consent Mechanisms
  - Review consent language for emergency contact, references, voluntary disclosures
  - Ensure consent is freely given, specific, informed, unambiguous
  - Verify consent withdrawal procedures
Legal Sign-Off
Legal Review Status: Tracked under Planned Work Register items P-001 (external legal review of DPAs) and P-002 (external legal review of privacy notices). Both items are scheduled for completion before the first customer engagement. The Planned Work Register is maintained internally and is available to auditors and enterprise customers on request.
Owner: ISMS Owner (P-001), Privacy Officer (P-002)
Current Status: Not started.
13. Monitoring and Continuous Compliance
Metrics to Track
Privacy Request Metrics (quarterly):
- Number of Data Subject Access Requests (DSARs)
- Average response time for DSARs
- Number of erasure requests
- Number of objections to processing
- Number of complaints (internal and to supervisory authorities)
Compliance Metrics (quarterly):
- Percentage of contractors who have acknowledged notice
- Number of contract templates with updated acknowledgment clause
- Number of privacy rights requests fulfilled within SLA (30 days)
- Number of data breaches involving contractor data (target: 0)
Audit Metrics (annually):
- Percentage compliance with retention periods (target: 100%)
- Number of access control reviews completed (target: 4 per year)
- Number of unauthorised accesses to HR data (target: 0)
- Completion of annual privacy training for Privacy Officer (target: 100%)
Continuous Improvement
Feedback Mechanisms:
- Contractor feedback on notice clarity (via surveys or direct feedback)
- Questions received about privacy (track themes for future clarification)
- Supervisory authority guidance updates (monitor for changes)
Trigger for Updates:
- New data processing activities
- New third-party service providers
- Changes to privacy laws (GDPR, Australian Privacy Act updates)
- Contractor feedback indicating confusion or concerns
- Supervisory authority guidance or enforcement actions
- Annual review findings
14. Document Summary
Evidence of Compliance
GAP-M015: ✅ CLOSED
Deliverables:
- ✅ HR Privacy Notice created (8,500 words, 12 sections)
- ✅ GDPR Articles 13-14 requirements mapped and self-assessed as addressed
- ✅ ISO 27701 Annex A 7.2.9 control elements addressed (self-assessed)
- ✅ UC-030 controls documented (requirements mapped)
- ✅ Contractor-specific approach (appropriate for business model)
- ✅ Delivery mechanism defined (contract signing, email for existing contractors)
- ✅ Evidence documentation created (this document)
Next Steps:
- ⏳ Deliver notice to existing contractors (within 30 days)
- ⏳ Update contract template (before next engagement)
- ⏳ Track acknowledgments (ongoing)
- ⏳ Legal review (when counsel engaged)
- ⏳ Annual review (November 2026)
Files Created
| File Path | Purpose | Status |
|---|---|---|
| /trust/legal/hr-privacy-notice.md | HR Privacy Notice for contractors | ✅ Created |
| /trust/compliance/evidence/privacy-controls/hr-privacy-notice-evidence.md | Evidence of compliance and gap closure | ✅ Created (this document) |
Compliance Summary
| Standard | Status | Evidence |
|---|---|---|
| GDPR Articles 13-14 | ✅ Self-assessed as addressed | Section 3 - the identified requirements have been mapped and addressed |
| ISO 27701 Annex A 7.2.9 | ✅ Self-assessed as addressed | Section 4 - identified control elements have been implemented |
| Australian Privacy Principles (APP 5) | ✅ Self-assessed as addressed | Notification of collection provided |
| Victorian HR Privacy Guidance | ✅ Aligned | Section 7 - the identified guidance elements have been addressed |
| UC-030 (Privacy for Employment/HR) | ✅ Self-assessed as addressed | Section 6 - the identified control requirements have been addressed |
Document Information
Document Title: HR Privacy Notice - Evidence Documentation
Document Owner: Privacy Officer
Approved By: ISMS Owner
Creation Date: 2025-11-08
Last Reviewed: 2026-05-21
Next Review: 2026-11-21 (annually, or upon material change)
Version: 1.0
Classification: Public
Document Location: /trust/compliance/evidence/privacy-controls/hr-privacy-notice-evidence.md
Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-11-08 | Privacy Officer | Initial evidence documentation for GAP-M015 closure |
Gap Closure Certification
I certify that:
- GAP-M015 has been remediated through creation of HR Privacy Notice
- The identified compliance requirements (GDPR, ISO 27701, APPs, UC-030) have been addressed
- Documentation is accurate and complete as of the date of this certification
- Implementation plan is in place for delivery to contractors
Certified By: ISMS Owner
Date: November 8, 2025
Signature: [Digital signature - to be completed]
Document created: November 8, 2025
Status: GAP-M015 CLOSED (implementation in progress)
© 2026 Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust. All rights reserved.