Australian and New Zealand Data Privacy

Introduction

Zscaler is committed to our customers’ success, including compliance with applicable privacy laws in Australia and New Zealand. Compliance will require a close partnership between Zscaler and our customers in their use of our services and products. The following is a brief summary of how Zscaler complies with applicable data privacy laws in Australia and New Zealand.

Australian Privacy Laws

In Australia, privacy is regulated at both the Commonwealth (or federal) level and at the state and territorial level.  The Privacy Act 1988 (Cth) (the “Privacy Act”) sets forth the Commonwealth’s standards for the collection, use, disclosure, and protection of “personal information” and applies to most private sector organizations operating in Australia or engaging in conduct that has an Australian link.  As defined under the Privacy Act, "personal information" is defined broadly to include information or an opinion about an identified individual, or an individual who is reasonably identifiable: (i) whether the information or opinion is true or not; and (ii) whether the information or opinion is recorded in a material form or not.

In particular, the Privacy Act uses the 13 Australian Privacy Principles (the “APPs”) to set standards for considering, collecting, dealing with, and maintaining the integrity of personal information.  The APPs include rights for an individual to access personal information an organization may hold that relates to that individual and/or to correct such personal information.

For more information regarding the APPs and the Privacy Act, see the Australian Government website at www.oaic.gov.au.

New Zealand Privacy Laws

In New Zealand, information privacy is regulated through the Privacy Act 2020 (the “Act”), which sets forth standards for the collection, use, disclosure, and protection of “personal information” by “agencies.”  The Act applies broadly to an “agency,” which is defined under the Act to include any person or body of persons, whether corporate or unincorporated, and whether in the public sector or private sector.  The Act also broadly defines “personal information” to mean information about an identifiable individual.

Similar to the 13 APPs under Australia’s Privacy Act, the Act sets forth 13 information privacy principles (the “IPPs”), which set standards for the storage and security of personal information, data minimization, limits on disclosure and use, and the manner for collecting personal information, as well as an individual’s rights of access and correction.  These IPPs can be found at https://privacy.org.nz/the-privacy-act-and-codes/privacy-principles/.

Zscaler Compliance with Australian and New Zealand Privacy Laws

As a security-as-a-service provider, data protection is at the core of Zscaler’s business and something Zscaler takes very seriously.  Zscaler remains committed to protecting personal data in compliance with the highest standards of privacy and security.  Below is a high-level summary of Zscaler’s compliance with the key areas of the Privacy Act (including each of the 13 APPs) as well as the key areas of the Act (including each of the 13 IPPs):  

• Zscaler will only retain, disclose, store, or use personal information for the purpose of performing the services specified in the written contracts with our customers or for the purposes described in our Privacy Policy.

• Zscaler expects that its customers will inform their Australian or New Zealand employees and users about their collection of personal information in accordance with the Act or the Privacy Act (as applicable), including without limitation (i) informing individuals of the fact that personal information is being collected as well as what kinds of personal information is being collected and held; (ii) the purpose for which the personal information has been or will be collected; (iii) the manner in which personal information will be collected and held (including the name and address of the processing entity); (iv) the intended recipients of the personal information (including location if they are overseas); (v) consequences to the individual if the information is not provided (e.g., loss of service); (vi) the individual’s rights of access and correction and how they can be exercised; and (vii) how an individual can report a privacy breach.

• Zscaler has taken reasonable steps to protect personal information it retains, discloses, stores, or uses from (i) misuse, interference, and loss; and (ii) unauthorized access, modification, or disclosure.

• Except as required by law, Zscaler does not retain, disclose, use, or store any personal information that is not needed for the purpose of providing the products or performing the services specified in our contracts with our customers or for the purposes specified in our Privacy Policy.

• Zscaler will be responsible and liable for the performance of any of its sub-processors.  Zscaler maintains a list of its current sub-processors here.

• Zscaler will make available to its customers any information reasonably necessary for our customers to demonstrate their compliance with the Act or the Privacy Act (as applicable).

FAQs relating to Australian and New Zealand Privacy Laws

We have put together the FAQs below in order to address the most common questions relating to data protection that we receive from customers and partners regarding our platform.

(1) What personal information does Zscaler retain, disclose, use, or store?

Zscaler processes and stores a limited amount of personal information (e.g., IP addresses, URLs, user IDs, user groups and departments from corporate directories).  

Zscaler support personnel will not access any personal information except for the purpose of performing the services specified in the contracts with our customers or for the purposes described in our Privacy Policy.  Additionally, customers have the option to obfuscate their user IDs from ever being seen even by their own administrators. 

For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk; all inspection takes place in memory. 

For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).

For Zscaler App (Z App) software, customers can globally enable or disable the packet capture through policies with Zscaler and delete the packet capture logs from the applicable laptop, desktop, or personal mobile device.

Customer Transaction Logs (“Customer Logs”) are never stored in clear text and are indexed, compressed, and tokenized at the point of generation – ensuring a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (“CA”). Hence, even with access to stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA. 

(2) How does Zscaler protect the personal information that it retains, discloses, uses, or stores?

Zscaler implements and maintains reasonable security procedures and practices in accordance with both the Privacy Act and the Act.  Zscaler is certified under ISO 27001 and System and Organization Controls (SOC) 2, Type II standards and is audited annually by a third party to ensure its ongoing compliance with these certifications.  Zscaler regularly tests, assesses and evaluates the effectiveness of its security measures.  Upon written request, and subject to appropriate confidentiality protections being in place, Zscaler can provide a customer with a copy of its most recent ISO 27001 certificate and/or SOC 2, Type II report. For more information, please visit https://www.zscaler.com/privacy-compliance/compliance.

(3) What is pseudonymization versus anonymization of data? And can I elect to have my company’s information fully anonymized instead of pseudonymized?

Pseudonymization of data makes it so that the data can be reattributed to a system, individual, or organization.  In contrast, anonymization of data makes it so that the data can never be reattributed to a system, individual, or organization.

For cyber security, organizations need the ability to reattribute data in the event the organization must conduct an investigation, remediation, or recovery after a security vulnerability or breach (such as isolating a targeted phishing attack). In providing our products to customers, we give customers the option to obfuscate or pseudonymize their personal data so they have the option to report on what devices should be remediated after a security breach or vulnerability.  Zscaler uses the “tokenization” methodology to perform pseudonymization of personal information.

(4) Does enabling SSL inspection change the types of personal information that Zscaler retains, discloses, uses, or stores?

No. Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores.  Rather, it provides an added layer of security protection for those threats concealed behind encrypted traffic and provides additional protection for our customers’ employees and other users.

(5) Does Zscaler use sub-processors to provide its services?

Yes. Like most cloud vendors, Zscaler does use a limited number of sub-processors to provide its services.  Zscaler will provide customers with advance written notice of any changes to its sub-processor list.  Zscaler will be responsible and liable for the performance of its sub-processors.  Zscaler maintains a current list of its sub-processors at https://www.zscaler.com/legal/subprocessors.

(6) Can Zscaler assist with requests for access and/or correction?

Yes. Zscaler has an internal process for responding to requests from individuals. However, it’s important to remember that our customer is responsible for reviewing and validating the request and submitting a support ticket to Zscaler. A request should only be made if an individual (usually a customer employee or user) makes such a request to our customer. If Zscaler receives a request directly from a customer employee or user, we will re-direct the person to our customer to validate and respond.

NOTE: While this site is designed to help organizations understand data privacy laws in Australia and New Zealand as they relate to Zscaler's services and products, the information contained herein should not be construed as legal advice.  Zscaler customers should consult with their own legal counsel with respect to interpreting their unique obligations under the Privacy Act, the Act, and various state or territorial laws affecting the privacy rights of individuals in Australia and New Zealand.