Privacy
Policy

01Overview

ComplyFOI is an end-to-end Freedom of Information (FOI) case management platform designed for use by Australian government agencies and public authorities subject to FOI obligations under the Freedom of Information Act 1982 (Cth) and equivalent state and territory legislation. ComplyFOI incorporates AI-assisted tools to support FOI case processing, document triage, redaction assistance, and exemption analysis.

We respect your right to privacy and are committed to safeguarding the privacy of our customers and users. By providing us with personal information, you consent to the terms of this Policy and the types of disclosure covered by this Policy.

This Policy has been prepared in accordance with guidance issued by the Office of the Australian Information Commissioner (OAIC) in October 2024 regarding the use of Artificial Intelligence (AI) and generative AI (GenAI) tools in commercial and government settings.

02What is personal information?

Personal information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be personal information regardless of whether it is true.

This Policy's definition of personal information expressly includes information generated or inferred by AI systems — such as profiles, assessments, redaction recommendations or decisions derived from your data — where those outputs are capable of identifying an individual.

Sensitive information is a subset of personal information that includes health information, racial or ethnic origin, political opinions, religious beliefs, criminal records, and certain government-issued identifiers. We handle sensitive information with additional care and in accordance with APP 3.

03What personal information do we collect and hold?

The types of personal information we collect depend on the nature of our engagement with you. Examples include, but are not limited to:

• name, title, and contact details;
• email address;
• home or work address;
• work information (e.g. employer, agency, role and position);
• device and technical information when you access our platform or Site;
• government-issued identifiers where provided in the course of platform use; and
• any information inferred or generated about you through our use of AI or analytics tools in connection with the platform.

Information in government records

ComplyFOI is designed to process government records, which may contain personal information and sensitive information about third parties. This information is provided to us by government agencies for the purpose of FOI case management. We do not collect or use that information for any purpose other than delivering the ComplyFOI service to the relevant agency, and we handle it in accordance with our obligations as a data processor under applicable law and the relevant agency's data handling agreement.

04Why do we collect, hold and use your personal information?

We collect, hold and use your personal information so that we can:

• verify your identity and manage your access to the platform;
• provide you with the ComplyFOI platform and associated services, and manage our relationship with you;
• contact you to respond to your queries or complaints, or to communicate important information;
• comply with our legal obligations and assist government and law enforcement agencies or regulators;
• operate, maintain and improve the ComplyFOI platform and our AI-assisted features, in accordance with the purposes described in this Policy; and
• fulfil our obligations as a service provider to government agencies under applicable contracts and data handling agreements.

If you do not provide us with your personal information, we may not be able to provide you with our products or services, communicate with you or respond to your enquiries.

05How do we collect your personal information?

We collect personal information from you in a variety of ways, including:

• when you interact with us electronically or in person;
• when you access our Site or use the ComplyFOI platform;
• when we provide our products or services to you or your agency; and
• from your employer or a government agency on whose behalf you are accessing the platform.

We may collect information about how you access, use and interact with our Site using tools such as Google Analytics or other web analytics tools.

We use cookies on the Site. A cookie is a small text file that the Site may place on your device to store information. We may use persistent cookies to store information that speeds up your use of the Site, and session cookies to manage the display and presentation of information. You may refuse cookies by adjusting your browser settings, but doing so may affect the functionality of the Site.

06Our use of Artificial Intelligence (AI) tools

ComplyFOI incorporates AI-assisted features to support FOI case management, including document triage, redaction assistance, exemption analysis and case workflow automation. LCMS is both a developer and operator of AI systems used in the ComplyFOI platform. We are subject to privacy obligations in relation to personal information that is collected, stored, used, disclosed, generated or inferred in connection with these AI tools.

AI tools we use

We may use commercially available or proprietary AI and GenAI tools in the operation of our business and platform. These tools may process personal information to:

• analyse and classify documents submitted through the FOI case management workflow;
• generate redaction recommendations and draft exemption assessments for review by authorised officers;
• support case tracking, workload management and reporting functions; and
• assist our internal teams with business operations and platform improvement.

How we handle personal information in AI systems

When using AI tools in connection with the ComplyFOI platform, we are committed to the following safeguards:

• We will only use or disclose personal information in AI systems for the primary purpose for which it was collected, or a secondary purpose where we have your express consent.
• We will not enter personal information into publicly available generative AI tools without express permission from the relevant agency or individual.
• We take steps to ensure that AI tools we use comply with the Privacy Act and APPs, and we conduct due diligence on AI vendors regarding their data handling and security practices.
• Where AI systems generate or infer personal information about an individual — including redaction recommendations, exemption assessments or case-related profiles — that information is subject to the same protections as directly collected personal information.
• We apply data minimisation principles and use only the minimum amount of personal information necessary for a given AI function.
• AI tools used in connection with government records are subject to contractual data handling requirements consistent with government information security obligations, including the Protective Security Policy Framework (PSPF).

AI as a decision-support tool

Our AI features are designed to support human decision-making, not replace it. Human oversight and review mechanisms are embedded in our platform workflows.

AI model training

LCMS will not use government agency records, FOI request data or your personal information to train external AI models. Where we develop or fine-tune proprietary AI models using internal data, we take steps to de-identify or anonymise personal information before it is used for model training purposes, to the extent reasonably practicable.

07How do we store personal information?

We store most personal information in computer systems and databases operated by us or our external service providers. Where personal information is processed in connection with the ComplyFOI platform on behalf of a government agency, storage arrangements are governed by the applicable data handling agreement with that agency.

We implement and maintain processes and security measures designed to protect personal information we hold from misuse, interference or loss, and from unauthorised access, modification or disclosure. These include:

• identity and access management technologies to control access to systems on which personal information is processed and stored;
• requiring all employees and contractors to comply with internal information security policies;
• applying security controls to AI systems and third-party tools used in our business, including contractual data handling and confidentiality obligations on vendors; and
• operating in accordance with applicable government information security frameworks, including the PSPF and relevant Australian Government cloud security guidance, where required by our agency customers.

We will take reasonable steps to destroy or de-identify personal information once we no longer require it for the purposes for which it was collected.

Government agencies retain ownership of all documents, records and FOI request data processed through the ComplyFOI platform. LCMS does not claim any ownership of, or rights in, agency records.

08Who do we disclose your personal information to, and why?

We may disclose personal information for the purposes described in this Policy to:

• our employees and related bodies corporate;
• third party suppliers and service providers, including providers for the operation of our Site and platform, and technology partners engaged to deliver the ComplyFOI service;
• our existing or potential agents, business partners or professional advisors; and
• AI tool providers or technology platforms engaged by us to operate or improve the platform, subject to appropriate data handling agreements.

We may also disclose personal information where: (i) we are required or authorised by law to do so; (ii) you have expressly consented to the disclosure; or (iii) we are otherwise permitted to disclose the information under the Privacy Act.

We do not disclose government agency records or FOI request data to any unauthorised third party. Any disclosure of such records is governed exclusively by the applicable data handling agreement with the relevant agency.

09Do we disclose personal information to overseas recipients?

We may disclose your personal information to recipients located outside Australia. Those recipients are likely to be in the United States of America.

Some AI tools and platforms we use may process or store data on servers located overseas, including in the United States. Before disclosing personal information to overseas recipients, we take reasonable steps to ensure those recipients handle information consistently with the APPs, or we obtain the consent of the relevant individual or agency.

Government agencies with requirements to store data onshore should discuss sovereign data hosting options with us before deploying the platform.

10Do we use your personal information for marketing?

We may use your personal information to offer you products and services that we believe may be of interest to you, unless you tell us not to. Where you receive electronic marketing communications from us, you may opt out by following the opt-out instructions in the communication.

We do not use automated profiling, AI-driven targeting, or government records data for marketing purposes.

11How do you access, or ask for a correction to, your personal information?

You may access or request correction of the personal information that we hold about you by contacting us at the details below. There are some circumstances in which we are not required to give you access to your personal information.

There is no charge for requesting access, but we may require you to meet our reasonable costs in providing access (such as costs for time spent collating large amounts of material).

We will respond to access and correction requests within a reasonable time and will take all reasonable steps to ensure the personal information we hold about you remains accurate and up to date.

If you wish to access personal information held about you in any AI-generated assessment, redaction recommendation or case profile, or to request correction of inaccurate AI-inferred information, you may exercise your access and correction rights by contacting us at the details below. Where such information is held as part of a government agency's FOI case records, you may need to direct your request to the relevant agency.

12How do you make a complaint?

If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, please contact us at the details below.

We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome and any subsequent internal investigation.

If you are not satisfied with our handling of a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (www.oaic.gov.au) for guidance on alternative courses of action.

13Contact details

If you have any questions, comments, requests or concerns relating to this Policy or the handling of your personal information, please contact us at:

Email: info@legalconsultingmanagedservices.com
Web: www.legalconsultingmanagedservices.com

14Changes to this Policy

We may modify this Policy at any time, in our sole discretion. All modifications will be effective immediately upon posting to our Site. Please check back from time to time to review our current Policy.

Where changes are material — in particular, changes relating to our use of AI tools, data handling practices, or your rights regarding AI-generated information — we will provide prominent notice on our Site.

You may obtain a copy of our current Policy from our Site or by contacting us at the details above.