FAQs

Answers for your Frequently Asked Questions.

General FAQs

What is the Trusted Digital Identity Framework?

The Trusted Digital Identity Framework (TDIF) is the Australian Government’s accreditation framework for digital identity services.

TDIF sets strict rules and standards for usability, accessibility, privacy protection, security, risk management, fraud control and more.

TDIF considers global best practices and standards and adapts them to a model that will work for all Australians and meet their expectation of privacy, safety and security while online.

TDIF is the benchmark for privacy and security for digital identity services and sets best-practice digital identity policy across the government and private sector in Australia.

Accreditation demonstrates that a digital identity service is trusted, safe and secure and built to the standards set by the Australian Government.
RatifyID is a Trusted Digital Identity Framework (TDIF) accredited identity service provider and credential service provider.

You can visit the Australian Government website here to learn more.

Who owns RatifyID?

RatifyID is wholly owned by background checking company Makesure Pty Ltd and built in partnership with the Ratify team.

The Makesure Group offers Checking, Compliance and Identity services through four businesses.

Makesure – Background checking

Widest range of background checks all in one place, online, low touch, automated, with full support for clients and applicants.

Ratify – Compliance services

Fully flexible SaaS compliance management software and app that stores, monitors, tracks, requests, shares, approves and audits almost anything.

RatifyID – Identity services

Seamless trusted and TDIF-accredited digital ID app for businesses to authenticate & onboard users in seconds.

(Removing the need for passwords and verification questions)

IDSure – Identity services

Document Verification Gateway connected to the Department of Home Affairs. Uses AI-based OCR to read, verify and complete fast verifications.

Why would my organisation use RatifyID?

The Benefits:

  • Safe & Secure.
  • Convenient & Efficient.
  • Simple & Reusable.

Digital identity offers numerous benefits for individuals and businesses alike, by improving convenience, security, efficiency, and access to services, thereby driving digital transformation and empowering individuals and businesses in the digital era.

Digital identity solutions can be integrated with fraud detection mechanisms, enhancing the ability to identify and prevent fraudulent activities.

Businesses can limit the storage of personal data by relying on digital identity verification systems. They only need to confirm the authenticity of the individual’s identity without storing extensive personal information, reducing the risk of data breaches and supporting compliance with data protection regulations.

Digital identity verification streamlines customer onboarding processes, making them faster and more efficient. This can lead to increased customer satisfaction and a more seamless and user-friendly experience, which in turn can increase customer loyalty.

Digital identity systems can assist businesses in meeting regulatory requirements and Know Your Customer (KYC) obligations more effectively.

Integration:

RatifyID makes it easier for your customers to verify their identity to the level you require. Easily integrated into your experience, RatifyID helps you meet your compliance obligations, boost your conversion rates and build trust.

The integration process is simple. It begins with a discussion between you and our RatifyID account management team to establish your organisation’s needs.

Please contact us here and we will be in touch to discuss a RatifyID demonstration.

Which devices are supported?

The RatifyID app is compatible with smartphone devices using the Android (version 8.0+) or iOS (version 12.0+) operating systems.

If you are using one of these devices and are experiencing issues, please contact our RatifyID support team by clicking the chat icon on your screen now.

What documents can I use?

The documents include, but are not limited to, the following:

  • Passport – not more than 3 years expired.
  • Verify your photo.
  • Driver’s licence (including learner’s permit).
  • Birth certificate.
  • Visa (using your foreign passport).
  • ImmiCard.
  • Citizenship Certificate.
  • Medicare card – Once you verify one of the documents above in the app, you’ll have the option to verify your Medicare card.

What is enduring and express consent?

Enduring Consent implies ongoing permission granted by the individual for the collection, use, and sharing of their personal information. Express consent, on the other hand, is specific and explicit consent given by an individual for a particular purpose or set of activities.

What are Identity Proofing Levels?

| Proofing Level | Requirements | What you can do |
|---|---|---|
| IP 1 | “I am who I say I am”. No document or verification required. | Low level risk activities such as paying a fine. |
| IP 1 plus | Provide one identity document with a date of birth to RatifyID which will be verified. | Low-level risk where the consequences are minor such as signing up to loyalty cards. |
| IP 2 | Provide two or more identity documents, one of which is a PhotoID, Passport, or Australian Birth Certificate, to RatifyID which will be verified. | Moderate risk activities such as signing up for services that may be paid for, e.g. subscriptions. |
| IP 2 Plus | Provide two or more identity documents, one of which is a PhotoID (Passport), or Australian Birth Certificate and another identity document, to RatifyID which will be verified. The passport will be verified through the actual document and facial comparison. | High risk where incorrect identification will have high to moderate consequences, e.g. undertaking larger financial transactions. |

Why is my document verification failing?

Please contact us on the RatifyID live chat now to discuss the verification error you are receiving. Our experienced team will assist you in real time to verify your documentation or further investigate the error you are receiving.

How do I use my RatifyID on a relying partner (partner organisation) website?

Easily. Once you follow the steps to set up your RatifyID trusted digital identity, your verified identity details are ready to be used with our relying partner websites.

How do I use my RatifyID face to face with relying partner (partner organisation)?

To use RatifyID face-to-face, follow these steps:

  • Ensure you have the necessary digital verification app installed on your mobile device. This could be an app provided by a trusted identity verification service.
  • Open the app and navigate to the face verification or facial recognition feature.
  • Position yourself in good lighting conditions, ensuring your face is clearly visible to the device’s camera.
  • Follow the prompts provided by the app. This may include aligning your face within a designated area or performing specific facial movements as directed.
  • The app will capture and analyze your facial features to verify your identity. It may compare your facial data against previously recorded data or use biometric algorithms to authenticate your identity.

Once the verification process is complete, you will receive confirmation of your identity verification on the app or through a notification.

Is RatifyID safe?

Yes, RatifyID is safe as it employs robust security measures, adheres to privacy regulations, and conducts regular updates and audits.

RatifyID is a Trusted Digital Identity Framework (TDIF) accredited identity service provider and credential service provider.

Please visit the Australian Government website here to learn more about the TDIF.

Where do we store information?

We prioritise your privacy and data security. Your information is stored securely in Australia, utilising strong encryption within our protected environment.

Your information is safe.

Please see our privacy policy here.

What happens if I lose my phone?

RatifyID ensures the security of your personal data by linking it to your mobile number and device, utilising advanced encryption technology. If your phone is lost or stolen, your data remains protected. A guided process will take you through steps of verifying you are the owner of the account and transferring your digital identity to a new device.

The process involves requesting information from the user to verify that they are the actual owner of that account. For example, we will ask what IP level they reached, which documents they verified, and the document number and expiration dates of the verified documents. We may even use what TDIF calls “biometric matching” to match the user profile picture against the person going through the process. At the end of the process, the previously used device is marked as inactive, and the new one takes its place.

How do I do more to protect my identity online?

  • Only use Australian Government accredited Digital Identity providers, such as RatifyID.
  • Only use trusted websites and network connections.
  • Keep Personal Information Private. NEVER share private information via email – RatifyID will NEVER ask you to do this.
  • Always password-protect your devices with strong passwords or two-factor authentication.
  • Be vigilant of phishing scams.

Once my digital identity is verified, can I delete all my personal data?

Your personal data is instantly deleted once your identity is verified. RatifyID does not retain your personal data.

How do I delete my account and what happens?

RatifyID allows you to easily deactivate your digital identity or delete your entire account. You can access these options from Account and settings > Manage account. If you decide to delete your account, all the information associated with your account will be permanently deleted from the RatifyID servers, and from your device. Uninstalling the RatifyID app does NOT deactivate your digital identity or delete your account.

How to report a scam?

If you suspect you are a target of identity theft, please reach out to your local police for assistance. To report any fraudulent activities, you can visit SCAMWatch or the Australian Cybercrime Online Reporting Network websites. For specialised identity support specifically for Australian and New Zealand citizens, you can access the IDCARE website.

RatifyID Policies and Procedures

RatifyID Privacy Complaints Procedure

Privacy Complaints Procedure

At RatifyID we are committed to protecting the privacy and confidentiality of personal information collected from individuals. We understand the importance of privacy and strive to handle personal information responsibly in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We have established a Privacy Complaints Procedure to ensure that any concerns or complaints regarding the handling of personal information are promptly and effectively addressed. This procedure outlines the steps involved in lodging a privacy complaint and the process we follow to resolve such complaints.

Lodging Your Complaint:

To lodge a privacy complaint, please provide a written statement outlining the details of your complaint, including:

  • Your name and contact information.
  • The nature of the complaint.
  • Relevant dates, events, or incidents related to the complaint.
  • Any supporting documentation or evidence.

You can submit your complaint through one of the following methods:

  • Email: privacy@ratifyid.com
  • Postal Mail: Ratify ID 26-36 High Street Northcote, Victoria 3070

Acknowledging Your Complaint:

Upon receiving your privacy complaint, we will send an acknowledgment email or letter within 3 business days, confirming receipt of your complaint.

Investigating and Resolving Your Complaint:

We will conduct a thorough investigation into your complaint, which may involve gathering additional information or contacting relevant parties.

Our aim is to resolve privacy complaints within a reasonable time frame, generally within 20 business days.

During the investigation, we may need to contact you for further details or clarification regarding your complaint.

The complaint will be handled by a dedicated Privacy Officer within the organization who has experience and skills in investigating and resolving privacy complaints. The Privacy Officer is a key role within the organization responsible for ensuring compliance with privacy laws and regulations, as well as developing and implementing privacy policies and practices.

Our Response:

Once the investigation is complete, we will provide you with a written response outlining our findings and any actions taken as a result.

If we find that your complaint is substantiated, we will explain any remedies or corrective measures implemented to address the issue.

If we find that your complaint is not substantiated or falls outside the scope of our privacy obligations, we will provide reasons for our decision.

Upon resolution of each complaint, RatifyID may report the nature of the complaint and how that case has been investigated and resolved to the Office of the Australian Information Commissioner.

If you are not happy with our response to your complaint:

If you are dissatisfied with our response or the handling of your privacy complaint, you may choose to escalate the matter to an external authority, such as the Office of the Australian Information Commissioner (OAIC).

The OAIC is an independent statutory body responsible for overseeing privacy issues in Australia. You can find more information about the OAIC on their website: https://www.oaic.gov.au/privacy/privacy-complaints

We are committed to resolving privacy complaints promptly and ensuring that appropriate corrective actions are taken, where necessary, to address any breaches of privacy. Rest assured that all privacy complaints will be treated seriously, and we will handle them in a fair and confidential manner.

Please note that this Privacy Complaints Procedure is subject to review and may be updated from time to time to ensure compliance with any changes in privacy laws and regulations.

If you have any questions or require further information about our privacy practices or the complaints procedure, please contact us at privacy@ratifyid.com or contact us here.

RatifyID Fraud Complaints Procedure

Digital Identity Fraud Incidents Process

Experiencing a digital identity fraud incident can be distressing, but it is important to take prompt action to report and address the issue. Follow this procedure to complain about a digital identity fraud incident.

We have established a Fraud Incident Response procedure to ensure that any concerns or complaints regarding identity fraud are promptly and effectively addressed. This procedure outlines the steps involved in lodging a Digital Identity Fraud Incident and the process we follow at Ratify ID to resolve such incidents.

Lodging Your Incident

To lodge an incident, please provide a written statement outlining the relevant details including:

  • Your name and contact information.
  • The nature of the incident.
  • Relevant dates, events, or incidents related to the incident.
  • Any supporting documentation or evidence.

You can submit your incident at fraud@localhost

Acknowledgment of Your Incident:

Upon receiving the details of your incident, we will send an acknowledgment email within 24 hours, confirming receipt.

Investigation and Resolution of Your Incident:

We will conduct a thorough investigation of your incident, which may involve gathering additional information or contacting relevant parties.

Our aim is to resolve incidents within a reasonable time frame, generally within 5 – 10 business days.

During the investigation, we may need to contact you for further details or clarification regarding your complaint.

The incident will be handled by a dedicated Digital Identity fraud controller at Ratify ID who has experience and skills in investigating and resolving fraud complaints.

Our Response:

Investigating a digital identity fraud incident involves documenting the incident, allocating an investigator, securing affected systems, conducting appropriate analyses, collaborating with law enforcement if appropriate, notifying relevant parties, collecting and analyzing data, coordinating with third parties, reporting and documenting findings, implementing remediation measures, and continuous monitoring. It’s important to preserve evidence, engage experts when needed, and maintain detailed records. The investigation aims to gather evidence, identify the perpetrators, and take steps to mitigate the incident’s impact while preventing future occurrences. Collaboration, documentation, and continuous learning are key throughout the investigation process.

We will either:

a) investigate actual and suspected Digital Identity Fraud Incidents, unless the incident or suspected incident has been referred to, and been accepted by, an Enforcement Body such as Police or another Entity; or
b) if the Digital Identity Information held by us in connection with the services you have used does not include Personal Information, take reasonable steps to support an investigation being conducted by Police or another Entity.

With all Digital Identity Fraud Incidents, we will take reasonable steps to:

a) mitigate the adverse effects of the incident; and
b) eliminate or, if it cannot be eliminated, minimise, the risk of recurrence of similar incidents.

Resolution

Once the investigation is complete, we will provide you with a written response outlining our findings and any actions taken as a result.

Subject to the investigation findings we will explain any remedies or corrective measures implemented to address your Digital Identity Fraud Incident.

Reporting on Digital Identity Fraud Incidents

We will at all times maintain documented procedures setting out criteria for Digital Identity Fraud Incident investigation processes and procedures including appropriate criteria for making timely decisions at critical stages in managing a Digital Identity Fraud Incident.

We will also keep records of:

a) decisions to use civil, administrative or disciplinary procedures, or to take no further action in response to a suspected Digital Identity Fraud Incident; and
b) our investigation of and responses to actual and suspected Digital Identity Fraud Incidents.
c) maintain documented procedures setting out criteria for Digital Identity Fraud Incident investigation processes and procedures including appropriate criteria for making timely decisions at critical stages in managing a Digital Identity Fraud Incident

We will also:

a) provide Digital Transformation Australia with a report on Digital Identity Fraud Incidents at least once every quarter; or
b) if the Digital Identity Information held by us in connection with the services we have provided does not include Personal Information, we will take reasonable steps to support the reporting of Digital Identity Fraud Incidents by another suitable Entity (Accredited Provider or Relying Party).

We will include, at a minimum, the following information when reporting on Digital Identity Fraud Incidents:

a) the number of Digital Identity Fraud Incidents related to the Applicant in the period since the last report. The number of such incidents may be zero;
b) a description of the type or types of Digital Identity Fraud Incidents and their severity; and
c) a description of the measures taken by us in response to the incidents covered by the report.

If you are not happy with our response to your Digital Identity Fraud Incident:

If you are dissatisfied with our response or the handling of your Digital Identity Fraud Incident, you may choose to escalate the matter to the Office of the Australian Information Commissioner at www.oaic.gov.au

If you have any questions or require further information about our process for resolving Digital Identity Fraud Incidents, please contact us at fraud@localhost or Contact us here.

RatifyID Cyber Security Incidents and Complaints Procedure

Cyber Security Incidents and complaints

Experiencing Cyber Security incidents can be distressing, but it is important to take prompt action to report and address the issue. Please follow the steps to lodge your incident and contact us at privacy@ratifyid.com or Contact us here.

Lodging Your Cyber Security Incident

To lodge an incident, please provide a written statement outlining the relevant details including:

  • Your name and contact information.
  • The nature of the incident.
  • Relevant dates, events, or incidents related to the incident.
  • Any supporting documentation or evidence.

You can submit your incident at privacy@ratifyid.com

Acknowledgment of Your Incident:

Upon receiving the details of your incident, we will send an acknowledgment email within 24 hours, confirming receipt. You will also be informed of the investigation outcome.

RatifyID Whistleblower Policy

To contact RatifyID anonymously, please click here.

The RatifyID Whistleblower Policy

1. Aim

RatifyID is committed to transparency and to building an environment in which people feel free to raise legitimate issues relating to the Company’s operations. The aim of this Policy is to help deter wrongdoing relating to the Company’s operations, by encouraging disclosure of wrongdoing and ensuring that anyone who makes a disclosure can do so safely, securely and with confidence that they will be protected and supported.

2. Purpose

The Corporations Act 2001 (Cth) and the Taxation Administration Act 1953 (Cth) provide for protections for whistleblowers (Whistleblower Protection Scheme).

The purpose of this Policy is to set out information relating to the Whistleblower Protection Scheme, including information about:

(a) the types of disclosures that qualify for protection;

(b) the protections available to whistleblowers;

(c) who disclosures can be made to and how they can be made;

(d) how the Company will support whistleblowers and protect them from detriment;

(e) how the Company will investigate disclosures;

(f) how the Company will ensure fair treatment of employees who are the subject of or are mentioned in disclosures; and

(g) how this Policy is to be made available to officers and employees of the Company.

This Policy applies to the company RatifyID. References to the Company throughout this Policy mean RatifyID, which will perform the obligations under this Policy. If the Company has any related bodies corporate overseas, this Policy may need to be read subject to any applicable overseas legislation.

3. Scope of the Whistleblower Protection Scheme

3.1 What disclosures are protected?

A disclosure will ‘qualify’ for protection under the Whistleblower Protection Scheme if:

(a) it is a disclosure by an ‘eligible whistleblower’ (see paragraph 4) to:

(i) ASIC, APRA, the Commissioner of Taxation (in relation to tax matters), a prescribed Commonwealth authority or a legal practitioner; or

(ii) an ‘eligible recipient’ (see paragraph 6.1); and

(b) the eligible whistleblower has ‘reasonable grounds’ to ‘suspect’ that the disclosed information concerns a disclosable matter (see paragraph 5.1).

Public interest and emergency disclosures also qualify for protection – see paragraphs 6.4 and 6.5.

4. Who is an ‘eligible whistleblower’?

The following persons are capable of being ‘eligible whistleblowers’:

(a) an officer or employee of the Company (including, but not limited to, current and former employees who are permanent, part-time, fixed-term or temporary, interns, secondees, managers and directors);

(b) an individual who is an associate of the Company; and

(c) an individual who supplies goods or services to the Company (whether paid or unpaid) or an employee of a supplier (including, but not limited to, current and former contractors, consultants, service providers and business partners).

An ‘eligible whistleblower’ also includes an individual who previously held any of the above positions or functions or who is a relative of the individuals set out above or a dependant of one of those individuals or of the spouse of such an individual.

5. What information will be a disclosable matter?

5.1 What is a ‘disclosable matter’?

A disclosable matter is information that:

(a) concerns misconduct or an improper state of affairs or circumstances in relation to the Company or one of its related bodies corporate; or

(b) indicates the Company, a related body corporate or one of its or their officers or employees has engaged in conduct that constitutes an offence against, or a contravention of, the:

(i) Corporations Act 2001 (Cth);

(ii) Australian Securities and Investments Commission Act 2001 (Cth);

(iii) National Consumer Credit Protection Act 2009,
and any instrument made under these Acts;

(c) constitutes an offence against or a contravention of any other law of the Commonwealth that is punishable by imprisonment for 12 months or more; or

(d) represents a danger to the public or the financial system.

The misconduct or an improper state of affairs can also be in respect of tax affairs.

Disclosable matters do not necessarily involve a contravention of a law. For example, ‘misconduct or an improper state of affairs or circumstances’ could involve conduct that, while not unlawful, indicates a systemic issue of concern that the relevant regulator should know about to properly perform its functions. It may also relate to business behaviour and practices that may cause consumer harm. Also, information that indicates a significant risk to public safety or the stability of, or confidence in, the financial system is a disclosable matter, even if it does not involve a breach of a particular law.

ASIC guidance indicates that disclosable matters include:

(i) illegal conduct, such as theft, dealing in, or use of illicit drugs, violence or threatened violence, and criminal damage against property;

(ii) fraud, money laundering or misappropriation of funds;

(iii) offering or accepting a bribe;

(iv) financial irregularities;

(v) failure to comply with, or breach of, legal or regulatory requirements; and

(vi) engaging in or threatening to engage in detrimental conduct against a person who has made a disclosure or is believed or suspected to have made, or be planning to make, a disclosure.

An eligible whistleblower who makes a disclosure must have ‘reasonable grounds to suspect’ the information to qualify for protection. The term ‘reasonable grounds to suspect’ is based on the objective reasonableness of the reasons for the eligible whistleblower’s suspicion. This means that even if a disclosure turns out to be incorrect, the protections will still apply, provided the eligible whistleblower had ‘reasonable grounds to suspect’. In practice, a mere allegation with no supporting information is not likely to be considered as having ‘reasonable grounds to suspect’. However, an eligible whistleblower does not need to prove their allegations.

Disclosures that are not about a disclosable matter are not covered by this Policy and do not qualify for protection under the Whistleblower Protection Scheme. However, such disclosures may be protected under other legislation, such as the Fair Work Act 2009 (Cth), for example, personal work-related grievances (set out in paragraph 5.3 below).

5.2 Deliberate false reports not tolerated

The Company must treat all reports of disclosable matters seriously and endeavour to protect anyone who raises concerns in line with this Policy. An eligible whistleblower can still qualify for protection under this Policy where their disclosure turns out to be incorrect.

However, deliberate false or vexatious reports will not be tolerated. Anyone found making a deliberate false claim or report will be subject to disciplinary action, which could include dismissal.

5.3 Personal work-related grievances

A disclosure does not qualify for protection under the Whistleblower Protection Scheme to the extent that the information disclosed:

(a) concerns a personal work-related grievance of the eligible whistleblower; and

(b) does not concern a contravention, or an alleged contravention of the detriment provisions referred to in paragraph 8.3 of this Policy.

A disclosure is a ‘personal work-related grievance’ if:

(a) the information concerns a grievance about a matter relating to the eligible whistleblower’s employment, or former employment, having (or tending to have) implications for the eligible whistleblower personally; and

(b) the information:

(i) does not have significant implications for the Company, or another regulated entity, that do not relate to the eligible whistleblower; and

(ii) does not concern conduct, or alleged conduct, referred to in paragraph 5.1(b), 5.1(c), or 5.1(d) of this Policy.

Examples of personal work-related grievances include:

(a) an interpersonal conflict between the eligible whistleblower and another employee;

(b) a decision that does not involve a breach of workplace laws;

(c) a decision relating to the engagement, transfer or promotion of the eligible whistleblower;

(d) a decision relating to the terms and conditions of engagement of the eligible whistleblower; or

(e) a decision to suspend or terminate the employment of the discloser, or otherwise to discipline the eligible whistleblower.

Disclosures about personal work-related grievances should be raised under the Company’s existing grievance policy, which can be found in the Employee Handbook.

However, a personal work-related grievance may still qualify for protection if:

(a) it includes information about misconduct, or information about misconduct includes or is accompanied by a personal work-related grievance;

(b) the entity has breached employment or other laws punishable by imprisonment for a period of 12 months or more, engaged in conduct that represents a danger to the public, or the disclosure related to information that suggests misconduct beyond the eligible whistleblower’s personal circumstances;

(c) the eligible whistleblower suffers from or is threatened with detriment for making a disclosure; or

(d) the eligible whistleblower seeks legal advice or legal representation about the operation of the whistleblower protections under the Corporations Act.

6. Who can receive a disclosure?

For the protections under the Whistleblower Protection Scheme to apply, a disclosure must be made directly to an ‘eligible recipient’. These people are detailed below. If you are an eligible whistleblower, your disclosure qualifies for protection from the time it is made to an eligible recipient, regardless of whether you or the recipient recognises that the disclosure qualifies for protection at that time.

6.1 Eligible recipients within the Company

An eligible whistleblower can make a disclosure internally to the persons set out below (referred to as Authorised Recipients) – each of whom has relevant experience to deal with such matters. Authorised Recipients can be contacted in the following ways:

Steve Prideaux

Chief Executive Officer

03 9034 6449

Whilst the Company encourages disclosures to an Authorised Recipient, if it relates to the CEO or a director of the Company, it should be raised directly with the Chair of the Board, who can be contacted in the following ways – by email – donclarke@optusnet.com.au.

If you do not feel comfortable raising your disclosure with an Authorised Recipient, you could also raise it with any of the following:

(a) an officer or senior manager of the Company or a related body corporate. For these purposes, a senior manager includes the CEO or CFO; or

(b) the internal or external auditor of the Company or a related body corporate (including a member of an audit team conducting an audit).

6.2 Disclosure to external regulatory bodies

While the Company encourages you to make disclosures internally, an eligible whistleblower may choose to raise disclosable matters outside of the Company with:

(a) ASIC; or

(b) APRA; or

(c) a Commonwealth authority prescribed in the Corporations Regulations.

6.3 Disclosure to a legal practitioner

A report of a disclosable matter will also be protected if it is made to a qualified legal practitioner for the purpose of taking legal advice or legal representation in relation to the operation of the whistleblower provisions in the Corporations Act.

6.4 Public interest disclosures

There is an additional category of disclosures called ‘public interest disclosures’ that qualify for protection. These can be made to journalists and members of Parliament, but only if the eligible whistleblower complies with the following strict requirements:

(a) the eligible whistleblower must have first made a qualifying disclosure to ASIC, APRA, or a prescribed Commonwealth authority;

(b) at least 90 days have passed since the qualifying disclosure was made;

(c) the eligible whistleblower does not have reasonable grounds to believe that action is being, or has been, taken to address the matters to which the qualifying disclosure related;

(d) the eligible whistleblower has reasonable grounds to believe that making a public interest disclosure would be in the public interest;

(e) after 90 days have passed, the eligible whistleblower must give the body to which the qualifying disclosure was originally made a written notification that:

(i) includes sufficient information to identify the qualifying disclosure; and

(ii) states that the eligible whistleblower intends to make a public interest disclosure; and

(f) the extent of the information disclosed in the public interest disclosure is no greater than to inform the journalist or member of Parliament of the misconduct or improper state of affairs or circumstances, or other conduct falling within the scope of the Whistleblower Protection Scheme.

6.5 Emergency disclosures

There is an additional category of disclosures called ‘emergency disclosures’ that qualify for protection. These can be made to journalists and members of Parliament, but only if the eligible whistleblower complies with the following strict requirements:

(a) the eligible whistleblower must have first made a qualifying disclosure to ASIC, APRA or a prescribed Commonwealth authority;

(b) the eligible whistleblower has reasonable grounds to believe that information concerns a substantial and imminent danger to the health or safety of one or more persons or to the natural environment;

(c) the eligible whistleblower gave notice to the body to which the qualifying disclosure was made that states:

(i) that they intend to make an emergency disclosure; and

(ii) includes sufficient information to identify the qualifying disclosure; and

(d) the extent of the information disclosed in the emergency disclosure is no greater than is necessary to inform the journalist or member of Parliament of the substantial and imminent danger.

Before making a public interest or emergency disclosure, it is important that an eligible whistleblower understands the criteria for protection under the relevant legislation. Eligible whistleblowers should obtain independent legal advice prior to making any disclosure.

7. Anonymous Disclosures

An eligible whistleblower can choose to make a disclosure anonymously and to remain anonymous over the course of the investigation and after the investigation is finalised. For example, they may do so because of concerns about their identity becoming known. If such concerns exist, an eligible whistleblower may prefer to adopt a pseudonym for the purposes of their disclosure (not their true name) – or to create an anonymous email address to submit their disclosure to an Authorised Recipient. Regardless, anonymous disclosures are still capable of being protected under the Whistleblower Protection Scheme.

Reporting anonymously may hinder our ability to fully investigate a reported matter. For example, an eligible whistleblower can refuse to answer questions that they feel could reveal their identity at any time, including during follow-up conversations. For this reason, we encourage anonymous eligible whistleblowers to maintain ongoing two-way communication with us (such as via an anonymous email address), so that we can ask follow-up questions or provide feedback.

You can lodge an anonymous report to us via email at privacy@ratifyid.com or by our online contact form here.

8. Protections

Important protections relating to confidentiality and detriment apply to eligible whistleblowers who report disclosable matters in accordance with the Whistleblower Protection Scheme outlined in this Policy. The protections apply not only to internal disclosures, but to disclosures to legal practitioners, regulatory and other external bodies, and public interest and emergency disclosures that are made in accordance with the Corporations Act.

The Company takes contraventions of these protections very seriously and will take disciplinary action against anyone who contravenes them. If you have any particular concerns about this, you can raise them with an Authorised Recipient.

Civil and criminal sanctions also apply for breaches of these protections.

8.1 Confidentiality

Strict confidentiality obligations apply in respect of any disclosures that qualify for protection under the Whistleblower Protection Scheme.

Unless the eligible whistleblower consents, it is against the law for a person to disclose an eligible whistleblower’s identity or any information that may lead to their identification (subject to the exceptions set out below).

The Company will protect the eligible whistleblower’s identity through:

(a) maintaining mechanisms reducing the risk that the eligible whistleblower will be identified from the information contained in a disclosure:

(i) all personal information or reference to the eligible whistleblower witnessing an event will be redacted;

(ii) the eligible whistleblower will be referred to in a gender-neutral context;

(iii) where possible, the eligible whistleblower will be contacted to help identify certain aspects of their disclosure that could inadvertently identify them; and

(iv) disclosures will be handled and investigated by qualified staff.

(b) maintaining mechanisms for secure record-keeping and information-sharing processes:

(i) all paper and electronic documents and other materials relating to disclosures will be stored securely;

(ii) access to all information relating to a disclosure will be limited to those directly involved in managing and investigating the disclosure;

(iii) only a restricted number of people who are directly involved in handling and investigating a disclosure will be made aware of an eligible whistleblower’s identity (subject to the eligible whistleblower’s consent) or information that is likely to lead to the identification of the eligible whistleblower;

(iv) communications and documents relating to the investigation of a disclosure will not be sent to an email address or to a printer that can be accessed by other staff; and

(v) each person who is involved in handling and investigating a disclosure will be reminded about the confidentiality requirements, including that an unauthorised disclosure of an eligible whistleblower’s identity may be a criminal offence.

In practice, it is important to recognise that an eligible whistleblower’s identity may still be determined if the eligible whistleblower has previously mentioned to other people that they are considering making a disclosure, the eligible whistleblower is one of a very small number of people with access to the information, or the disclosure relates to information that an eligible whistleblower has previously been told privately and in confidence.

It is likely that the Company will ask eligible whistleblowers to consent to the disclosure of their identity – or information that may lead to their identification. This consent may be needed to appropriately investigate and resolve the matter and/or prevent the disclosable matter occurring again.

If an eligible whistleblower does not consent to their identity being disclosed, it will still be lawful to disclose their identity to:

(a) ASIC, APRA, the AFP or the Commissioner of Taxation (in relation to tax matters);

(b) a legal practitioner for the purposes of obtaining legal advice or legal representation about the disclosure; or

(c) to a body prescribed by the Corporations Regulations.

It will also be lawful to disclose information in a disclosure without the eligible whistleblower’s consent if this is reasonably necessary for the purpose of investigating the disclosure (provided the information does not include the eligible whistleblower’s identity and the Company takes all reasonable steps to reduce the risk that the eligible whistleblower will be identified as a result of the disclosure).

ASIC, APRA or the AFP can disclose the identity of an eligible whistleblower, or information that is likely to lead to the identification of the eligible whistleblower, to a Commonwealth, State or Territory authority to help the authority in the performance of its functions or duties.

If there is a breach of confidentiality, an eligible whistleblower can lodge a complaint with an Authorised Recipient or a regulator such as ASIC or APRA for investigation.

If your disclosure qualifies for protection set out in this Policy, it is likely you will be asked to provide consent to the disclosure of your identity or information that is likely to lead to your identification. This would be to facilitate any investigation and/or resolution of the matter. If consent is withheld, it may not be possible to adequately investigate and respond (if at all) to the disclosure.

8.2 The Company cannot pursue action against the eligible whistleblower

An eligible whistleblower is protected from any civil liability, criminal liability and/or administrative liability (including disciplinary action) for making a qualifying disclosure in accordance with the Whistleblower Protection Scheme, and no contractual or other remedy may be enforced or exercised against the eligible whistleblower on the basis of a qualifying disclosure.

However, the protections do not grant immunity for any misconduct an eligible whistleblower has engaged in that is revealed in their disclosure.

8.3 Detriments and threats of detriment prohibited

The protections also make it unlawful for a person to engage in conduct against another person that causes or will cause a detriment:

(a) in circumstances where the person believes or suspects that the other person or a third person made, may have made, proposes to make or could make a qualifying disclosure; and

(b) if the belief or suspicion held by that person is the reason or part of the reason for their conduct.

Threats of detriment will also be unlawful if the person making the threat intended to cause fear that a detriment would be carried out or was reckless as to whether the person against whom it was directed would fear the threatened detriment being carried out.

Threats may be express or implied, conditional or unconditional. An eligible whistleblower (or another person) who has been threatened in relation to a disclosure does not have to actually fear that the threat will be carried out.

The meaning of ‘detriment’ is very broad and includes:

(a) dismissing an employee;

(b) injuring an employee in their employment;

(c) altering an employee’s position or duties to their disadvantage;

(d) discriminating between an employee and other employees;

(e) harassing or intimidating a person;

(f) harming or injuring a person;

(g) damaging a person’s property, reputation, business or financial position; and

(h) any other damage to a person.

It may be necessary during the course of an investigation to take reasonable administrative action to protect an eligible whistleblower from detriment (e.g. changing the whistleblower’s reporting line if the disclosure relates to a manager). Such conduct will not be detrimental conduct. A disclosure will also not prohibit the Company from managing (in the ordinary way) any separate performance issues that may affect the work of an eligible whistleblower.

A whistleblower may be subject to disciplinary action if, in the course of investigating a disclosure, the Company determines that the eligible whistleblower was complicit in the misconduct or improper state of affairs or has otherwise acted in an improper way.

Information about what the Company will do to provide support to and protect an eligible whistleblower is set out in paragraph 10. However, if an eligible whistleblower believes they have suffered detriment they can lodge a complaint with an Authorised Recipient or a regulator such as ASIC or APRA for investigation.

8.4 Court orders

Courts are given broad scope to make orders remedying a detriment or threatened detriment. These include injunctions, compensation orders (including against individual employees and their employer), reinstatement, exemplary damages and the making of apologies. Civil and criminal sanctions also apply to breaches of the Whistleblower Protection Scheme. The Company encourages eligible whistleblowers to seek independent legal advice regarding compensation or other remedies.

8.5 Are there any other protections that are available?

Disclosures may also amount to the exercise of a workplace right by an employee or contractor. The Company and its employees are prohibited under the Fair Work Act 2009 (Cth) from taking adverse action against employees or contractors because they exercised or propose to exercise any workplace rights.

9. Further steps and investigation of disclosures

The Company will acknowledge receipt of a disclosure within a reasonable period, assuming the ‘eligible whistleblower’ can be contacted (including through anonymous channels). The Company will assess disclosures to determine whether:

(a) they fall within the Whistleblower Protection Scheme; and

(b) an investigation is required – and if so, how that investigation should be carried out.

Generally, if an investigation is required, the Company will determine:

(a) the nature and scope of the investigation;

(b) who should lead the investigation – including whether an external investigation is appropriate;

(c) the nature of any technical, financial or legal advice that may be required to support the investigation; and

(d) the anticipated timeframe for the investigation.

Where practicable, the Company will keep the eligible whistleblower informed of the steps taken or to be taken (or if no action is to be taken, the reason for this), and provide appropriate updates, including about the completion of any investigation. However, the extent of the information provided, or whether it will be provided at all, will be subject to applicable confidentiality considerations, legal obligations and any other factors the Company considers relevant in the particular situation.

The Company may not be able to undertake an investigation, or provide information about the process, if it is not able to contact the eligible whistleblower, for example, if a disclosure is made anonymously and the eligible whistleblower has not provided a means of contact.

Regular reporting – Where practicable, whistleblowers will receive updates about when the investigation has begun, while the investigation is in progress and after the investigation has been finalised. The frequency and timeframe of any updates may vary depending on the nature of the disclosure. The Company will ensure that any updates provided will preserve confidentiality and will not compromise the anonymity of the eligible whistleblower.

9.2 Documenting and reporting the findings of an investigation

Any method for documenting and reporting the findings will depend on the nature of the disclosure. Any reporting of findings will preserve confidentiality. There may be circumstances where it may not be appropriate to provide details of the outcome to the eligible whistleblower.

The Company is not obliged to reopen an investigation and it may conclude a review if it finds that the investigation was conducted properly, or new information is either not available or would not change the findings of the investigation. An eligible whistleblower may lodge a complaint with ASIC, APRA or the ATO, if they are not satisfied with the outcome of the Company’s investigation.

10. Support and fair treatment

The Company is committed to transparency and to building an environment in which people feel free to raise legitimate issues relating to the Company’s operations. The Company is also committed to protecting eligible whistleblowers from detriment.

When a qualifying disclosure under the Whistleblower Protection Scheme is made, the Company will reiterate the requirements of this Policy to relevant individuals to ensure the protections are not undermined.

Disciplinary action up to and including dismissal may be taken against any person who causes or threatens to cause any detriment against an eligible whistleblower.

In addition, the Company’s usual EAP services will be available to all whistleblowers and other employees affected by the disclosure, should they require that support.

The Company may also consider a range of other matters to protect an eligible whistleblower from the risk of suffering detriment. These could include:

(a) assessing whether anyone may have a motive to cause detriment—information could be gathered from an eligible whistleblower about:

(i) the risk of their identity becoming known;

(ii) who they fear might cause detriment to them;

(iii) whether there are any existing conflicts or problems in the workplace; and

(iv) whether there have already been threats to cause detriment.

(b) analysing and evaluating the likelihood of each risk and evaluating the severity of the consequences;

(c) developing and implementing strategies to prevent or contain the risks—for anonymous disclosures, it may be worthwhile assessing whether the discloser’s identity can be readily identified or may become apparent during an investigation;

(d) monitoring and reassessing the risk of detriment where required—the risk of detriment may increase or change as an investigation progresses, and even after an investigation is finalised;

(e) ensuring that:

(i) disclosures will be handled confidentially, when it is practical and appropriate in the circumstances;

(ii) each disclosure will be assessed and may be the subject of an investigation;

(iii) the objective of an investigation is to determine whether there is enough evidence to substantiate or refute the matters reported;

(iv) when an investigation needs to be undertaken, the process will be objective, fair and independent;

(v) an employee who is the subject of a disclosure will be advised about the subject matter of the disclosure as and when required by principles of natural justice and procedural fairness and prior to any actions being taken—for example, if the disclosure will be the subject of an investigation;

(f) assisting the eligible whistleblower by providing support services such as counselling services and access to resources for strategies to manage stress, time or performance impacts resulting from the investigation;

(g) allowing the eligible whistleblower (where appropriate) to perform their duties from another location or reassigning the eligible whistleblower to another role of the same level or making other modifications to the workplace or the way the eligible whistleblower performs their duties; and/or

(h) where necessary, undertaking specific interventions to protect an eligible whistleblower where detriment has already occurred including disciplinary action, extended leave for the eligible whistleblower and alternative career development and training.

If the disclosure mentions or relates to employees of the Company other than the eligible whistleblower, the Company will take steps to ensure that those individuals are treated fairly. Typically, this would include giving those persons an opportunity to respond to the subject matter of the disclosure having regard to principles of procedural fairness. In addition, action would only be taken against such a person if there is cogent evidence of wrongdoing.

11. Vexatious or false disclosures

An eligible whistleblower will only be protected if they have objectively reasonable grounds to suspect that the information that they disclose concerns misconduct or an improper state of affairs or circumstances or other conduct falling within the scope of the Whistleblower Protection Scheme.

The protections under the Whistleblower Protection Scheme will not extend to vexatious or deliberately false complaints. If any investigation of a disclosure demonstrates that it was not made on objectively reasonable grounds, it will not be protected.

Depending on the circumstances, it may be appropriate for the Company to take disciplinary action against any person who does not have objectively reasonable grounds for their disclosure. Such action may include the termination of employment.

12. Other matters

This Policy will be made available to the Company’s employees and officers via the Company’s internal HR Drive.

This Policy is not intended to go beyond the legislation. This Policy is not a term of any contract, including any contract of employment, and does not impose any contractual duties, implied or otherwise, on the Company. This Policy may be varied by the Company from time to time, including as part of any review described below.

Review of the Policy

The Company will periodically review this Policy and accompanying processes and procedures with a view to ensuring that it is operating effectively.

Training

Training on this Policy forms part of the induction process for new employees and refresher training for existing employees may be offered from time to time. Specialist training will be provided to staff members who have specific responsibilities under the Policy, including the Company’s processes and procedures for receiving and handling disclosures, including training relating to confidentiality and the prohibitions against detrimental conduct.

RatifyID’s Privacy Notice

Last Updated: 8th September 2023

1. Introduction

Welcome to RatifyID (“we,” “our,” or “us”). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Notice explains how we collect, use, share, and protect your personal information when you interact with us through our website, products, services, or other channels. Please take a moment to review this notice to understand your rights and choices regarding your data.

2. Information We Collect

We may collect and hold the following types of personal information and sensitive information:

  • Name
  • Address
  • Email
  • Phone number
  • Date of birth
  • Nationality
  • Government-related identifiers (e.g., license, passport)
  • Fraud indicators
  • Information from scanned ID documents or facial images
  • Biometric data (used only for authentication)
  • Device and web log information
  • Behavioural data related to app usage
  • Any other data necessary for your interactions with us

3. How We Use Your Information

Personal and Sensitive information

We use personal and sensitive information depending on your relationship with us and the services you require. This includes:

  • Enabling website and app access
  • Providing verification services
  • Preventing fraud
  • Enhancing user experience (using non-personal data for algorithm training)
  • Improving systems and aiding fraud detection (without using behavioural data for training or selling)
  • Sending service-related messages
  • Legal compliance and dispute resolution
  • Authenticating and storing biometrics (until consent revocation)

Providing Verification Services for Our Relying Partners

In delivering verification services for our relying partners, your personal data may be collected from them or another source. We maintain transparency by informing you of:

  • Name of the Relying partner or individual: You will be informed of the source from which your personal information is requested.
  • Purpose of Disclosure: We will clearly communicate the purpose for which your information is being disclosed to us. This information is essential to maintain transparency and trust in our data collection practices.

Rest assured that we handle the personal information obtained from these sources with the same level of care and security as any other data we collect, as outlined in the RatifyID Privacy Policy.

Biometric Data Collection and Disclosure

We follow TDIF (Trusted Digital Identity Framework) guidelines to protect privacy and security.

  1. Obtain express consent before collecting, using, or disclosing biometric information.
  2. Biometric data is used solely for authentication and is destroyed when consent is revoked.
  3. Maintain records of biometric data destruction.
  4. We do not perform one-to-many matching with biometric data.

Other Circumstances for Disclosure

  1. Business Transactions: In mergers, acquisitions, or asset sales, your data may be transferred with notice.
  2. Detecting and investigating digital identity fraud or fraudulent activity.
  3. Law Enforcement: We may disclose information as required by law or valid public authority requests.
  4. Other Legal Requirements: When necessary to comply with legal obligations, protect rights, safety, prevent wrongdoing, or liability.

This summary provides a concise overview of how we use and protect your information. For more details, please refer to our full Privacy Policy.

4. To whom do we disclose your personal information?

We may share personal information (excluding sensitive or biometric data) for the following purposes:

  • With companies within Makesure Consulting Pty Ltd.
  • With our clients and third parties when verifying your identity is necessary to access their products/services. We do not sell your data.
  • With our employees and contractors for product management and service provision.
  • With third-party suppliers and service providers for document verification and website/business operation.
  • With specific third parties authorized by you.
  • For legal compliance, including court orders, investigations, regulatory bodies, law enforcement, and insurance claims as required or permitted by law.

5. Overseas transfer of personal and sensitive information

We may share your information with overseas recipients for specific purposes. Our website developers in Romania have access to personal data but adhere to contract obligations, the Privacy Act 1988 (Cth), and Australian Privacy Principles.

Furthermore, personal information won’t be transferred or stored overseas; it remains in Australia, including backups. Data stays within RatifyID servers, strictly controlled by RatifyID to restrict access as needed.

6. Security

We take the security of your personal information seriously and have implemented reasonable measures to protect it.

RatifyID undertakes the following actions:

Sensitivity of Personal Information

  • We categorize the personal data we collect into sensitivity levels, differentiating between types of information such as personal, sensitive, and biometric data.
  • We employ enhanced security measures for extremely sensitive data, encompassing encryption, access controls, and routine security evaluations.
  • We carry out privacy impact assessments to assess and mitigate the risks associated with the handling of sensitive information.
  • We provide our staff with training to ensure they can identify and manage sensitive information correctly.

Possible Adverse Consequences

  • We perform an extensive risk evaluation to pinpoint potential negative outcomes for individuals, including risks like identity theft, financial loss, or harm to one’s reputation.
  • We create incident response protocols to swiftly manage potential negative outcomes should a data breach occur.
  • We introduce supplementary security measures, such as intrusion detection systems and continuous real-time monitoring, for data that presents an elevated risk of detrimental consequences.
  • We consistently assess and revise our risk assessment in response to evolving circumstances and emerging threats.

Special Needs of Individuals

  • We present alternative avenues for individuals to grant consent or assert their privacy rights, such as chat support.

7. RatifyID Privacy Policy

Please refer to our Privacy Policy for details on accessing and correcting your information, obtaining consent, the procedure for filing privacy-related complaints, and the storage of information.

8. Cookies and Similar Technologies

We use cookies and similar technologies to enhance your online experience. You can manage your cookie preferences through your browser settings.

9. Updates to this Privacy Notice

We may update this Privacy Notice from time to time. The latest version will be posted on our website with the revision date.

10. Contact Us

If you have questions, concerns, or requests related to your privacy, please contact us at:

Privacy Officer
Email: privacy@ratifyid.com
Address: 5/26-36 High Street Northcote Vic 3070
Effective Date: 23 May 2023

Date of Last Revision: 8th September 2023