Responsible AI and Privacy Policy

Document control: approved by the Shepherd Thomas Directors on 22 July 2025. Next scheduled review: July 2026 or upon commencement of the Privacy Act reforms, whichever is earlier.

1. Purpose and Scope

This Policy sets out how Shepherd Thomas Pty Ltd ("Shepherd Thomas", "we", "us", "our") governs:

  • Responsible Artificial Intelligence (AI) — the development, procurement, and use of AI systems in our own operations and in client engagements; and
  • Privacy & Data Protection — the collection, use, disclosure and security of personal information obtained through our website (https://www.shepherdthomas.com) and in the course of consulting services.

The Policy replaces and supersedes our previous Privacy Policy dated 13 March 2025.

2. Our Commitments

Principle / What it means in practice

Lawfulness & Fairness
  We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and other applicable laws (e.g. consumer and anti-discrimination law).

Human-Centred & Proportionate AI
  We align with Australia's eight AI Ethics Principles and the ten guardrails of the Australian Government's Voluntary AI Safety Standard.

Transparency & Contestability
  Where an AI system contributes to a decision that has a material effect on an individual, we disclose that fact in plain English and provide a simple way to request human review, meeting the forthcoming Privacy Act transparency reforms.

Privacy-by-Design
  We minimise personal data, de-identify where feasible, and never feed sensitive personal information into public generative-AI tools without a lawful basis.

Security & Reliability
  We maintain technical and organisational controls (access restrictions, encryption in transit and at rest, model-version control, regular vulnerability assessments) to guard against unauthorised access, data poisoning and model drift.

Accountability
  The Directors retain ultimate responsibility. Day-to-day oversight sits with our Responsible AI Lead (contact details in Section 12).

3. How We Use AI

Use case / Description / Safeguards

Internal productivity tools
  Description: Generative assistants for research notes, draft copy and code snippets.
  Safeguards: Tools are configured to exclude client-confidential or identifiable personal data; human review before any external release.

Client deliverables
  Description: Prototype chatbots, risk-scoring models, survey analytics.
  Safeguards: Project-specific risk assessment; client sign-off; option for client-hosted deployment; clear documentation of data sources and model limitations.

Website features
  Description: Lightweight ML for spam-filtering contact forms and measuring engagement.
  Safeguards: Outputs do not make automated decisions about visitors; cookie notice provided (Section 6).

We do not deploy "high-risk" AI (e.g. facial recognition, biometric inference, social scoring) without Directors' approval, a detailed impact assessment and controls aligned with ISO/IEC 42001:2023 (AI Management System) guidance.

4. What Information We Collect

Category / Examples / Source

Contact & Professional Details
  Examples: Name, email, phone, job title, organisation.
  Source: Directly from you (forms, email, meetings).

Engagement Data
  Examples: Information you supply during workshops, interviews or uploads. May include documents that contain personal information of your staff or customers.
  Source: You or your authorised representatives.

Website & Analytics Data
  Examples: IP address, device type, pages visited, time on site, referring URL.
  Source: Cookies and analytics scripts.

Publicly Available & Third-Party Data
  Examples: LinkedIn profile, industry reports, government filings relevant to consulting analysis.
  Source: Public sources or reputable data providers.

We do not intentionally collect sensitive information (e.g. health data, racial origin) unless expressly required for a project and with explicit consent.

5. How We Use Information

  • To deliver, improve and support our consulting services.
  • To respond to enquiries and schedule meetings.
  • To analyse website performance and optimise content.
  • To send insights or marketing material only where you have opted in (you may unsubscribe any time).
  • To comply with legal obligations and protect our rights.

We do not sell or rent personal information.

6. Cookies & Similar Technologies

Our site uses first-party cookies for essential functionality and Google Analytics for aggregated usage statistics. You can refuse or delete cookies via browser settings; the site will still function but certain features may be limited.

7. Automated Decision-Making Transparency

Where personal information is used in solely automated decision-making that has a significant effect on an individual (we do not currently do this), we will:

  1. State this clearly at the point of collection.
  2. Provide meaningful information about the logic involved.
  3. Offer a simple, free mechanism to obtain human review of the outcome.

These steps align with incoming Privacy Act amendments on automated decision transparency.

8. Data Security & Retention

Security controls: MFA on all cloud systems, role-based access, encryption in transit and at rest, regular backups, and security reviews of vendors.

Retention periods:

  • Client project files: 7 years after project closure (professional record-keeping).
  • Marketing contacts: until you unsubscribe or two years of inactivity.
  • Analytics logs: 26 months, then deletion or aggregation.

Breach response: we follow the OAIC's Notifiable Data Breaches (NDB) scheme; where the scheme requires it, affected individuals and the OAIC will be notified as soon as practicable.

9. Meeting Recordings & Transcripts

Shepherd Thomas sometimes records online workshops or interviews to improve accuracy of minutes and analysis. We apply the following strict rules:

Commitment / Operational detail

Consent first
  We only start a recording when every participant has been clearly informed and has given affirmative consent. If consent is withheld, no recording occurs and we revert to real-time note-taking instead.

Controlled access
  Raw audio/video files and AI-generated transcripts are stored securely in folders with access restricted to Shepherd Thomas staff.

Short retention window
  Recordings and transcripts are deleted at the earlier of: (a) formal close-out of the client engagement; or (b) a written request from any participant or the client's project lead.

Same rights & protections
  Transcripts are treated as personal information under this Policy. All rights in Section 11 (access, correction, objection, human review, complaint) apply in full, together with the deletion-on-request commitment above.

10. International Data Transfers

Our primary systems are hosted in Australia; some providers (e.g. Microsoft 365, Atlassian, OpenAI) store or process data in the United States, the EU or other jurisdictions. We rely on contractual safeguards and provider certifications (ISO/IEC 27001, SOC 2, and ISO/IEC 42001 where available) to ensure comparable protection.

11. Your Rights

Under the APPs you may:

  • Access the personal information we hold about you;
  • Request correction if it is inaccurate or incomplete;
  • Object to certain processing (e.g. marketing);
  • Seek human review of significant automated decisions; and
  • Complain if you believe we have mishandled your information (see Section 12).

We will respond within 30 days of receiving your request.

12. Governance, Complaints & Contact

Responsible AI Lead & Privacy Officer

Barry Thomas, Director
Email: info@shepherdthomas.com

Complaints process

  1. Write to the officer above detailing your concern.
  2. We will acknowledge receipt within 5 business days and investigate.
  3. If unresolved, you may escalate to the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au.

13. Review and Updates

We review this Policy at least annually or when significant changes occur in legislation, standards, or our operations. Updated versions will be posted on our website with a revised "Last updated" date.