ICT Services Privacy Statement

Overview

Background

Shoal Group Pty Ltd (Shoal) has significant investment in Microsoft Cloud Services to support our business operations. Access to these services, or subsets of these services, are provided to our clients and business partners as needed to enable collaboration between distributed individuals or teams.

Shoal employs External Identities to grant collaborators access to our ICT infrastructure. External Identities allow authorised individuals to use their personal (Microsoft Account), or business (Azure AD B2B) accounts within our ICT infrastructure.

Purpose of This Statement

The information contained on this page aims to inform users of Shoal’s ICT infrastructure about data collection, storage, and usage, access, disclosure and security.

Application of This Statement

The information contained on this page is applicable to any collaborator using Shoal’s ICT infrastructure that are either provided directly by Microsoft or third parties that are configured to use authentication services provided by Microsoft.

Data Collection

When is data collected?

Each time a user signs into Shoal’s ICT infrastructure a sign-in event is automatically logged. Information may be updated regularly throughout a session until the user logs out of the service.

What data is collected?

Some, or all, of the following information is collected and stored by Microsoft on behalf of Shoal at the beginning or during a session.

  • Date & time
  • Request ID (unique ID generated by Microsoft)
  • User name (First and surname)
  • Username (email address that is registered against the account)
  • Application accessed (e.g. Exchange, Teams, SharePoint, Office Web client, etc.)
  • Status (e.g. Success, Failure)
  • IP address (the public IP address of the internet service being used at the time of the user’s action)
  • Location (rough estimate of user’s location, including city/suburb, state and country)
  • Resource (specific resource/function in relation to Application)
  • Resource ID (unique ID generated by Microsoft)
  • Client app (app or protocol, e.g. “browser”, “mobile app”, IMAP, POP, etc.)
  • Operating system (e.g. Windows 10, iOS, MacOS, Android)
  • Web browser (e.g. Chrome, Safari, Edge). Version may be included
  • Correlation ID (unique ID generated by Microsoft)
  • Conditional Access result (e.g. was the connection request allowed/denied based on Shoal access policy)
  • Alternate sign-in name (usually email address)
  • Token issuer name (part of authentication service)

What data is not collected?

Signing in with an External Identity to Shoal’s ICT services doesn’t grant Shoal, its staff or ICT Administrators access to data stored in any accounts associated with the External Identity (e.g. OneDrive, SharePoint).

Why is data collected?

Data is automatically collected by Microsoft in order to provide the requested services and provide Shoal’s Administrators with a means to troubleshoot and secure Shoal’s infrastructure. The recording of data can not be disabled.

Data Storage

Where is data stored?

Sign-in data is stored within Microsoft’s Azure cloud. Shoal has requested this data be stored within Microsoft’s Australian data centres.

How long is data stored?

Sign-in data is stored for 30 days from the sign-in event, as documented by Microsoft here. Data may be retained for longer periods where this data is transferred to Shoal’s Log Analytics database.

Data Usage, Access, Disclosure & Security

Collected data is only accessible by a specific group of Shoal users (either full-time staff or contractors) with high-level administrative privileges. The data is only used for troubleshooting or security purposes by Administrators. Data is only ever revealed to non-administrative Shoal staff when required for further troubleshooting or security reviews. Data is never sold to third parties or shared with parties outside of Shoal, with the exception of contractors hired by Shoal to administer ICT systems.

More Information

Where Shoal uses Microsoft Cloud Services, Microsoft’s Privacy Statement may also apply.

Questions and Requesting a Copy of Your Data

For all enquiries, please email [email protected].