Supplier Information Security & Privacy Assurance Statement

Status: v1.0
Tier: Tier 1 – Core Corporate & Platform Policy
Owner: Governance and Compliance Function
Approval Authority: Board of Directors
Effective Date: 5 January 2026
Next Review: 12 months from approval

Purpose

This statement explains how Global Talent Pathway manages information security and privacy risks arising from suppliers, service providers, agents, and partners (“Suppliers”).

It provides assurance to government agencies, enterprise clients, and other stakeholders that third-party risks are actively governed.

Scope

This statement applies to Suppliers who:

  • access Global Talent Pathway systems or data,

  • process personal or sensitive information on behalf of Global Talent Pathway, or

  • provide services that may affect the confidentiality, integrity, or availability of information.

Supplier Due Diligence

Before engagement, Suppliers are subject to proportionate due diligence based on risk, including assessment of:

  • information security and privacy practices,

  • the nature and sensitivity of information involved,

  • geographic location and subcontracting arrangements, and

  • incident history and operational maturity.

Higher-risk Suppliers are subject to enhanced review.

Contractual Requirements

Suppliers processing information on behalf of Global Talent Pathway are required to:

  • use information only for authorised purposes,

  • implement reasonable administrative, technical, and physical security controls,

  • restrict access to authorised personnel,

  • comply with applicable privacy and data protection laws,

  • notify Global Talent Pathway promptly of security incidents or data breaches, and

  • cooperate with investigations, remediation, and regulatory notifications.

Access and Use Controls

Supplier access to systems or data is:

  • limited to what is necessary to perform agreed services,

  • granted through controlled access mechanisms, and

  • reviewed and removed when no longer required.

Unauthorised use or disclosure is prohibited.

Cross-Border Processing

Where Suppliers are located outside Australia or use offshore infrastructure, Global Talent Pathway takes reasonable steps to ensure:

  • contractual safeguards apply,

  • protections consistent with Australian Privacy Principle 8 are maintained, and

  • accountability for information handling is preserved.

Monitoring and Assurance

Supplier compliance may be monitored through:

  • attestations or reviews,

  • incident and performance reporting, and

  • audit or assurance activities proportionate to risk.

Corrective actions may be required where deficiencies are identified.

Incident Management

Suppliers must immediately report incidents affecting Global Talent Pathway information.

Incidents are managed in accordance with the Data Breach Response Procedure.

Governance Alignment

This statement operates alongside:

  • the Workforce Privacy Policy,

  • the Information Security Policy, and

  • the Data Breach Response Procedure.

Together, these documents define Global Talent Pathway’s third-party security and privacy governance.