Rio Tinto is a leading international mining group headquartered in the UK, combining Rio Tinto plc, a London and New York Stock Exchange listed company, and Rio Tinto Limited, which is listed on the Australian Securities Exchange. The two companies are joined in a dual listed companies structure as a single economic entity, called the Rio Tinto Group.
- Rio Tinto’s Data Privacy Standard which includes 12 Data Privacy Principles that apply whenever and wherever Rio Tinto collects and processes personal data; and
- Online privacy and cookies statement, which sets out additional information about your privacy if you use this website.
A Glossary has been included at the end of the Standard which defines key terms (in red).
Questions and contact information
If you have any questions or complaints about your privacy or wish to exercise your rights as a data subject, please refer to Data Privacy Principle 9 in the Data Privacy Standard and:
- contact the data privacy co-ordinator for your Rio Tinto Group business;
- contact your local Rio Tinto office; or
- email us at email@example.com. Your correspondence will be forwarded to the Rio Tinto data privacy co-ordinator for the relevant business unit within Rio Tinto.
Data privacy standard
What does this Standard do?
The Data Privacy Standard sets out the minimum rules (Data Privacy Principles) that apply whenever and wherever Rio Tinto collects and processes personal data. Note that:
The Data Privacy Principles reflect the common principles and requirements under data privacy laws (sometimes known as data protection laws or privacy laws) in the countries where Rio Tinto operates.
Why is compliance with this Standard important?
At Rio Tinto, the lawful and correct handling of personal data is critical. At its simplest, people need to be able to trust us to respect their privacy and how we handle their personal data when working with us or doing business with us.
In addition, we need to comply with privacy and data protection laws around the world. Applying the Data Privacy Principles in this Data Privacy Standard helps us to do this.
Who does this Standard apply to?
This Standard applies to everyone who works for Rio Tinto, and to each Rio Tinto Group business. We must comply with the Data Privacy Principles and also with local laws that apply to the processing of personal data. If there is a conflict between the requirements under the Data Privacy Principles and local laws, you should comply with the most stringent requirement. Your Data Privacy Co-ordinator, Rio Tinto Compliance or Rio Tinto Legal can advise you if you’re unsure. Any variance from the Data privacy standard must be approved by the Global Head of Compliance.
Where can I obtain more information?
More detailed guidance on data privacy is available in the Rio Tinto Data Privacy Manual. This is a “how to” guide that has been developed for Data Privacy Co-ordinators and other Rio Tinto staff who process personal data as part of their job, or who need a more detailed understanding of data privacy at Rio Tinto.
If you have questions about data privacy at Rio Tinto, you should contact the Data Privacy Co-ordinator for the Group business that you work for or deal with. A listing of Data Privacy Co-ordinators is available from the data privacy page on the Prospect portal (Compliance community). If you are external to Rio Tinto or have a data privacy question, you can send an email to firstname.lastname@example.org.
Data privacy principles
The following Data Privacy Principles reflect the minimum rules that apply to the collection and processing of personal data at Rio Tinto.
Data Privacy Principle 1: We limit our processing of personal data
We must only collect, use, disclose, store and otherwise process personal data for specific and limited purposes. In particular, we can only process personal data:
- for the legitimate business purpose we collected it for (eg as explained in a collection notice);
- for a related purpose(s) that the data subject would reasonably expect;
- for other purposes that the data subject (the person that the data relates to) consents to; or
- if the processing is required in order to comply with our legal obligations.
We can’t process personal data unless this test is satisfied.
A stricter test applies when sensitive information is processed (see Data Privacy Principle 5: We are careful with sensitive information and Government-issued numbers).
Data Privacy Principle 2: Our collections are lawful and fair and we only collect what we need
Our collections of personal data need to be lawful, fair and necessary for a specific, legitimate business purpose. We must collect only that amount of personal data that we need in order to conduct business. Personal data collections must not be excessive.
Data Privacy Principle 3: We are open about what we collect
If we need personal data, we will, where practicable, collect it directly from the data subject.
We will notify data subjects that we’re collecting their personal data, by providing a collection notice either when personal data is collected, or as soon as possible afterwards.
A general overview of the types of personal data collected by Rio Tinto, the purposes of collection and how personal data is stored, can be viewed in Appendix 1.
Data Privacy Principle 4: We check data quality
When we collect and process personal data, we should take reasonable steps to ensure that the personal data is accurate, complete and up to date.
There are risks for both Rio Tinto and data subjects if we use inaccurate, incomplete or out of date personal data, particularly if it is relied upon to make decisions that affect data subjects. The more sensitive the data, the greater the risk to the data subject if poor quality personal data is used or disclosed.
Collecting personal data directly from the data subject (under Data Privacy Principle 3: We are open about what we collect) is a way to ensure the quality of personal data. If we intend to use personal data that is of the type that can change over time, its currency and accuracy should be checked.
Data Privacy Principle 5: We are careful with sensitive information and Government-issued numbers
Sensitive information is a type of personal data that is of a particularly private nature and includes (among other things) personal data about a person’s race, ethnic origins, trade union membership and health information.
We must ensure that sensitive information is collected only when absolutely necessary and only if:
- the data subject consents; or
- the collection is:
  - required by law;
  - necessary to prevent or lessen a serious and imminent threat to the life, health or safety of any person; or
  - necessary for legal proceedings.
We can only process sensitive information for the purposes notified to the data subject (when we obtained consent) or for the other specific purposes listed above.
Government-issued numbers also need to be processed with care, as their collection, use and disclosure is strictly regulated in a number of Rio Tinto countries (for example, tax file numbers in Australia and social security numbers in France and Canada). We must only process Government-issued numbers as permitted under local laws.
We must never use a Government-issued number (in relation to a data subject) as the basis for how we organise personal data about a data subject. Government-issued numbers should not be our only way of identifying a data subject.
Data Privacy Principle 6: We take care when we share personal data
We must ensure that our disclosures of personal data are adequately protected and lawful. This is summarised below; but if you have questions please contact your Data Privacy Co-ordinator.
Disclosures outside the Rio Tinto Group
If we need to disclose personal data outside the Rio Tinto Group (for example, to an external service provider), we must ensure that:
- the disclosure is protected by contractual data privacy clauses approved by Rio Tinto Compliance or Rio Tinto Legal; or
- the relevant data subjects have consented to the disclosure.
Rio Tinto Compliance or Rio Tinto Legal should also confirm if disclosures are required by law.
Disclosures within the Rio Tinto Group
Disclosures within the Rio Tinto Group are protected by the Rio Tinto Data Transfer Deed. Company secretarial and each Group business need to ensure that new companies sign up to the Data Transfer Deed.
As a global company, we need to disclose personal data across national borders. However we must ensure such disclosures comply with data privacy laws.
More information about the countries where Rio Tinto operates, and the location of key external service providers (data processors) can be viewed in Appendix 2.
Data Privacy Principle 7: We must secure personal data
Personal data must be kept secure from unauthorised access, loss, destruction, misuse, modification or disclosure. This applies to personal data whether in hard copy form (eg paper) or in electronic form (eg in databases). The key rules are:
- access to personal data about other people should be on a “need to know” basis only; and
- each Group business must implement the Rio Tinto Information security standards (administered by Global security) to ensure that appropriate physical, technical and organisational security measures are in place at all stages of the personal data ‘life cycle’.
Data Privacy Principle 8: We don’t keep personal data forever
Personal data must be kept only for as long as it is needed for proper business purposes, or for the time required or permitted under local laws (whichever is the shorter). After such time, records containing personal data must be securely destroyed (in the case of physical records) or permanently deleted (in the case of electronic records).
Data Privacy Principle 9: We respect data subject rights
Data subjects have the right to:
Exceptions can apply in the case of access and correction rights, and Rio Tinto will review each request on a case by case basis.
More information about how data subject rights can be exercised (and relevant procedures) can be viewed in Appendix 3a.
Under some data privacy laws Rio Tinto is required to give data subjects the option of remaining anonymous or using a pseudonym (if practicable). More information can be viewed in Appendix 3c.
Data Privacy Principle 10: We are accountable for compliance
Each Group business must appoint at least one person to act as its Data Privacy Co-ordinator, and notify Rio Tinto Compliance when such appointments are made.
The Data Privacy Co-ordinator should be the first point of contact for data privacy questions from the Group business that she or he represents.
The Data Privacy Co-ordinator is accountable for data privacy compliance by the Group business they represent, and should have an understanding of the personal data processing that is carried out by that Group business. Data Privacy Co-ordinators must have sufficient authority and resources to conduct their duties under the Data privacy standard.
Everyone at Rio Tinto who processes personal data must comply with the Data privacy standard, and is accountable for compliance with data privacy laws. If you have questions about data privacy, ask your Data Privacy Co-ordinator.
Data Privacy Principle 11: We train our people
Everyone at Rio Tinto who processes personal data as a significant part of their role should receive data privacy training and be provided with information about how to access this Data privacy standard. Data Privacy Co-ordinators should receive additional training designed for their role. Training will be provided by Rio Tinto Compliance and must be completed as directed by Rio Tinto Compliance. More information is available in the Data Privacy Manual.
Data Privacy Principle 12: We don’t spam
One way we limit how we process personal data is to limit how we use personal data to send marketing communications. This is a broad term (reflecting the approach under anti-spam legislation in countries where Rio Tinto operates), but does not include Rio Tinto communications to staff.
All marketing communications (however distributed) must:
- clearly identify the relevant Group business or Group company as the sender, and how it can be contacted;
- be sent with the consent of the recipient/data subject (which may be able to be implied from an existing business relationship or shareholding);
- contain an unsubscribe or opt out facility. Opt outs must be acted upon and records amended accordingly.
Breaches of Data privacy standard
Breaches of the Data privacy standard or local data privacy laws may be reported to:
- your manager or supervisor;
- your local compliance manager or your Data Privacy Co-ordinator;
- a Rio Tinto lawyer;
- Rio Tinto Compliance; or
- via Speak-OUT
Breach reports need to be immediately brought to the attention of the Data Privacy Co-ordinator for the relevant Group business and Rio Tinto Compliance. Rio Tinto Compliance will work with the Data Privacy Co-ordinator plus the compliance manager for the Group business, Rio Tinto Legal and Global security to respond to the identified breach.
Review of Data privacy standard
This Standard will be reviewed at least once every three (3) years.
Collection notice: a notice that needs to be provided to data subjects when we collect their personal data, or as soon as possible thereafter. More information about what we need to include in collection notices can be viewed in Appendix 4.
Data Privacy Co-Ordinator: a person appointed under Data Privacy Principle 10.
Data Privacy Principles: the principles in the Data Privacy Standard that Rio Tinto Group companies and staff must apply when processing personal data.
Data subject: the individual to whom personal data relates.
Group business: includes all companies, product groups, business units, global functions and corporate offices in the Rio Tinto Group.
Legitimate business purpose: a purpose that is directed at Rio Tinto achieving its business objectives and that complies with all relevant laws and regulations.
Marketing communications: means communications and publications that have a purpose of marketing or promoting Rio Tinto or its products, but does not include staff communications.
Personal data: all information relating to any identifiable individual (whether living or deceased).
Processing: all actions taken in relation to personal data including collecting, using, disclosing, recording, organising, storing, transferring, amending, deleting, destroying, retrieving, accessing, hosting or otherwise handling.
Rio Tinto Data Transfer Deed: the deed executed between Rio Tinto Limited and Rio Tinto plc on 1 July 2009 (as amended from time to time) and to which Rio Tinto Group companies are bound under executed Deeds of Accession.
Rio Tinto Group: all the businesses which are wholly or majority owned or managed by Rio Tinto plc or Rio Tinto Limited (whether directly or indirectly).
Sensitive information: personal data (including information or an opinion) about an individual’s racial or ethnic origin, political opinions and memberships, religious or philosophical beliefs or associations, trade union membership, criminal record, health or the health services they have received or details of sexual life.
Overview of personal data collections and processing
Rio Tinto collects and processes personal data for a range of business purposes, including:
- Managing human resources: Personal data about employees and prospective employees and contractors is collected for HR purposes. This will include identity and contact information, information about employment history, training and qualifications, information required to pay salaries, compensation and other benefits, performance information;
- Managing business relationships with customers, suppliers and other external “stakeholders”. Personal data about individuals (data subjects) within external organisations is collected for ordinary business purposes such as supplying goods or acquiring services, entering into and fulfilling contracts and for communications purposes. This is usually limited to ‘business contact’ information;
- Managing shareholder relationships: Personal data from shareholders is collected for purposes related to their shareholding in Rio Tinto, including for the purposes of issuing or transacting in shares, paying dividends, regulatory reporting and shareholder communications. This personal data may include a shareholder’s name, address, shareholding details, tax file number, and bank account details. Shareholder personal data is collected by Rio Tinto and, on our behalf, by the external manager of our share register. From time to time this data may be provided to other external service providers for the purposes of paying distributions or mailing shareholder communications, or to the extent permitted by legislation to authorised securities brokers, persons inspecting the register, bidders for Rio Tinto’s securities, or certain regulatory bodies including the Australian Taxation Office;
- Safety, security and legal obligations: Personal data is collected from visitors to our sites for safety and security purposes. This can include collection of images by closed circuit television (CCTV). Rio Tinto also collects personal data in the course of complying with its legal obligations (for example, to meet obligations under anti-money laundering legislation and whistleblowing legislation); and
- Managing community relationships: Personal data is collected from members of communities where Rio Tinto conducts mining and other operations, for the purposes of engaging and interacting with those communities.
Rio Tinto collects personal data directly from data subjects wherever possible.
Personal data may be stored in Rio Tinto’s local systems or databases, in the Rio Tinto Business Solution (a SAP system that is hosted in Australia), or on infrastructure owned and operated by external service providers engaged by Rio Tinto. Where external service providers are engaged to assist Rio Tinto to process personal data, Rio Tinto requires such service providers to comply with contractual privacy and data protection obligations and applicable data privacy laws.
[Privacy Act 1988: Australian Privacy Principle 1.4(a) and (b) and (c)]
An overview of Rio Tinto’s global operations and the countries where it operates can be viewed on the Our business page.
This explains where each of the Rio Tinto product groups operates, on a “country by country” basis.
If you are employed or engaged by or have business dealings with a particular Rio Tinto product group, your personal data may be exchanged between Rio Tinto Group companies that are in the countries listed for that product group.
Also, your personal data may be processed by Rio Tinto “shared services” companies and external service providers that provide services to the Rio Tinto Group in one or more of the following countries:
- Rio Tinto companies performing “shared services” are located in the following countries: Australia, Canada, India, Singapore, South Africa, the United Kingdom and the United States.
- External service providers that assist the Rio Tinto Group to perform HR and other shared service functions, and which process personal data on behalf of one or more companies in the Rio Tinto Group are located in: Australia, Canada, India, Malaysia, the Philippines, Poland, the United Kingdom and the United States.
Shareholder personal data is processed in Australia and the United Kingdom by Rio Tinto and by the external manager of our share register.
[Privacy Act 1988: Australian Privacy Principle 1.4(f) and (g)]
Data subject rights and complaints
a. General data subject rights
Please complete a Data subject request form if you wish to exercise your rights to:
- seek access to personal data that Rio Tinto holds about you;
- seek correction of inaccurate, incomplete or out of date personal data;
- be provided with information about how your personal data is processed; or
- request processing of your personal data to cease (eg if the processing is likely to cause damage or distress, or if the processing is for direct marketing purposes).
Your request will be forwarded to the Data Privacy Co-ordinator for the Group business that you work for or deal with. A list of Data Privacy Co-ordinators is available at http://compliance.riotinto.org/dpc.asp or if you are external to Rio Tinto, from the Group business that you deal with. Data Privacy Co-ordinators can also provide you with the Data subject request form. Rio Tinto will aim to respond within 30 days of receipt of information required to process the request (or otherwise as required under local laws).
If you wish to make a complaint about the processing of your personal data, you can do so:
- by completing a Data subject request form;
- through Group business channels (eg by providing your complaint directly to the general manager of the Group business that you deal with); or
- through Speak-OUT.
Data Privacy Co-ordinators are responsible for investigating and responding to complaints, unless the complaint is about the Data Privacy Co-ordinator’s processing of personal data. In such circumstances, Rio Tinto Compliance or Rio Tinto Legal will investigate and respond to the relevant complaint. If you are not satisfied with how your complaint has been addressed, complaints may be made to the data privacy regulator or data protection authority in your country.
[Privacy Act 1988: Australian Privacy Principle 1.4(d) and (e)]
c. Anonymity and pseudonyms
Data Privacy Principle 9 refers to the fact that under some data privacy laws, data subjects need to be given the option of remaining anonymous or using a pseudonym when they deal with a company. Having regard to the purposes that Rio Tinto undertakes data processing (as described earlier), generally this will not be practicable as Rio Tinto needs to know the identity of the person it is hiring or doing business with. However, if there are circumstances where anonymity or the use of pseudonyms is practicable, this will be indicated on forms used to collect personal data (eg indicating that names and addresses are optional).
A collection notice must explain:
- the identity of who is collecting personal data and how they can be contacted;
- the purposes the personal data is collected for;
- whether personal data will be shared with anyone else;
- that the data subject has rights of access and correction;
- if the collection of the personal data is a legal requirement;
- what happens if personal data isn’t collected; and
- if the personal data is likely to be disclosed to recipients in other countries (and specifying the countries where the data recipients are located, if practicable).