RT Contractor Privacy Statement
This Contractor Privacy Statement has been prepared for Contractors engaged by Rio Tinto Group
companies (Rio Tinto). Contractors are not Rio Tinto employees - ‘Contractors’ and other terms used
in this Contractor Privacy Statement are defined in the Glossary in section 8.
If you are a Contractor to Rio Tinto, this Contractor Privacy Statement explains how Rio Tinto and its
external service providers collect, use, disclose, access, store and otherwise process your personal
data to manage your engagement with Rio Tinto and for the other purposes explained in section 3.
The amount and extent of personal data collected about you will depend on whether you are:
a) a Category 1 Contractor, or
b) a Category 2 Contractor or a Category 3 Contractor.
For an overview of personal data collected by Rio Tinto, see the Contractor Personal Data Categories
document appended to this Statement or on the data privacy page on Element. The list of Contractor
Personal Data Categories may be updated from time to time to reflect current practices.
Rio Tinto processes personal data about its Contractors for three key business purposes:
• To administer and manage Contractor engagements;
• To pursue Rio Tinto’s legitimate business interests in relation to Contractor engagements; and
• To meet legal, regulatory and compliance obligations.
If Rio Tinto cannot collect this personal data about you from you or your employer, this may raise issues
for your ongoing engagement as a Contractor with Rio Tinto.
Pursuing Rio Tinto’s legitimate business interests in relation to your engagement may include:
• Sharing your information with external service providers that assist Rio Tinto to conduct its
business, to perform its functions or to operate its systems (for example, IT hosting and IT
maintenance and support);
• Protecting the business against loss and fraud, and preventing and detecting crime;
• Monitoring and managing conflicts of interest;
• Providing information to potential or actual purchasers of any part of the business;
• Training and improving internal processes, procedures and electronic systems (including the
testing of these improvements);
• Facilitating internal company communications;
• Monitoring use of Rio Tinto electronic resources and communications systems in accordance with
the Group Standard for Acceptable Use of Information and Electronic Resources, which may
include email correspondence and use of the internet (to the extent permitted by local laws);
• Where applicable, monitoring the proper conduct of procurement processes, the use of corporate
credit cards and booking of business travel in line with Rio Tinto’s Group policies and standards,
including through data analytics described in such policies and standards;
• Implementing health and safety processes (such as Critical Risk Management - CRM) and analysis
of health and safety risks. See also section 4 on the processing of sensitive information.
Some of the data processing activities described above will involve the processing of sensitive
information, such as health information. Sensitive information will be processed where necessary for
Rio Tinto to meet legal or contractual obligations in connection with your engagement, to ensure safety
on its sites, or to address a health and safety emergency. By providing sensitive information you are
understood to agree to Rio Tinto and its service providers processing it for these purposes. Additional
information about data processing purposes will be provided when sensitive information is
collected from you.
The personal data which a Rio Tinto Group company holds (including any sensitive information) may,
for the purposes detailed above, be transferred by or on behalf of that company to other Rio Tinto Group
companies, external service providers or other third parties that are described above.
This may mean that your personal data is transferred across national borders, including to recipients in
countries that do not have data privacy legislation that is equivalent to that in the country where you are
located or where your personal data may be accessible by government agencies. In such
circumstances, to protect data transfers across national borders (or out of the European Economic
Area), the Rio Tinto Group puts in place contractual clauses intended to ensure an adequate level of
protection. By providing your personal data, you are also understood to consent to any such transfers.
The Data Privacy Standard contains information about the countries where Rio Tinto operates and the
locations of its key external service providers.
Personal data will only be processed for as long as this is required for the purposes it was collected for,
or for the time required or authorised by law. Questions about Rio Tinto’s Records Retention Procedure
should be directed to Group Ethics & Integrity (contact details below).
You have the right to seek access to the personal data that Rio Tinto holds about you (for which you
may be charged a fee in some countries), and the right to ask Rio Tinto to correct any inaccuracies in
that information, or in some cases, to erase it. You also have the right to complain about how your
personal data is processed. You also have rights to information about how personal data is processed
and to object to its processing in some circumstances.
For further information on or to exercise any of these rights, please refer to Rio Tinto’s Data Privacy
Standard or contact Group Ethics & Integrity ([email protected]), or ask your main contact at
Rio Tinto to put you in touch with the Group Ethics & Integrity team.
For Contractors in the European Economic Area (EEA), there is a listing of EEA companies who may
engage Contractors on the data privacy page on Element.
Where permitted by local law, Rio Tinto may use data analytics to ensure and monitor compliance with
Group policies, standards and procedures, including to promote workplace health and safety and
operational efficiency. If processing of personal data is necessary for analytics purposes, no personal
data will be included in analytics reports without prior notice to you. No decisions about you will be
made solely using data analytics or other automated processing.
8. Glossary
Category 1 Contractor means a Contractor who provides services under the direction of Rio Tinto
leaders.
Category 2 Contractor or Category 3 Contractor means a Contractor who delivers outcomes under
the direction of a supplier (not Rio Tinto), and includes consultants. Category 2 Contractors are
engaged for capital projects and Category 3 Contractors are engaged for operations.
Contractor means a person who is not a Rio Tinto employee, who is an employee of a supplier
temporarily engaged through a contract between Rio Tinto and the supplier to perform work at Rio Tinto
operations or projects for a specified length of time or for a specified activity.
Personal data means all information relating to any identifiable individual.
Process includes anything that can be done with personal data.
Rio Tinto Group means all companies or businesses wholly or majority owned or managed by Rio
Tinto plc or Rio Tinto Limited (whether directly or indirectly).
Sensitive information includes personal data about a person’s trade union membership, criminal
record, health or the health services they have received, race, ethnicity, religion, political opinions or
details of sexual life.
Appendix
Contractor Personal Data Categories
An overview of the types of personal data collected by Rio Tinto in relation to Category 1,
Category 2 and Category 3 Contractors
Where permitted by law in your country and where necessary for one or more of the specific,
legitimate business purposes described in the Contractor Privacy Statement, the contractor personal
data collected and otherwise processed by Rio Tinto may include:
• Emergency contact information (may be limited to contact details for Contractor Company)
• Marital status (where required to meet legal obligations)
• Date and place of birth
• Languages spoken
• Status of national service (where applicable)
• Passport and visa information (where necessary for business travel)
• Reference and referral information
• Driver’s licence information (where a licence is required for work duties)
• Photographs (where necessary for identification purposes, or where volunteered or consented
to)