Cyber Security Assessment Survey — How We Use Your Information
Real World Technology Solutions Pty Ltd (RWTS) · ABN 74 101 234 664
Part of our Cyber Security Research: Cybersecurity for SMB and not-for-profits
This document explains, in plain language, what we collect when you complete our cyber security assessment survey, how we use it (including with AI tools), and how your responses feed into our research. It sits alongside — and where it differs, takes precedence over — the general RWTS Privacy Policy for matters specific to this survey.
Part A — The plain-language summary
- What you're doing. Answering questions about how your organisation works and handles cyber security, so we can assess your security posture and give useful feedback.
- Who sees your individual answers. Our people do. We do not hand your individual answers to your organisation's leadership — they receive a summarised, aggregated view across everyone who responded.
- The honest caveat on anonymity. In a small organisation the number of respondents may be low, so it can be possible to work out who said what. We can't promise true anonymity and won't pretend otherwise.
- How AI is involved. Real people review your answers, and we also send your responses to AI language models — our own self-hosted AI and enterprise tools from Anthropic and OpenAI — because testing how well these models assess cyber risk is part of the research. Under our enterprise agreements your data is not used to train their models. AI processing is a condition of taking part.
- What goes to the AI. The survey is mostly multiple choice. Free text is sent as you wrote it. We remove obvious identifiers like organisation names where we practically can, but can't promise to strip every identifier.
- It's research. Your responses help us develop and improve cyber security assessments — the questions, scoring, and methodology.
- We may ask you to take it again at around 6 and 12 months to measure change over time; to do that we link your rounds together, so repeat responses aren't anonymous to us.
- It's voluntary, with one condition. You can withdraw, but because AI processing is core to the research, you can't take part while opting out of AI processing.
- Questions or concerns. Email [email protected] or call 1300 798 718.
Part B — Survey privacy statement
Who we are
This survey is run by Real World Technology Solutions Pty Ltd (RWTS), ABN 74 101 234 664, of Unit 12/2 Eden Park Drive, Macquarie Park NSW 2113. We are an Australian organisation bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
What we collect
- Your responses — answers, including any free-text comments and opinions you add.
- Identifying details you give us — name, role, email, and organisation where asked. Some may be optional; where they are, we'll say so.
- Technical information — basic data the platform records automatically (time of submission, limited diagnostics) to run the survey securely.
Why we collect it
To assess your organisation's posture and prepare a summarised report; to give feedback that helps you improve; and to conduct our Cyber Security Research and improve the assessment itself. We only use it for these purposes or directly related purposes you'd reasonably expect, consistent with APP 6.
How human experts and AI tools handle your answers
Real people review responses, and a member of our team is responsible for any conclusion that affects you. But here the AI isn't just a back-office helper — how AI models assess cyber risk is one of the things we're studying. We run your responses through several models and compare them:
- our own private, self-hosted AI; and
- public enterprise models from Anthropic (Claude, incl. Opus and Fable) and OpenAI (GPT‑5.5), under enterprise agreements.
Your responses — including free-text answers as written — are sent to these models. De-identification is best-effort, not guaranteed. Under our enterprise agreements your data is not used to train their models, is retained only for the minimum period needed (typically 30 days or less), access is restricted, and our people review AI output rather than treating it as the final word. This is why AI processing is a condition of participation.
Who we share it with
Your organisation receives a summarised, aggregated report — never your individual answers. Service providers who help us run and store data securely act under confidentiality and security obligations. No one else, unless you've consented, you'd reasonably expect it, or we're required by law. We don't sell your information or use it for marketing.
Overseas disclosure
The enterprise AI models and some providers store or process data outside Australia, including the United States. Your responses — including identifiers remaining after best-effort de-identification — are disclosed overseas. We take reasonable steps to ensure this information is handled consistently with the APPs, including contractual protections. By taking part, you consent to this overseas disclosure.
Storage, security, retention & breaches
We protect survey data with access controls and appropriate security measures, and keep responses as long as needed for the assessment and research, after which we destroy or de-identify them. If we became aware of a data breach likely to result in serious harm, we would assess and notify affected individuals and the OAIC as required.
Part C — The anonymity and re-identification caveat
We only ever give your organisation summarised and aggregated results — never individual answers. But aggregation isn't a magic anonymity switch: in a small organisation, the content of a summary can sometimes make it possible to work out, or reasonably guess, who said something. So:
- We do not guarantee that your responses are anonymous.
- We design to reduce the risk — we aggregate, suppress or generalise small groups, and use judgement before including anything distinctive.
- You're in control of what you write — free text is where identification is most likely, and it's sent to the AI models as written.
Part D — Research participation
This survey is part of RWTS's Cyber Security Research, supported by the Australian Government's R&D Tax Incentive and a Commonwealth grant to develop cyber security solutions for small business. This is applied research: understanding what drives cyber risk in small organisations and what measurably improves their posture, and developing the assessment methodology itself. A specific aim is to test whether AI language models can accurately assess cyber risk — which is why AI processing is built in rather than optional.
Repeat surveys and measuring progress
We may invite your organisation to retake the survey at around 6 and 12 months. The questions may change between rounds; we link your rounds together to measure progress, so repeat responses are not anonymous to us; each round is voluntary; and we keep linked responses for the life of the longitudinal research, then destroy or de-identify them.
Standard disclaimers
- The assessment is not a guarantee or certification that your organisation is secure or compliant.
- It's a self-reported snapshot, not a penetration test or formal audit.
- No professional advice relationship — feedback is general in nature.
- The methodology is evolving, so results from different versions may not be directly comparable.
How many people should respond
For a meaningful result we recommend at least four people from your organisation respond. The assessment deliberately spreads different angles of each question across respondents, so more responses give a better-triangulated picture — and a larger group also reduces the re-identification risk noted above.
Your choices
- Taking part is voluntary; you can stop at any time and skip optional questions.
- You can ask us to withdraw your responses by emailing [email protected] (subject to limits once data has been merged into aggregate research data).
- You can access and correct the personal information we hold, subject to the Privacy Act's exceptions.
- AI processing is a condition of taking part — if you'd prefer your responses not be processed by AI, please don't complete the survey. There's no penalty for choosing not to take part.