Australia
Australian Privacy Act & the Australian Privacy Principles
Privacy Act 1988 ("Privacy Act"), including the 13 Australian Privacy Principles (“APPs”).
Highlights
Territorial Scope:
The Privacy Act and the APPs apply to Commonwealth (federal) government agencies, organizations, and business operators (each an “APP Entity”) operating inside Australia, or outside Australia but with an Australian link, and exceeding an annual turnover of AUD $3,000,000. An organization or business has an Australian link if it "carries on business" in Australia or an external Territory.
The APPs do not apply to the collection, holding, use or disclosure of Personal Information by an individual, or to Personal Information held by an individual only for purposes of, or in connection with, their personal, family or household affairs. Part IIIA of the Privacy Act imposes additional obligations on organizations that are credit reporting bodies or credit providers when they process Individuals' consumer credit information.
Exemptions:
Certain organizations are exempt from the APPs when Processing Personal Information, including:
- an employer in relation to Personal Information they hold in employee records about current or former employees and the Processing is directly related to the employment relationship;
- small businesses (eg with less than AUD$3,000,000 in annual turnover) unless they provide certain services such as health services or for federal contracts; and
- media organizations if the Processing is carried out in the course of journalism and they adhere to industry standards.
Some of the APP obligations do not apply to the Processing of Personal Information if a “Permitted General Situation” or a “Permitted Health Situation” exists, as defined below.
Lawfulness of Processing:
Processing of Personal Information is lawful only if, and to the extent that, the APP Entity has collected only information that is reasonably necessary for its functions or activities; has collected it by lawful and fair means and directly from the Individual (unless it is unreasonable or impracticable to do so); and uses and discloses it only for the primary purpose for which it was collected, unless an exception applies (eg there is express or implied consent).
APP Entity Obligations:
- Implement practices, procedures, and systems to ensure its activities comply with the APPs and to enable it to respond to any requests or complaints from Individuals about their handling of Personal Information.
- Publish a clear and up-to-date Privacy Policy informing Individuals about the Personal Information it collects or holds, the purposes of collection, use, holding or disclosure, international transfers, the privacy rights Individuals have and how their complaints may be handled. Also notify the Individual, before or at the time of collection or as soon as reasonably practicable afterwards, that the APP Entity is collecting their Personal Information, including when the information is collected from someone other than the Individual.
- Provide Individuals the opportunity to interact with it anonymously or using a pseudonym, unless the APP Entity is authorised by law to interact with an identifiable Individual, or it is impracticable to deal with the individual without identifying them.
- Only collect Sensitive Information if the Individual to whom the information relates consents to its collection or the collection is required or authorised by Australian law or a Permitted General or Permitted Health Situation exists.
- If the APP Entity receives unsolicited Personal Information, it must determine whether it would be lawful to collect and Process that information. If it determines that it could not have collected the Personal Information, the APP Entity must take steps to safely destroy or de-identify the information.
- Not use or disclose the Personal Information other than for the purpose for which it was collected unless the Individual has consented; or the Individual would reasonably expect the entity to use or disclose the information for the secondary purpose and the secondary purpose is related to the primary purpose; or such use or disclosure is required under Australian law; or a Permitted General Situation or Permitted Health Situation exists.
- Not use or disclose Personal Information for direct marketing unless it meets the conditions prescribed by the APPs (eg the Personal Information was collected directly from the Individual, the Individual would reasonably expect the APP Entity to use or disclose the information for the purpose of direct marketing, and the APP Entity makes an opt-out mechanism available). If the direct marketing is sent electronically, the APP Entity must have the Individual recipient’s consent (as required by the Spam Act 2003).
- Not adopt a government related identifier (GRI) as its own identifier, and not use or disclose GRIs unless reasonably necessary to verify the identity of the Individual, to fulfil its obligations to an Agency, where authorised by law, or if it believes disclosure is necessary for an enforcement activity.
- Take steps to confirm that the Personal Information it collects, uses or discloses is accurate, up-to-date, complete and relevant, having regard to the purpose for which it will be Processed.
- Take all reasonable steps, including technical and organizational measures, to protect Personal Information the APP Entity holds (in its possession or control) from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- Take reasonable steps to destroy or de-identify the Personal Information it holds when the information is no longer needed by the APP Entity, unless it is required by law to be kept or is in a federal record.
Data Subject Rights:
The APPs provide the following rights, subject to certain exceptions, to an Individual:
- Right to access the Personal Information an APP Entity holds about them;
- Right to request correction of the Personal Information an APP Entity holds about them;
- Right to withdraw consent to the APP Entity Processing their Personal Information;
- Right to not have their Personal Information processed for purposes of direct marketing.
APP Entities must respond to an Individual within a reasonable time of receiving a request from them exercising their rights (for Agencies, the time to respond to an access or correction request is 30 days which is a good guide).
Cross-border Data Transfers to Third Parties:
A disclosure of Personal Information to a third party in a foreign country (ie outside Australia) is permitted if any of the following conditions apply:
- The APP Entity takes reasonable steps to ensure that the foreign recipient does not breach the APPs in relation to the Personal Information transferred (this generally occurs through an enforceable contractual arrangement). The APP Entity remains accountable for the Processing by the foreign recipient (including any breach of the APPs).
- The APP Entity reasonably believes that the foreign recipient is subject to a law or binding scheme that provides a substantially similar level of protection to the APPs, and there are mechanisms available to the Individual to enforce that law or scheme.
- The APP Entity expressly informs the Individual that it will not take steps to ensure the foreign recipient will comply with the APPs and it will not be responsible for any Processing of their Personal Information by the foreign recipient, and the Individual subsequently consents to the transfer.
- The disclosure is required or authorised by Australian law.
- A Permitted General Situation exists.
- The entity is an Agency, and the disclosure is required or authorised under an international agreement or the Agency believes the disclosure is required for enforcement activities and the recipient performs functions similar to that of an enforcement body.
Eligible Data Breach (EDB) Notification:
- Timeline for Notification to the Commissioner: If an APP Entity (or a credit reporting body, credit provider or an organisation that processes Tax File Numbers) suspects an EDB, it must within 30 days assess the suspected EDB to determine whether an EDB has in fact happened. Once it becomes aware that there are reasonable grounds to believe that there has been an EDB, the entity must notify the OAIC as soon as reasonably practicable after it becomes aware, using the OAIC's online portal. The notification to the OAIC must contain a statement that:
  - Provides the identity and contact details of the Entity;
  - Describes the data breach that the Entity has reasonable grounds to believe has occurred;
  - Describes the kind of Personal Information affected;
  - Provides recommendations about the steps affected Individuals can take to mitigate the possible adverse effects of the EDB.
- Requirements for Notification to Individuals: The Entity must notify the contents of the statement outlined above either to all Individuals affected by the EDB, or only to the affected Individuals at likely risk of serious harm, using the method the Entity usually uses to communicate with them. If those options are impracticable, the Entity may publish the notification prominently on its website or via news media. The OAIC may also direct the Entity to notify.
More Details
Definitions:
- Agency: an Australian Commonwealth (federal) department,
- APP Entity: An Agency, organization, or small business operator. For the purposes of the Act, an Agency means a federal Minister, Department, government, court, police or any other federal public entity; an Organization means an individual, body corporate, partnership, trust or any other unincorporated association that is not a small business operator or an Agency.
- Eligible Data Breach: Unauthorised access to, unauthorised disclosure of, or loss of Personal Information (which may include a Tax File Number or credit information) held by an APP Entity, where a loss is likely to result in unauthorised access to or disclosure of the information, and the access, disclosure or loss is likely to result in serious harm to one or more Individuals.
- Consent: Express or implied consent.
- Individual: A natural, living person about whom the Personal Information relates. The Privacy Act does not apply to deceased individuals.
- Personal Information: Any information or opinion about an identified Individual or an Individual who is reasonably identifiable, regardless of whether the information or opinion is true, or is recorded in a material form or not.
- Government Related Identifier (GRI): An identifier of an Individual that has been assigned by an Agency, an Australian State or Territory authority, agent of an Agency or state, a contracted service provider of the government.
- OAIC: the Office of the Australian Information Commissioner, which administers compliance with the Privacy Act under the supervision of the Privacy Commissioner exercising their powers and functions.
- Permitted General Situation: Personal Information is collected, used or disclosed for the purpose of preventing serious threats to life, health or safety; taking action in relation to an unlawful activity or serious misconduct; locating a missing person; establishing or defending a legal claim; conducting an alternative dispute resolution process; performing diplomatic or consular functions; or conducting special defence force activities.
- Permitted Health Situation: Includes the collection of Personal Information for the purpose of providing health services and the Processing is required or authorised by an Australian law; or the Personal Information is used and disclosed for certain types of permitted research; or other specified situations, such as the Personal Information is genetic information or the patient is incapable of providing consent.
- Sensitive Information: Personal Information revealing an Individual’s race or ethnic origin, political opinions or membership in a political association, religious or philosophical beliefs, professional association or trade union membership, sexual orientation or practices, criminal record, health or genetic information or certain biometric information or templates.
Penalties:
The Privacy Act empowers the OAIC to seek an order before the Federal Court or the Federal Circuit Court for civil penalties for serious interferences with privacy. The maximum penalty is AUD $2,500,000 for a non-corporate entity; for a corporate entity, it is an amount not exceeding the greater of AUD $50,000,000, three times the value of the benefit obtained by the corporation, or 30% of the corporation’s adjusted turnover for the period in issue.
The Privacy Act also empowers the OAIC to seek an order before the Federal Court or the Federal Circuit Court for interferences with privacy that are not serious, for an amount not exceeding 2,000 penalty units for a non-corporate entity and 10,000 penalty units for a corporate entity.
The OAIC can also issue compliance notices and infringement notices for breaches of some of the APPs, which may include a civil penalty of up to 60 penalty units per contravention for APP Entities that are not listed. (As at July 2025, the value of a penalty unit is AUD$330.)
Remedies, Liability, and Complaints:
- Right to Lodge a Complaint with the OAIC: Every Individual has the right to lodge a complaint with the OAIC if the Individual considers that an APP Entity's Processing of their Personal Information breaches any APP, or concerning the APP Entity's notification of an EDB, where they are not satisfied with the Entity's resolution of their request or complaint.
Effective Date:
July 1, 2020
Security of Critical Infrastructure Act 2018
Security of Critical Infrastructure Act (2018) (SOCI Act) and associated regulations.
Highlights
The SOCI Act applies in the Designated Sectors to defined critical infrastructure assets and includes obligations regarding Cyber Security Incidents.
Territorial Scope:
The SOCI Act applies to organisations that own, operate, or have a direct interest in critical infrastructure assets across Designated Sectors in Australia. Its scope includes both physical infrastructure and digital systems that, if disrupted, could significantly impact Australia’s national security, economy, or public safety.
Definitions:
- Business Critical Data: refers to personal information that relates to at least 20,000 individuals; information relating to any research and development in relation to a critical infrastructure asset; information related to any systems needed to operate a critical infrastructure asset; information needed to operate a critical infrastructure asset; or information relating to risk management and business continuity in relation to a critical infrastructure asset.
- Cyber Security Incident: involves unauthorised access to computer data or program; unauthorised modification of computer data or program; unauthorised impairment of electronic communication; or unauthorised impairment of the availability, reliability or security of a computer, computer data or program.
- Designated Sectors: energy, communications, data storage and processing, financial services and markets, water and sewerage, healthcare and medical, higher education and research, food and grocery, transport, space technology and defence.
- Responsible Entity: is defined according to the critical infrastructure asset and is generally the entity responsible for the operation of a critical infrastructure asset or license holder for the asset.
- Relevant Impact: is an impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset.
- Significant Impact: is an impact on the availability of a critical infrastructure asset if the asset is used in connection with the provision of essential goods and services, and the incident has materially disrupted the availability of those essential goods or services.
Cyber Security Incident Obligations:
- Significant Incident Reporting: If a Cyber Security Incident that has a Significant Impact has occurred, is occurring or is imminent, the Responsible Entity must notify the Australian Signals Directorate (through the Australian Cyber Security Centre) within 12 hours of becoming aware of the incident.
- Relevant Incident Reporting: If a Cyber Security Incident that has a Relevant Impact has occurred, is occurring or is imminent, the Responsible Entity must notify the Australian Signals Directorate (through the Australian Cyber Security Centre) within 72 hours after the entity becomes aware of the incident.
More Details
Additional Obligations:
- Notification: Responsible Entities must notify external data storage or processing service providers if they are storing or processing their Business Critical Data.
- Registration: Designated Entities must register certain information related to critical infrastructure assets with the Critical Infrastructure Security Centre and keep this information updated.
- Risk Management Program: Designated Responsible Entities must develop, maintain and comply with a Risk Management Program for their critical infrastructure assets, which includes meeting prescribed security frameworks depending on the sector, and must submit an annual report on compliance with their Program within 90 days after the end of the financial year.
Cyber Security Act 2024
Cyber Security Act 2024 and Cyber Security (Ransomware Payment Reporting) Rules 2025.
Highlights
Purpose:
Part 3 of the Cyber Security Act includes the ransomware payment reporting obligations that apply to entities that make a ransom payment (or have a third party make one on their behalf) following a Cyber Security Incident.
Territorial Scope:
The Cyber Security Act applies only to Reporting Business Entities in Australia. If an Australian entity is part of a global corporate group and is directly impacted by a Cyber Security Incident, and a related overseas group entity negotiates and/or makes the Ransomware Payment on behalf of the whole corporate group, the Australian entity in the group is a Reporting Business Entity and must comply with the Ransomware Payment Report obligations (but the other group entities do not need to comply).
Definitions:
- Cyber Security Incident: has the meaning given by the Security of Critical Infrastructure Act 2018, or is one that involves the unauthorised impairment of electronic communication to or from a computer (and includes the mere interception of any such communication).
- Extorting Entity: makes a demand of the Reporting Business Entity, or any other entity, in order to benefit from the Cyber Security Incident or its impact on the Reporting Business Entity.
- Reporting Business Entity: is an entity which is, at the time the ransomware payment is made, carrying on business in Australia with an annual turnover in the previous year exceeding the turnover threshold (AUD$3,000,000), or a Responsible Entity for a critical infrastructure asset, but not a Commonwealth or state body.
- Ransomware Payment: is a payment or benefit made by or on behalf of a Reporting Business Entity to the Extorting Entity that is directly related to a ransomware demand.
- Ransomware Payment Report: is a report prepared by the Reporting Business Entity and given to the designated Commonwealth body.
Obligations:
- Ransomware Payment Report: A Reporting Business Entity must submit a Ransomware Payment Report to the designated Commonwealth body (the Australian Signals Directorate’s Australian Cyber Security Centre) within 72 hours of making the payment or becoming aware of it being made on its behalf. The report must include:
  - Contact and business details of the payer.
  - Details of the Cyber Security Incident and its impact.
  - The demand made by the Extorting Entity.
  - The Ransomware Payment made.
  - Communications with the Extorting Entity.
Entities and their officers are not liable for damages for acts done in good faith in compliance with their reporting obligation.
- Limited use provisions: Information contained in Ransomware Payment Reports can only be used for permitted purposes (eg assisting the Reporting Business Entity, national security coordination, criminal proceedings). Such information cannot be used for unrelated civil or regulatory enforcement purposes, is not admissible in evidence against the reporting entity in legal proceedings and must be handled in accordance with the Privacy Act 1988.
Penalties:
The civil penalty for non-compliance with the ransomware reporting requirements is 60 penalty units.
My Health Records Act 2012
My Health Records Act 2012, My Health Records Regulation 2012 and My Health Records (National Application) Rules 2017.
Highlights
The My Health Records Act 2012 governs the My Health Record system which is a national public system designed to make health information available to support the provision of Healthcare. The Act governs the use, disclosure and obligations for the health records and breaches are deemed privacy interferences and may be investigated under the Privacy Act.
Territorial scope:
The My Health Records Act 2012 applies to all private sector health service providers anywhere in Australia. However, it does not apply to state and territory public sector health service providers, such as public hospitals.
Definitions:
- Entity: for the purposes of the My Health Records Act refers to a person, partnership, any unincorporated association or body, trust or part of an entity.
- Healthcare: refers to any health service that is intended or claimed by the individual or person performing it to assess, maintain or improve an individual’s health, to manage an individual’s health, to diagnose or treat an individual’s illness, disability or injury, or record an individual’s health for the purposes of assessing, maintaining, improving or managing an individual’s health.
- Healthcare Recipient: is an individual who has received, receives or may receive, Healthcare.
- Health Information: is defined in the Privacy Act 1988 and refers to information or an opinion about an identified or reasonably identifiable individual that is about the health of the individual; the expressed wishes of the individual about the future provision of health services; health services provided to the individual; other personal information collected in providing a Healthcare Service; or any other personal information collected in connection with bodily donations; or genetic information that is or could be predictive of the health of the individual or a relative.
- My Health Record: is the record of a healthcare recipient that is created and maintained by the System Operator. A Healthcare Recipient will have a My Health Record automatically created for them in the My Health Record system, unless the recipient elects to opt out of the system. Obligations apply to Registered Healthcare Provider Organisations and individual healthcare providers that access, manage, or control information in a My Health Record.
- My Health Record System: refers to a system that is for the collection, use and disclosure of information collected from Healthcare Recipients and is used and stored in accordance with their wishes; and facilitates the provision of Healthcare Services; and involves the performance of the System Operator’s functions.
- Registered Healthcare Provider Organisation: means a healthcare provider organisation that is registered under the My Health Records Act.
- System Operator: is the Secretary of the Department of Health, or any other body prescribed by Commonwealth regulations.
Use of Health Information:
Health information may be collected, used and disclosed from a healthcare recipient’s My Health Record for the purpose of providing Healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record.
Breach notification:
The My Health Records Act requires healthcare organisations to notify the Office of the Australian Information Commissioner (OAIC) and the My Health Record System Operator of a data breach involving the My Health Record system.
An eligible data breach occurs when there is:
- unauthorised access to, unauthorised disclosure of, or loss of personal information that a Registered Healthcare Provider Organisation holds. Under the My Health Records Act, there are three types of data breaches:
  - a person has or may have contravened the My Health Records Act in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record;
  - any event that has, or may have, occurred (whether or not involving a contravention of the My Health Records Act) that compromises, may compromise, has compromised or may have compromised the security or integrity of the My Health Record system; or
  - any circumstances that have or may have arisen (whether or not involving a contravention of the My Health Records Act) that compromise, may compromise, have compromised or may have compromised the security or integrity of the My Health Record system; and
- this is likely to result in serious harm to one or more individuals; and
- the Organisation has not been able to prevent the likely risk of serious harm with remedial action.
A reporting entity must report a breach to the OAIC and the System Operator when the entity becomes aware or suspects that a data breach has, or may have, occurred and the data breach directly involved, may have involved or may involve the entity. The entity then must notify individuals at risk of serious harm of the contents of the statement. If it is not practicable to notify individuals at risk of serious harm, an entity must publish a copy of the statement prepared for the OAIC on its website and take reasonable steps to bring its contents to the attention of individuals at risk of serious harm.
More Details
Penalties:
- Failure to report a breach: If a Registered Healthcare Provider Organisation becomes aware that a cyber security incident has occurred or that circumstances which may give rise to suspicion of such an event have arisen, and fails to, as soon as reasonably practicable, notify the System Operator or the OAIC, the maximum penalty is 1500 penalty units.
- Unauthorised Use: There are criminal and civil penalties if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available.
- Enforcement: The My Health Records Act states that any breach of the Act with respect to Health Information included in a Healthcare Recipient’s My Health Record is an ‘interference with the privacy of the Healthcare Recipient’ for the purposes of the Privacy Act 1988. This triggers the OAIC’s enforcement and investigatory powers under the Privacy Act. The My Health Records Act includes additional penalty provisions and enforcement powers that recognise and aim to protect the sensitivity of Health Information. For example, a healthcare organisation cannot use or disclose Health Information included in a Healthcare Recipient’s My Health Record if the use or access was via the My Health Record system and was unauthorised, with attached penalties amounting to 300 penalty units, imprisonment for 5 years, or both.
Redress:
- Liability: The Act sets out clear responsibilities for those who handle information in the My Health Record system. It is an offence to access, use, or disclose Health Information without proper authorisation. Serious or intentional misuse, such as accessing records without a valid reason or using information for personal gain, can result in criminal penalties.
- Complaints: Individuals are encouraged to raise a complaint with the Healthcare provider involved. If the matter isn’t resolved, it can be escalated directly to the OAIC, who has the power to investigate and take action.
State and Territory Data Privacy Laws
Highlights
In most Australian States and Territories there are privacy laws that apply to State and Territory public sector bodies. These laws can also apply to contracted service providers for these bodies if required by the terms of the services agreement.
In some States and Territories there are also health records laws that apply to health service providers and to other entities that collect and hold health information in those jurisdictions. Entities in those States and Territories must comply with the applicable health records laws as well as applicable federal privacy laws (eg the Privacy Act 1988 and the My Health Records Act). In other States and Territories, entities only need to comply with the federal Acts in relation to the processing of health information.
More Details
State and Territory Privacy Acts:
The relevant state and territory Privacy Acts include information privacy principles that broadly align with the Australian Privacy Principles (APPs) in the federal Act. The relevant statutes are as follows:
- Australian Capital Territory (ACT): The Information Privacy Act 2014, which includes 13 Territory Privacy Principles that regulate the processing of personal information by public sector agencies in the ACT. The ACT Act does not mandate breach notification.
- New South Wales: The Privacy and Personal Information Protection Act 1998, which includes Information Protection Principles that regulate the processing of personal information by NSW public sector agencies. It also has a mandatory data breach notification scheme that operates on a similar basis to the notifiable data breach scheme in the Privacy Act 1988.
- Northern Territory: The Information Act 2002, which includes the Information Protection Principles that regulate the processing of personal information by NT public sector agencies.
- Queensland: The Information Privacy Act 2009 includes the Queensland privacy principles. Chapter 3A of this Act requires organisations to take all reasonable steps to contain and mitigate data breaches, and where a breach is suspected to be an eligible data breach, to notify the data breach to the Information Commissioner and impacted individuals as soon as reasonably practicable.
- South Australia: There is currently no legislation that creates a general privacy right. However, there is a Cabinet Administrative Instruction which includes the Information Privacy Principles Instruction, which mandates compliance by all South Australian public sector agencies.
- Tasmania: The Personal Information Protection Act 2004 which includes the Personal Information Protection Principles that regulate the processing of personal information by Tasmanian public sector organisations. Complaints under this Act can be made to the Ombudsman.
- Victoria: The Privacy and Data Protection Act 2014 which includes the Information Privacy Principles which regulate the processing of personal information by Victorian public sector organisations as well as requiring most Victorian public sector entities to also comply with the Protective Data Security Standards in the Act, which include an obligation to notify incidents to the Office of the Victorian Information Commissioner.
- Western Australia: The Privacy and Responsible Information Sharing Act 2024 which includes privacy principles and a framework to govern the processing of personal information by the West Australian public sector. The legislation includes a mandatory information breach notification scheme for public sector entities, which requires serious breaches to be reported to the WA Information Commissioner and that impacted individuals be notified of the breach.
State and Territory Health Records:
Victoria, New South Wales, and the Australian Capital Territory have health privacy legislation. Each Act establishes legally enforceable rights for individuals to access and control their health information. The relevant Acts are:
- In the Australian Capital Territory, the Health Records (Privacy and Access) Act 1997;
- In New South Wales, the Health Records and Information Privacy Act 2002;
- In Victoria, the Health Records Act 2001.
Each of the Acts includes privacy principles that also broadly align with the APPs. In Victoria and NSW they continue to apply for 30 years after an individual is deceased, and there are additional considerations when responding to requests for access to health records. In the ACT, the health records laws continue to apply after an individual’s death, with no fixed time limit specified in the legislation; instead, the protections remain in place for as long as the health record exists and is held by a record-keeper, and access may be granted to authorised representatives such as the executor of the deceased’s estate.
Effective Date:
July [insert], 2025