Privacy Policy

EMRAILS is committed to protecting the privacy of “individuals” personal information by complying with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). This Policy describes how OneSteel Manufacturing Pty Ltd (ABN 42 004 651 325) (Subject to Deed of Company Arrangement), its parent company and its related bodies corporate (“we”, “our” or “us”) handle personal information. For details of our parent company and its related bodies corporate, please contact us. Nothing in this Privacy Policy is intended to limit our obligations or permitted handling of personal information under privacy laws. For example, under the Privacy Act, we may rely on certain exemptions including in relation to employee records.

1. Collection of personal information - We may collect personal information about you in certain circumstances such as where you contact or transact with us. We collect current and historical personal information including information about your name, contact details, identification (eg, driver’s license or passport you provide to us), organisational affiliations, positions held, forms submitted, shareholdings in Arrium Limited, payment details, enquiry/complaint details, details of any injury or safety incident on any of our sites, results of drug and alcohol testing at our sites, GPS tracking at our sites and between our sites and details of any gifts or entertainment provided to you. We collect the information that you provide in your communications and transactions with us, including records of any contact we have with you by telephone, email or online.

We may also operate video and audio surveillance devices in our premises for purposes including security, training and dispute resolution. We collect personal information directly from you as well as from third parties including public sources, our related companies, share registry service providers, information service providers and the parties with whom we exchange information as described here.

2. Use of personal information - The personal information that you provide to us may be used for business purposes relevant to our relationship with you. This may include but is not limited to: assessing and responding to your enquiries, requests and applications; fulfilling your orders;

identifying other products and services that you might purchase; helping us improve our product and services offering; direct or other marketing of our products and services; market research; relationship management; injury and safety management and protecting our lawful interests.

We may not be able to do these things without your personal information. For example, we may be prevented from delivering our products and services, communicating with you and/or improving our product and service offering. We may contact you on an ongoing basis by telephone, email, SMS or other means regarding your account or, subject to any legal restrictions, for direct marketing. If you do not wish to receive direct marketing messages you can “unsubscribe” in accordance with the unsubscribe procedure specified in the relevant message.

3. Disclosure of personal information - We may exchange your personal information with our related companies, subcontractors, service
providers, your guarantors (where applicable) and your representatives in the course of conducting our business. The types of service providers we engage include those that assist us with archiving, auditing, accounting, customer contact, legal, business consulting, banking, payment, debt collection, delivery, data processing, data analysis, information broking, research, investigation, insurance, website or technology services.

These services may be provided by third parties located in Australia, New Zealand, USA, Japan, United Kingdom or other countries. We may also exchange your personal information with third parties when undertaking joint promotions. Your personal information may be disclosed to third parties transacting with Arrium in relation to our assets or businesses under an undertaking of confidentiality. Where you agree to this Privacy Policy you consent to disclosure of your personal information outside Australia and acknowledge and agree that: (a) privacy obligations overseas may not always apply or may differ from Australian privacy laws; (b) we may not be accountable under the Privacy Act for the overseas recipient’s storage, use or disclosure of the information; (c) you may not be able to seek redress under the Privacy Act for that disclosure or for the acts or omissions of the overseas recipient of the information; and (d) the overseas recipient of the information may be subject to foreign laws which might compel further disclosures of personal information (e.g. to government authorities).

4. Security and confidentiality - We implement various security measures to protect the security and confidentiality of your personal information, including taking reasonable steps to destroy or de-identify information that we hold about you when it is no longer required. We hold personal information electronically and in hard copy form, both at our own premises and with the assistance of our service  providers.

5. Recruitment - If you apply for a position with us, we may also collect information about your experience, character, qualifications and screening checks (including background, health, reference, directorship, financial probity, identity, eligibility to work, vocational suitability and criminal record checks). We collect, use and disclose your personal information to assess your application, conduct screening checks and consider and contact you about positions available. We may exchange your personal information with academic institutions, recruiters, screening check providers, health service providers, professional and trade associations, law enforcement agencies, referees and your current and previous employers. Without your personal information we may not be able to further consider you for positions with us.

6. Personnel - This section applies to our current and former employees and contractors in addition to the recruitment section above. We may collect information relating to your current or former employment or engagement including information about your training, disciplining, resignation, termination, terms and conditions, emergency contact details, performance, conduct, use of our IT resources, payroll matters, union or professional/trade association membership, recreation, drug/alcohol tests, leave and taxation, banking or superannuation affairs. We are required or authorised to collect your personal information under various laws including the Fair Work Act, Superannuation Guarantee (Administration) Act and Taxation Administration Act. We collect, use and disclose your personal information for purposes relating to your employment or engagement with us including engagement, training, disciplining, payroll, superannuation, health and safety, administration, insurance (including Workers Compensation) and staff management purposes. We may exchange your personal information with your representatives (including unions) and our service providers including providers of payroll, superannuation, banking, staff benefits, medical services, surveillance (where permitted by law) and training services. Without your personal information we may not be able to effectively manage your employment or engagement. If a current or former employee makes a claim under the workers compensation law in any state or territory, proper processing, assessing and management of the claim will necessitate that information be collected and provided to and from statutory authorities and other entities under the legal obligations imposed by the applicable state or territory.

7. Credit related information – This paragraph applies in addition to (and without limiting) the other parts of this Policy in connection with all trading and customer accounts with us. If you are an individual credit applicant or customer of ours or if you are a guarantor for another credit customer (eg, a company you represent), we may collect consumer credit-related personal information about you. The types of credit-related personal information we collect include your name, sex, date of birth and three most recent addresses; driver’s license number; employer; amount and type of credit you have applied for; credit limits; terms relating to credit arrangements; confirmation of previous information requests to credit reporting bodies (“CRBs”) made by other credit providers, mortgage insurers and trade insurers; details of your current and previous credit providers; start and end dates of credit arrangements; permitted payment default information including information about related payment arrangements and subsequent repayment; any credit provider’s opinion that you have committed a serious credit infringement (acted fraudulently or shown an intention not to comply with your credit obligations); information about court judgments against you; publicly available information about your credit worthiness; insolvency information from the National Personal Insolvency Index; and any credit score or credit risk assessment indicating a CRB’s or credit provider’s analysis of your eligibility for consumer credit.

a) Credit information from third parties – The credit information we collect may include information about your arrangements and applications with other credit providers as well as with us. We may collect credit-related personal information directly or indirectly from third parties including the CRBs listed below; records published by Australian Courts; and other credit providers (including through means such as credit references). We may also collect credit-related personal information directly or indirectly from you or an authorised representative assigned by your organisation, including when you or the authorised representative within your organisation applies for
a commercial credit facility with us; when you as a director of a company, owner of the business or in your own capacity as an individual,
provide personal guarantees as collateral for such a credit facility; when you or your organisation request an increase in an existing credit
facility and we require you to complete an application to facilitate such a request; or when you request access to, or correction of, your
credit-related personal information.

Our Credit Reporting Bodies include: (1) Veda Advantage, PO Box 964 North Sydney 2059, www.mycreditfile.com.au, 1300 762 207; (2) Dun & Bradstreet, Level 7, 479 St. Kilda Road Melbourne 3004, www.dnb.com.au, pacaustral@dnb.com.au, 1300 734 806; (3) Experian, GPO Box 1969, North Sydney NSW 2060, www.experian.com.au, 1300 784 134; (4) Tasmanian Collection Service, 29 Argyle Street, Hobart, www.tascol.com.au, enquiries@tascol.com.au, (03) 6213 5555.

You can contact these credit reporting bodies or visit their websites to see their policies on credit-related personal information, including
details of how to access or correct your credit-related personal information they hold. You can also request credit reporting bodies not to
use your credit information to determine your eligibility to receive direct marketing from credit providers or not to use or disclose your
credit information if you have been or are likely to be a victim of fraud.

b) Use and disclosure of credit-related personal information - We use credit-related personal information to (among other things)
determine a credit applicant’s (company or individual’s) eligibility to qualify for, or request an increase to, a commercial credit facility
with us; determine the strength of an individual’s offer to act as a guarantor in support of a commercial credit facility being provided or
an application for credit that has been submitted; manage the credit facility, guarantee, account and our relationship with you effectively,
including dealing with overdue debts, verifying your identity, maintaining and updating records and producing our own assessments and
ratings of your credit worthiness; assist a CRB to maintain records in relation to your credit worthiness; and enable debt collection agents
and/or solicitors to positively identify and recover any unpaid debts referred to them by us. We may not be able to do these things without
your personal information. We may disclose your credit-related personal information (including defaults and serious credit infringements)
to CRBs for this purpose. CRBs may disclose those records to third parties as permitted by law, including to other credit providers conducting their own credit assessment processes.

c) Queries and complaints in relation to credit-related personal information - If you request access to, or correction of, credit-related
personal information that is held by a CRB or another credit provider, we will endeavour to consult these businesses for a response. If you
submit a complaint in relation to our collection, use or disclosure of credit-related personal information, we will endeavour to acknowledge
receipt of your complaint, investigate and consult with any relevant associated entities (eg, a CRB) within applicable legally proscribed time
limits. If we believe that we will not be able to resolve your complaint or access or correction request within the proscribed time limits, we
will notify you of the delay and the expected timeframe to resolve the matter.

8. Online activity – If you use www.emrails.com and our other websites, mobile applications, social media profiles and online facilities (“Online Facilities”), we may record information such as the date and time of your use of our Online Facilities, the pages/sections accessed and any information downloaded. This information is used for statistical, reporting, administration and maintenance purposes in relation to our Online Facilities. Our Online Facilities may use ‘cookies’ from time to time. Cookies are electronic files that allow our system to identify and interact more effectively with your device and software. The cookie helps us to maintain the continuity of your browsing session and remember your preferences when you return. In many cases this happens anonymously, however where you have clicked a link in an email we have sent you or you have logged in or provided personal information to our Online Facilities, we may associate the cookie with you. You can configure your browser software to reject cookies however some parts of our Online Facilities may not have full functionality in that case. If you are considering sending us any other personal information through our Online Facilities or other electronic means, please be aware that the information may be insecure in transit, particularly where no encryption is used (e.g. email, standard HTTP). We are subject to laws requiring us to protect the security of personal information once it comes into our possession. Our Online Facilities may contain links to other websites and online services.

We are not responsible for the privacy practices or policies of those sites and services.

9. Access, correction and further queries - If you wish to find out more about our information handling practices, raise any privacy concerns or you wish to view or request amendment of your personal information, you may contact our Privacy Officer by emailing info@onesteel.com or calling +61 (02) 4935 5555. We may need to verify your identity. In the case of access and correction requests, please provide as much detail as you can about the particular information you seek, in order to help us locate it. Where we decide not to make a requested correction to your personal information and you disagree, you may ask us to make a note of your requested correction with the information. We take your privacy concerns very seriously. Where you express any concern that we have interfered with your privacy, we will respond to let you know who will be handling your matter and when you can expect a further response.

10. Notification of changes - This Privacy Policy will be amended and updated from time to time. You will be notified of any changes to this Policy by an announcement on our website. The date on the bottom of this page indicates when this Policy was last updated.
Last updated: April 2017