Rio Tinto

Privacy and cookies


Privacy policy

Rio Tinto is a leading international mining group headquartered in the UK, combining Rio Tinto plc, a London and New York Stock Exchange listed company, and Rio Tinto Limited, which is listed on the Australian Securities Exchange. The 2 companies are joined in a dual listed companies structure as a single economic entity, called the Rio Tinto Group.

This Privacy Policy applies to the processing of personal data by all Rio Tinto staff and all the companies in the Rio Tinto Group (which may be described as "Rio Tinto", "Group businesses", "we" or "us" in this Privacy Policy also).

This Privacy Policy is in 2 parts. It contains:

  1. Rio Tinto's Data privacy standard includes 12 Data Privacy Principles that apply whenever and wherever Rio Tinto collects and processes personal data including but not limited to any personal data processing through this website. The Data Privacy Standard is Rio Tinto’s organisation-wide privacy policy.
  2. Online privacy statement and cookies privacy statement sets out additional information about your privacy if you use this website.

A Glossary has been included at the end of the Standard which defines key terms.

Questions and contact information

If you have any questions or complaints about your privacy or wish to exercise your rights as a data subject, please refer to Data Privacy Principle 8 in the Data Privacy Standard.

If you are a Rio Tinto staff member, contact the Data Privacy Lead for your region; otherwise, contact your local Rio Tinto office or email us at aske&c@riotinto.com. Your email will be forwarded to the Rio Tinto Data Privacy Lead for the relevant region to consider.

This Privacy Policy may be updated from time to time. This Privacy Policy was last updated in June 2022.

Data privacy standards

The Data Privacy Standard sets out the minimum rules (Data Privacy Principles) that apply whenever and wherever Rio Tinto collects and processes personal data in any format, including electronic and paper. The Data Privacy Principles reflect the benchmark for processing personal data across the Rio Tinto Group.

  • Personal data means all information relating to any identifiable individual. For example, professional contact details, photographs, and information about their activities or characteristics. However, personal data does not include information that cannot be associated with an identifiable individual either directly or indirectly (considering the means reasonably likely to be used to make such an association, as well as the costs and the amount of time required and the available technologies).
  • Process and processing covers everything we might do with personal data.

The Glossary at the end of the Standard defines these and other terms used in this Standard.

As Rio Tinto’s organisation-wide privacy policy, this Standard applies to everyone who works for Rio Tinto and to each Rio Tinto Group business.

At Rio Tinto, the lawful and correct handling of personal data is critical. At its simplest, people need to be able to trust us to respect their privacy and how we handle their personal data when working with us or doing business with us.

In addition, we need to comply with privacy and data protection laws around the world. Applying the Data Privacy Principles in this Data Privacy Standard helps us to do this. Failure to comply with these principles could lead to financial and reputational damage to Rio Tinto, as well as resulting in a loss of trust from the individuals we employ, engage or do business with.

The Data Privacy Principles create a global standard that helps Rio Tinto ensure that we act consistently with our obligations under the many different local data privacy laws around the world.

At Rio Tinto, it is important that we comply with the Data Privacy Principles below and with any additional requirements under local data privacy laws that apply to the processing of personal data. If there is a conflict between the requirements under the Data Privacy Principles and local data privacy laws, we comply with the most stringent requirements.

  • Data privacy control

    Any proposed personal data processing that can potentially lead to data subject complaints, regulatory investigations, enforcement actions or damage to Rio Tinto’s reputation must be subject to a Privacy Impact Assessment (PIA) from Ethics and Compliance. The Chief Ethics and Compliance Officer may suspend or block proposed personal data processing activities that, as assessed by Ethics and Compliance, represent a high risk of producing complaints, regulatory investigations, enforcement actions or which could damage Rio Tinto’s reputation.

  • Data privacy principles

    The following Data privacy principles reflect the minimum rules that apply to the processing of personal data at Rio Tinto.

    Data privacy principle 1

    Our processing of personal data is lawful, fair and transparent

    Lawful basis for processing: We will only process personal data:

    • for the legitimate business purpose we collected it for, as explained in a privacy statement
    • for other purposes that the data subject (the person that the data relates to) consents to
    • where necessary for the performance of a contract with the data subject
    • if the processing is required in order to comply with our legal obligations
    • if the processing is expressly permitted under local data privacy laws and the relevant personal data originates in that jurisdiction.

    Notification of processing: We will notify data subjects that we're collecting their personal data, by providing a privacy statement at or before the time we collect personal data from them.

    Collections by or from third parties: Where personal data has been collected by or from third parties, we will ensure that the personal data is lawfully disclosed to us. This includes confirming that data subjects were notified and that a lawful basis exists for the disclosure. We will only process the personal data as permitted by applicable data privacy laws.

    Appendix 1 provides an overview of the purposes for which Rio Tinto undertakes personal data processing.
    Additional information about privacy statements (also known as ‘collection notices’) is at the end of Appendix 3.

    Data privacy principle 2

    We limit our personal data processing

    Purpose limitation: Our personal data processing must be for specific and limited purposes, as notified to the data subject.

    If we process personal data for a different purpose than that notified, we need to inform the relevant data subject(s) of that new purpose (in accordance with Data privacy principle 1) and confirm that:

    • the data subject consents to the processing of his or her personal data for this new purpose
    • the processing is required to comply with an applicable law
    • the new purposes for processing the personal data are compatible with the original processing purposes
    • the processing otherwise is lawful under applicable data privacy laws.

    Processing for a new purpose will only be found to be compatible with the original purpose where applicable law so provides, or we have assessed and concluded that it is, taking into account such factors as the relationship between the initial purposes and the new purpose; the context in which the personal data was collected and expectations of data subjects; the nature of the personal data; the consequences of the new processing for data subjects; and whether there are privacy safeguards in place.

    Data minimisation: We must process only that amount of personal data that we need for the relevant processing purpose, and only to the extent necessary for that purpose. Our personal data processing must be adequate, relevant and not excessive.

    Data privacy principle 3

    We maintain data quality

    When we process personal data, we take reasonable steps to ensure that: the personal data is accurate and where necessary, is kept up to date; and if personal data is needed to make decisions about a data subject but is inaccurate, such personal data is erased, rectified or supplemented (having regard to the processing purpose).

    Data privacy principle 4

    We are careful with sensitive information

    Sensitive information is a type of personal data that is of a particularly private nature and includes (among other things) personal data about a person's race, ethnic origins, trade union membership and health and biometric information, as well as criminal record information. We must ensure that sensitive information is processed only when necessary and only if: the data subject consents; or if processing is:

    • required in order to comply with our legal obligations,
    • is expressly permitted under local data privacy laws or local labour laws and the relevant personal data originates in that jurisdiction; or
    • necessary to prevent or lessen a serious and imminent threat to the life, health or safety of any person.

    Data privacy principle 5

    We protect our disclosures of personal data

    We protect disclosures of personal data (including but not limited to when it is transferred across national borders) as follows:

    Disclosures outside the Rio Tinto Group: If we need to disclose personal data outside the Rio Tinto Group (for example, to an external service provider or to a third party who is authorised to receive the personal data), we must ensure that:

    • the disclosure is protected by contractual data privacy clauses approved by Ethics & Compliance or Rio Tinto Legal. This must include an assessment of whether any transfers across national borders comply with applicable data privacy laws
    • the relevant data subjects have consented to the disclosure
    • the disclosure is otherwise required by law or is expressly permitted under local data privacy laws and the relevant personal data originates in that jurisdiction.

    Disclosures within the Rio Tinto Group: Disclosures within the Rio Tinto Group are protected by the Rio Tinto Data Transfer Deed if it is necessary to share personal data outside of the jurisdiction where the personal data was first collected. Company secretarial and each Group business will ensure that any new Group companies sign up to the Rio Tinto Data Transfer Deed.

    An overview of international disclosures/transfers (both within the Rio Tinto Group and to external service providers) is at Appendix 2a. Also, Appendix 2b outlines requirements for assessments prior to international disclosures.

    Data privacy principle 6

    We must secure personal data

    General data security obligations: Personal data must be kept secure and protected against accidental, unauthorised or unlawful processing, including against loss and unauthorised access, destruction, misuse, modification or disclosure. This means ensuring that Rio Tinto has appropriate technical and organisational measures in place. Data security obligations apply whether personal data is stored in hard copy form (eg paper) or in electronic form (eg in databases). The key rules are:

    • access to personal data about other people should be on a "need to know" basis only
    • each Group business must implement the Rio Tinto Group Standard on Acceptable Use of Information and Electronic Resources and the Group Procedure on Information and Cyber Security (administered by Cyber Security in IS&T) to ensure that appropriate physical, technical and organisational security measures are in place at all stages of the personal data 'life cycle'.

    Internal reporting of Data Privacy Incidents: Each Data Privacy Incident must be immediately reported to Ethics and Compliance. Where required by applicable data privacy laws, Ethics & Compliance will ensure that a data breach is notified to the competent authority(ies) and affected data subjects.

    Data privacy principle 7

    We limit retention of personal data

    Personal data must be kept only for as long as necessary for the lawful purpose for which it is processed (as notified to the relevant individuals), or for the time required or permitted under local laws (whichever is the shorter).

    Personal data will be retained in accordance with the Records Retention and Disposition Schedule (made under the Rio Tinto Records Management Standard and as updated from time to time), which sets out periods for which different types of records containing personal data are needed. After such time, records containing personal data must be securely destroyed (in the case of physical records) or permanently deleted (in the case of electronic records) in accordance with Rio Tinto’s Records Retention and Disposition Schedule or applicable local laws (whichever imposes the strictest obligations). To the extent possible, all archived copies and back-up copies should be destroyed at the same time and in the same manner as any original records that contain the personal data.

    Data privacy principle 8

    We respect data subject rights

    Data subjects have the right to:

    • seek access to personal data that Rio Tinto holds about them
    • seek correction of inaccurate, incomplete or out of date personal data
    • seek erasure of their personal data
    • be provided with information about how their personal data is processed
    • ask for processing of their personal data to cease (particularly if the processing is likely to cause damage or distress, or if the processing is for direct marketing purposes)
    • be notified if the Group business has made a decision about the data subject that is based on automated data processing alone (so that the data subject can ask for a review of the decision, if necessary)
    • complain about the processing of their personal data
    • withdraw previously given consent regarding Rio Tinto's processing of their personal data.

    There are legal exceptions to the exercise of these rights, and Rio Tinto will review each request on a case by case basis, by reference to the laws of the country where the data subject is located (or if the country where the data subject is located has no data privacy laws, or no data privacy laws containing the relevant right, by reference to the data privacy laws in Australia). Requests from data subjects to access their rights should be referred to the Data Privacy Lead for the relevant region who will advise on how the request needs to be responded to.

    Appendix 3 contains more information about how to exercise data privacy rights.

    Data privacy principle 9

    We apply Privacy by Design

    We must ensure that data privacy compliance is integrated into our personal data processing activities.

    Threshold Privacy Assessment: Ethics & Compliance will undertake a Threshold Privacy Assessment if it is proposed to:

    • introduce a new or expanded personal data processing technology or system
    • outsource personal data processing functions
    • collect or generate new personal data categories, or to process existing personal data for a new purpose.

    The Threshold Privacy Assessment will consider:

    • the nature of the personal data
    • the proposed processing purpose
    • proposed disclosures of the personal data, including any proposed trans-border data flows.

    This information will be collected as part of the Security Risk Assessment (SRA) process undertaken by Cyber Security, or separately by Ethics & Compliance.

    Privacy Impact Assessment: If the Threshold Privacy Assessment indicates that the proposed processing is likely to result in a high risk to the privacy rights of data subjects, Ethics & Compliance will conduct a Privacy Impact Assessment. The Privacy Impact Assessment will identify steps that must be taken to mitigate the risk and to ensure that Rio Tinto complies with its obligations under this Standard and applicable data privacy laws.

    Data privacy principle 10

    We don't spam

    We must limit our use of personal data to send marketing communications. All marketing communications (however distributed) must:

    • clearly identify the relevant Group business or Group company as the sender, and how it can be contacted;
    • be sent with the consent of the recipient/data subject, unless Ethics & Compliance has advised that consent is not required in the relevant country where the proposed recipients are located; and
    • contain an unsubscribe or opt out facility. Opt outs must be acted upon and records amended accordingly.

  • Glossary

    Consent

    Consent of a data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

    Criminal record information

    Personal data relating to criminal convictions and offences.

    Data breach

    A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

    Data Privacy Incident

    A data breach or a known or suspected breach of any of the other Data privacy principles in this Data Privacy Standard.

    Data Privacy Lead

    A member of Ethics & Compliance who is the first point of contact for data privacy questions from a region, as listed on the data privacy page on Element (the Rio Tinto intranet). If you are outside Rio Tinto and cannot access Element, email aske&c@riotinto.com if you wish to contact the Data Privacy Lead for your region.

    Data privacy principles

    The principles in the Data Privacy Standard that Rio Tinto Group companies and staff must apply when processing personal data.

    Data subject

    The individual to whom personal data relates.

    Disclosure

    The act by which personal data is made accessible to others.

    Group business

    This includes all companies, product groups, business units, global functions, and corporate offices in the Rio Tinto Group.

    Legitimate business purpose

    A purpose that is directed at Rio Tinto to achieve its business objectives and that complies with all relevant laws and regulations, and with Rio Tinto’s policies and standards.

    Marketing communications

    Communications and publications that have a purpose of marketing or promoting Rio Tinto or its products, but do not include communications from Rio Tinto to its employees that relate to the administration of the employment relationship.

    Personal data

    All information relating to any identifiable individual.

    Privacy Impact Assessment

    An assessment of the impact of proposed processing operations on the rights and freedoms of data subjects and the protection of personal data.

    Privacy Statement

    A notice needs to be provided to data subjects when we collect their personal data.

    Processing

    All actions taken in relation to personal data including collecting, using, disclosing, recording, organising, storing, transferring, amending, deleting, destroying, retrieving, accessing, hosting or otherwise handling.

    Rio Tinto Data Transfer Deed

    The deed executed between Rio Tinto Limited and Rio Tinto plc on 1 July 2009 (as amended from time to time), and to which Rio Tinto Group companies are bound under executed Deeds of Accession.

    Rio Tinto Group

    All the businesses that are wholly or majority owned or managed by Rio Tinto plc or Rio Tinto Limited (whether directly or indirectly).

    Sensitive information

    Personal data (including information or an opinion) about an individual’s racial or ethnic origin, political opinions and memberships, religious or philosophical beliefs or associations, trade union membership, criminal record information, genetic data, biometric data (processed for the purpose of uniquely identifying a natural person), health or the health services they have received or details of sexual life.

  • Appendices

    Appendix 1

    Overview of personal data collections and processing

    Rio Tinto collects and processes the following categories of personal data for a range of business purposes, including:

    • Managing people data: Personal data about employees, prospective employees and contractors (HR Personal Data) is collected for human resources (HR) purposes, such as administering and managing employment contracts and contracts of engagement, for other legitimate business reasons relating to employment and to meet legal, regulatory and compliance obligations. The personal data that is processed includes identity and contact information, data about employment history, training and qualifications, performance information and information needed to pay salaries and other benefits and to manage the employment or engagement process or for the purposes of recruitment.
    • Managing business relationships with individuals within customers, suppliers and other external parties such as public sector agencies and joint venture partners. Personal data about individuals within external organisations is collected for business purposes such as supplying goods to corporate customers or acquiring services from corporate suppliers, entering into and fulfilling contracts, for communications and external relations purposes. This is often limited to 'business contact' information about contact people within companies and agencies, and information about interactions with Rio Tinto.
    • Managing shareholder relationships: Personal data from shareholders (Shareholder Personal Data) is collected for purposes related to their shareholding in Rio Tinto, including for the purposes of issuing or transacting in shares, paying dividends, regulatory reporting and shareholder communications. Shareholder Personal Data may include a shareholder's name, address, shareholding details, tax file number, and bank account details. Shareholder Personal Data is collected by Rio Tinto and on our behalf by the external manager of our share register. From time to time this data may be provided to other external service providers for the purposes of paying distributions or mailing shareholder communications, or to the extent permitted by legislation to authorised securities brokers, persons inspecting the register, bidders for Rio Tinto's securities, or certain regulatory bodies including the Australian Taxation Office.
    • Safety, security and legal obligations: Personal data is collected from visitors to our sites (staff and non-staff) for safety and security purposes (HSES Personal Data). This can include information to verify identity and collection of images by closed circuit television (CCTV). Rio Tinto also collects personal data in the course of complying with its legal obligations (for example, to meet obligations under anti-money laundering legislation and whistleblowing legislation). In addition, Rio Tinto collects aggregated data from the open-source internet that might contain user names and other personal data published by users of public pages, to alert or signal potential security risks and threats.
    • Managing community relationships: Personal data is collected from members of communities where Rio Tinto conducts mining and other operations, for the purposes of engaging and interacting with those communities (Communities Personal Data). This will include names, contact details and information about the interactions of individual community members with Rio Tinto, where needed to respond to correspondence and to manage community relationships.

    Rio Tinto collects personal data directly from data subjects wherever possible.

    Rio Tinto does not sell and does not propose to sell personal data.

    Unless described above (ie in relation to Shareholder Personal Data) or unless required by law or for the purposes of legal proceedings, disclosures of personal data are generally limited to other members of the Rio Tinto Group (eg Rio Tinto shared services companies) or to external service providers that help Rio Tinto to conduct its business. Sometimes this involves transfers across national borders - more information about international disclosures is contained in Appendix 2.

    Personal data may be stored in Rio Tinto's local systems or databases, in the Rio Tinto Business Solution (currently a SAP system that is hosted in Australia), or on infrastructure owned and operated by external service providers engaged by Rio Tinto. Where external service providers are engaged to assist Rio Tinto to process personal data, Rio Tinto requires such service providers to comply with contractual privacy and data protection obligations and applicable data privacy laws. Disclosures within the Rio Tinto Group are governed by Rio Tinto’s internal Data Transfer Deed. More information about personal data processing can also be located in Privacy Statements that Rio Tinto makes available when personal data is collected (see references in Appendix 3 below).

    [Privacy Act 1988: Australian Privacy Principle 1.4(a) and (b) and (c); also California Consumer Privacy Act]

    Appendix 2

    International disclosures

    a. Overview of international disclosures

    An overview of Rio Tinto's global operations and the countries where it operates is on the Rio Tinto website.

    This explains where each of the Rio Tinto product groups operates, on a "country by country" basis.

    If you are employed or engaged by or have business dealings with a particular Rio Tinto product group, your personal data may be exchanged between Rio Tinto Group companies that are in the countries listed for that product group.

    Also, your personal data may be processed by Rio Tinto "shared services" companies and external service providers that provide services to the Rio Tinto Group in one or more of the following countries:

    • Rio Tinto companies performing "shared services" are located in the following countries: Australia, Canada, India, Mongolia, Singapore, South Africa, the United Kingdom and the United States.
    • External service providers that assist the Rio Tinto Group to perform HR and other shared service functions, and which process personal data on behalf of one or more companies in the Rio Tinto Group are located in: Australia, Canada, the European Union, India, Malaysia, the Philippines, Poland, the United Kingdom and the United States.

    Shareholder personal data is processed in Australia and the United Kingdom by Rio Tinto and by the external manager of our share register.

    [Privacy Act 1988: Australian Privacy Principle 1.4(f) and (g)]

    b. Assessment prior to international disclosures

    Prior to transferring personal data outside the country where it was collected, the relevant Group business will carry out the following assessment (with assistance from Ethics & Compliance):

    • We will verify whether the data subjects were informed that their personal data will be transferred.
    • We will verify whether the transfer is covered by onward transfer provisions or other provisions in Rio Tinto’s inter-company agreement (the Rio Tinto Data Transfer Deed), or whether additional clauses are required.
    • International transfers of sensitive information require review from Ethics & Compliance.
    • For disclosures outside the Rio Tinto Group, we will ensure that the third party can ensure the security and privacy of the personal data. We may ask the third party to provide a description of the technical and organisational measures in place to protect the personal data. Rio Tinto’s Cyber Security team will assess whether these measures are sufficient (eg as part of its Security Risk Assessment).

    Appendix 3

    Data subject rights and complaints

    a. General data subject rights

    Please complete a if you wish to exercise your rights under data privacy principle 8, including to:

    • seek access to personal data that Rio Tinto holds about you
    • seek correction or erasure of inaccurate, incomplete or out of date personal data
    • be provided with information about how your personal data is processed
    • subject to whether the right of ‘data portability’ is a right under the data privacy laws of your country, receive a copy of your personal data in a structured, commonly used and machine-readable format and request that we transmit personal data you provide to us to a third party
    • subject to whether the right to request cessation of processing is a right under the data privacy laws of your country, request processing of your personal data to cease on a temporary or permanent basis (eg if the accuracy of the personal data is contested or the processing is unlawful in your opinion, or if the processing is likely to cause damage or distress, or if the processing is for direct marketing purposes)
    • seek information about or a copy of the mechanisms we use to transfer your personal data
    • request processing of your personal data to cease (eg if the processing is likely to cause damage or distress, or if the processing is for direct marketing purposes)
    • withdraw consent you have previously provided in relation to Rio Tinto's processing of your personal data.

    Your request will be forwarded to the Data Privacy Lead for your region, who can also provide you with the data subject request form. Rio Tinto will aim to respond within a reasonable period after the request is made or from when information required to process the request is received (or otherwise as required under local laws).

    As explained in data privacy principle 8, there are legal exceptions to the exercise of the rights listed above, and Rio Tinto will review each request on a case by case basis, by reference to the laws of the country where the data subject is located.

    b. Questions or complaints

    If you have any questions or wish to make a complaint about the processing of your personal data or a complaint about Rio Tinto’s response to your request to exercise your data subject rights, you can do so by emailing aske&c@riotinto.com or by reporting this as a Data Privacy Incident to Ethics & Compliance.

    Data Privacy Leads are responsible for investigating and responding to complaints, unless the complaint is about the Data Privacy Lead's processing of personal data. In such circumstances, another person will be appointed to investigate and respond to the relevant complaint.

    If you are not satisfied with how your complaint has been addressed, complaints may be made to, where available, the relevant data privacy regulator or data protection authority in your country. This will be explained in the response to your complaint or you can find out more information about how to complain to the data privacy regulator or data protection authority in your region from your Data Privacy Lead or by contacting aske&c@riotinto.com.

    [Privacy Act 1988: Australian Privacy Principle 1.4(d) and (e)]

    Certain functions of the ‘person in charge of the protection of personal information’ under Quebec data privacy law are delegated to the Data Privacy Lead for Canada (who is supported by the Ethics & Compliance data privacy team in undertaking such functions). If you are in Quebec, you can contact them by emailing aske&c@riotinto.com.

    [Act Respecting the Protection of Personal Information in the Private Sector, Quebec, section 3.1]

    c. Privacy Statements

    A privacy statement will be provided at the time personal data is collected from you (in accordance with data privacy principle 1). In addition, copies of privacy statements can be accessed as follows:

    • if you are an employee, the Employee Privacy Statement can be accessed by contacting askhr@riotinto.com or by calling the number for your region listed or from the data privacy page on Element. This document is also available from the data privacy page on Element.
    • if you are a Category 1, 2 or 3 Contractor, the Contractor Privacy Statement can be accessed below:

Online privacy and cookies

This section of the Privacy Policy describes how Rio Tinto processes personal data and other data collected or obtained through this website.

Rio Tinto plc, a company registered in England, controls the personal data collected or obtained through this website.

  • How we process personal data provided or obtained through this website

    Online privacy statement

    With the exception of the use of cookies (explained below), Rio Tinto generally does not seek to collect personal data through this website.

    However, if you choose to provide personal data to Rio Tinto through this website (for example, by sending us an email), we will process that personal data to answer your query and, if relevant, to manage our business relationship with you or your company. We won't process that personal data for other purposes except where required to meet our legal obligations or otherwise as authorised by law and notified to you.

    Part 1 of this Privacy Policy contains the Rio Tinto Data Privacy Standard, which provides an overview of Rio Tinto’s approach to personal data processing. There is additional information in the appendices to the Data Privacy Standard, including information about disclosures, trans-border data transfers, the exercise of data subject rights and how to make complaints or obtain further information relating to Rio Tinto’s processing of your personal data.

    If you choose to subscribe to our media releases or other communications, you can unsubscribe at any time by following the instructions in the email or by contacting us at digital.comms@riotinto.com.

  • Information about our use of cookies

    Cookies privacy statement

    With your consent, our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

    A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

    As some data privacy laws regulate IP addresses and other information collected through the use of cookies as personal data, Rio Tinto’s processing of such personal data needs to comply with its Data Privacy Standard (see Part 1 of this Privacy Policy), and also applicable data privacy laws.

  • Performance and analytics cookies

    We use the following performance and analytical cookies.

    They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

    You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

    You can find more information about the individual cookies we use and the purposes for which we use them in the tables below:

    First party cookies

    Strictly necessary cookies

    Azure

    ARRAffinity

    This cookie is essential for our site and enables us to load balance site traffic between web servers. The server connection is maintained and tracked for the duration of the session.

    Duration: At end of session

    ASP.NET_SessionId

    General purpose platform session cookie, used by sites written with Microsoft .NET based technologies. Usually used to maintain an anonymised user session by the server.

    Performance and analytical cookies

    Sitecore Analytics

    SC_ANALYTICS_GLOBAL_COOKIE

    These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Visit Google support Safeguarding your data to learn more.

    Duration: 10 years

    Functional cookies

    Site Selector

    Sxa_site and Site_name#lang

    These cookies are used to record which location and language the user has selected.

    Duration: At end of session

    Cookie policy

    privacy-notification

    This cookie is used for our cookie notification banner. The cookie banner will appear the first time you accept or reject the cookie policy as laid out in the privacy notification. This is how we collect and confirm your consent to the use of cookies. If you choose to clear your cookies prior to each visit to our website, you will see the cookie banner upon entry to the website on each visit.

    Duration: 1 year

    Third party cookies

    Performance and analytical cookies

    ShareThis

    pxcelBcnLcy

    Part of the ShareThis sharing button functionality. Unique identifiers given to each computer to allow traffic analysis to ShareThis.

    Duration: At end of session

    pxcelPage_c010_B

    Part of the ShareThis sharing button functionality. Unique identifiers given to each computer to allow traffic analysis to ShareThis.

    Duration: 2 months

    __stid

    ShareThis cookies to help share site content on social media sites.

    Duration: Session

    Functional cookies

    YouTube

    Pref

    This cookie stores your preferences and other information, in particular preferred language, how many search results you wish to be shown on your page, and whether or not you wish to have Google’s SafeSearch filter turned on.

    Duration: 8 months

    VISITOR_INFO1_LIVE

    A cookie that YouTube sets that measures your bandwidth to determine whether you get the new player interface or the old.

    Duration: 179 days

    GPS

    Registers a unique ID on mobile devices to enable tracking based on geographical GPS location.

    Duration: 1 day

    YSC

    This cookie is set by the YouTube video service on pages with embedded YouTube video.

    Duration: Session

    Instagram

    ig_did

    This is an Instagram cookie that enables social media functionality within the site.

    Duration: 10 years

    mid

    This is an Instagram cookie that enables social media functionality within the site.

    Duration: Session

    rur

    This is an Instagram cookie that enables social media functionality within the site.

    Duration: Session

     
    shbid

    This is an Instagram cookie that enables social media functionality within the site.

    Duration: 5 days
     
    shbts

    This is an Instagram cookie that enables social media functionality within the site.

    Duration: 5 days
     
    urlgen

    This is an Instagram cookie that enables social media functionality within the site.

    Duration: Session
     
    csrftoken

    This is an Instagram cookie that enables social media functionality within the site.

    Duration: 1 year

    Investis

    Investis cookies are set by Investis controlled domains and are included for completeness.

    ASP.NET_SessionId

    General purpose platform session cookie, used by sites written with Microsoft .NET based technologies. Usually used to maintain an anonymised user session by the server.

    Duration: Session

    AWSELB

    This cookie is essential and enables Investis to load balance site traffic between web servers.

    Duration: Session
     
    AWSALB

    This cookie is essential and enables Investis to load balance site traffic between web servers.

    Duration: 1 week
     
    _ga

    These cookies are used to collect information about how visitors use the Investis site.

    Duration: 2 years

  • Online security and transfer of personal data via the website

    This website relies on a range of security measures to protect data that is exchanged through this site, including firewalls, intrusion detection systems and virus scanning tools. These are intended to prevent unauthorised persons and viruses from accessing the information that you provide to us, and we to you. However, please be aware that there are inherent risks in transmitting information by use of the Internet and other online or electronic transmission systems and that we cannot guarantee the security of information transmitted in this way.

    As with personal data that we collect in other ways, personal data that is collected online through this website may be shared between companies in the Rio Tinto Group and with external service providers who assist us with our services and functions. Personal data that is collected through this website may be stored and processed in any country where Rio Tinto or its external service providers operate. More information about the countries where Rio Tinto operates, and the location of key external service providers (data processors) is in Appendix 2 of the Rio Tinto Data Privacy Standard (in Part 1 of this Privacy Policy and available under the Privacy Policy link).

    This website may contain links to third party websites (i.e. websites that are not provided by Rio Tinto). Before providing personal data to third party websites, we recommend you examine the privacy policies on those websites. Rio Tinto is not responsible for the privacy practices on third party websites. Please note that such third parties may also use cookies, over which we have no control, so we recommend you check their cookies policy also.