CSR respects the privacy of individuals. This policy outlines the way we manage personal information that we collect or that is provided to us. It applies to CSR Limited and Australian companies in the CSR group (CSR, we, us).

CSR is bound by the Australian Privacy Principles (Principles) applicable to private sector organisations under the Privacy Act 1988 (Cth). In summary, the Principles apply to 'personal information' as information (or an opinion) relating to an individual that can be used to identify that individual. CSR sometimes handles personal information relying on exemptions under the Privacy Act, for example in relation to employee records. Where there is any inconsistency, we may rely on those exemptions despite what this privacy policy says.

WHY DOES CSR COLLECT PERSONAL INFORMATION?

CSR is major manufacturer and supplier of building materials. We are also a large sugar producer and have a substantial investment in aluminium smelting. We collect personal information about people we deal with and others, where relevant, in order to operate our businesses. As a publicly listed company, we also maintain records of our shareholders. Collecting personal information is also necessary in some circumstances to meet our legal obligations.

WHAT KIND OF PERSONAL INFORMATION DOES CSR COLLECT AND HOW DOES CSR COLLECT IT?

CSR generally collects and holds personal information about:

• our employees;
• contractors who provide services to CSR;
• our customers;
• our suppliers;
• our shareholders;
• job applicants; and
• other people who may come into contact with CSR or one of CSR's businesses.

 The type of information we collect varies, depending on the purpose, and may include (but is not limited to) your name, address, contact details, organisation, identification, positions held, payment details, credit information and marketing information.

This information may be obtained by way of forms filled out, information provided in person or by telephone, email or online by the individuals themselves, or from a public source or third party (for example, referees, other CSR companies, your organisation, your representatives and information service providers). For additional information about our handling of personal information we collect through our web sites, please see the Security and Privacy Statement on the relevant site.

HOW DO WE USE PERSONAL INFORMATION AND TO WHOM MAY WE DISCLOSE IT?

In general, CSR collects, uses and discloses personal information to:

• provide products or services that have been requested;
• maintain relationships with suppliers, contractors and other parties;
• communicate;
• verify your identity and personal information;
• maintain and update our records;
• provide ongoing information and marketing communications about CSR products and services to CSR customers and prospective customers by telephone, email, online and other means as permitted by law, unless they opt out; and
• comply with legal obligations and protect our lawful interests.

We may not be able to do these things without your personal information. For example, we may not be able to respond to your enquiries or provide you a product or service you have requested.

We may also collect, use and disclose your personal information in connection with:

• reasonable information requests from courts, government bodies and lawyers
• suspected fraud, misconduct and unlawful activity, and
• any sale or potential sale of any part of our business.

CSR uses the personal information it collects about CSR shareholders to fulfil its legal obligations and to keep its shareholders informed of CSR’s progress. We are required or authorised to collect shareholder personal information under certain laws including the Taxation Administration Act and the Corporations Act, and we are also required to make limited shareholder details available to members of the public on request. CSR's share registry is managed by Computershare Investor Services Pty Limited (Computershare). Computershare’s privacy policies are available via www.computershare.com.au.

Depending on the product or service concerned, personal information may be disclosed to:

• other divisions or organisations within CSR;
• service providers and specialist advisers to CSR who have been contracted to provide CSR with
administrative, archival, auditing, accounting, • customer contact, legal, business consulting, banking, payment, debt collection, delivery, data processing, data analysis, information broking, research, investigation, website, technology or other services;
• insurers, credit providers, courts, tribunals and regulatory authorities as agreed or authorised by law;
• credit reporting or reference agencies or insurance investigators; or
• a person authorised by an individual.

Some of the third parties described above may be located in New Zealand and other countries. While those third parties will often be subject to confidentiality or privacy obligations, they may not always follow the particular requirements of the Privacy Act.

Generally, we require that organisations outside CSR who handle or obtain personal information as service providers to CSR acknowledge the confidentiality of this information and undertake to comply with the Principles.