Version 1. Last update Sept 2014
Security of Personal Information Policy
Table of Contents
Table of Contents (p. 2)
1. Purpose (p. 3)
2. Scope (p. 3)
3. Responsibilities (p. 3)
4. Definitions (p. 4)
5. Overview (p. 5)
6. Physical, IT, Communications and Third Party Data Security (p. 6)
7. Destroying or de-identifying personal information (p. 9)
8. Personnel Security and Training (p. 10)
9. Regular Monitoring and Review (p. 10)
Appendix 1 – Work Place Self Assessment - Security of Personal Information (p. 11)
Policy Version Control (p. 12)
1. Purpose
This Security of Personal Information Policy (‘Policy’) outlines the requirements and processes essential for all WDH
Pacific businesses to ensure that the security of the personal information they hold is compliant with applicable laws,
including the Privacy Act 1988 (Cth).
This Policy aims to provide guidelines on required steps for WDH Pacific businesses to take in order to prevent
the misuse, loss or inappropriate accessing, modification or disclosure of personal information held.
This Policy should be read in conjunction with the following related policies:
Privacy Policy
Privacy Notice and Consent Requirements Policy
DGS IT Security Policy
Third Party Contract Policy
Employee Manual
2. Scope
This Policy applies to WDH Pacific group businesses (‘Group’) operating under Sonic Innovations Pty Ltd
(includes Sonic Innovations, Hearing Life, Adelaide Digital Hearing Solutions), Oticon Australia Pty Ltd (includes
Oticon Australia, Oticon Medical, AudioClinic, Western Hearing Services), Interacoustics Pty Ltd (includes
Interacoustics, Diatec, Sanibel) and Bernafon Australia Pty Ltd (includes Bernafon Australia, FrontRow).
This policy outlines the Group guidelines to ensure that personal information is safe and secure from misuse,
interference, loss, unauthorised access, modification and disclosure during its lifecycle.
3. Responsibilities
The management positions responsible for implementation and monitoring compliance of this policy include:
Group General Managers and Regional Managers, Group Marketing Managers, and the Privacy Officer.
Any queries in relation to this Policy should be referred to the Privacy Officer.
4. Definitions
Personal information
∙ Is any information or an opinion about an identified individual, or an individual who is reasonably
identifiable.
Personal information - Sensitive
∙ Is a subset of personal information that includes information that is of a particularly sensitive
nature such as racial or ethnic origin, religious beliefs, health, and criminal records.
∙ In the context of a hearing health care business, sensitive information most often relates to
health, lifestyle and audiological information.
∙ Health information includes information or an opinion about an individual’s:
- physical or mental health or a disability
- express wishes about their future provision of health services
- health services provided, or to be provided
- other personal information collected to provide, or in providing, a health service
- healthcare identifiers
Records
∙ Means any records, files, information, data, accounts, diaries, claim forms, appointment
schedules, documents etc. that are created or maintained and that contain personal information
5. Overview
5.1. Key Points
There are a variety of ways in which personal information may be misused, lost or inappropriately accessed,
modified or disclosed. Examples include:
∙ unauthorised access or misuse of records by a staff member
∙ failure to store records containing personal information appropriately or dispose of them
securely
∙ loss or theft of hard copy documents, computer equipment or portable storage devices
containing personal information
∙ mistaken release of records to someone other than the intended recipient
∙ hacking or other illegal access of databases by someone outside the entity.
The consequences of any personnel found to be acting in breach of this Policy may include disciplinary action,
up to and including dismissal.
5.2. Steps to ensure security of personal information
The Group is committed to undertaking steps to ensure security of personal information; these include the
management of the following areas:
∙ Physical, IT, Communications and Third Party Data security
∙ Destroying or de-identifying personal information
∙ Personnel security and training
∙ Regular monitoring and review
6. Physical, IT, Communications and Third Party Data Security
6.1. Physical Security
The Group is committed to ensuring the physical security of personal information by undertaking practices to
ensure that personal information is secure and not inappropriately accessed or disclosed.
The minimal requirements to be implemented and maintained by the business units include:
∙ Work space security
- Work stations or screens not easily read or accessed by third parties. Ways this may be
achieved include:
∙ screen position or work station is positioned so that computer screen cannot be
easily read by others, or
∙ privacy screen installed
- Use of screen lock whenever desk is left unattended or when working on sensitive
information and a third party visits the desk.
∙ Secure storage
- Where possible, locking away any records that contain personal information at the end
of each day in pedestals, filing cabinets, or offices as appropriate
- Clinic/office external doors are locked at the end of each day and when clinic /office is
unattended.
- Records containing personal information are not left where they can be easily read or
accessed by a third party
- Documents containing personal information are not left in an unsecure place
- Movement of physical files is adequately recorded
∙ Disposal
- Records are securely disposed of as per Section 7 of Policy. Under no circumstances is
personal information to be placed in general waste disposal.
To implement this section each employee is required to undertake a Workplace Self-Assessment – refer to
Appendix 1
6.2. IT Security
The Group is committed to IT security practices that ensure protection of computer hardware and the data
that the hardware holds from unauthorised use, access, theft or damage.
The minimal requirements include the following:
∙ Policies and Procedures:
- IT security measures are in place and aim to protect hardware and electronic data from
unauthorised use, access, theft or damage.
- These measures are regularly monitored for operation and effectiveness, and are
responsive to changing threats and vulnerabilities that may impact personal information
security
- IT security measures and protection of personal information are considered as part of the
decision to use, purchase, build or upgrade ICT systems.
- If conducting online services or engaging in electronic commerce (e.g. online retail), IT
security measures must ensure that the online environment is safe for individuals to
make payments, provide banking details and personal information.
- IT security measures are in place to ensure an appropriate level of access for employees.
6.3. Communications Security
The Group is committed to ensuring appropriate measures are in place to protect the communications security of
personal information, so that it is not improperly accessed or disclosed when it is transmitted. For example,
personal information may be disclosed if it is left on a fax machine or printer or if it is discussed over the
telephone in an open office.
The minimal requirements to be implemented and maintained by the business units include:
∙ Identification
- Records containing personal information are only disclosed to the individual
- Checking identity of individual before disclosing any personal information over the
phone. Recommendations include asking three identification questions (e.g. DOB,
Address, Client number, etc)
∙ Consent
- Records containing personal information are only disclosed to third parties with consent
(includes faxing, mailing, emailing, verbally discussing information). Refer Privacy Notice
and Consent Policy.
∙ Disclosure
- Not discussing personal information anywhere that it may be overheard by a third party
- Removal of all documents from fax machines and printers immediately after use
∙ Data Transfer
- Appropriate security measures are undertaken to protect personal information when:
∙ passed internally within the organisation and externally to a third party
organisation. This includes sharing the data by email internally within the WDH
organisation, such as transfer of data between Business Intelligence and
Marketing, or People and Culture to Payroll.
∙ sharing data externally to and from third party organisations, such as transfer of
data between Business Intelligence and Data wash company, or external mail
house and Internal Call Centre.
- These security measures include the following, listed from minimal level security to
higher level security.
∙ Password security – with password sent separately
∙ Encryption of data/file
∙ Secure Portal
6.4. Third Party Data Security
The Group is responsible for ensuring that personal information we use, store or disclose is subject to the Privacy
Act, and that we maintain the security of that personal information even when that information is received
from or disclosed to third parties; this applies whether or not the third party is subject to the Privacy Act.
The minimal requirements of engaging third parties to handle personal information are provided in the Third
Party Contract Policy. In addition any sharing of personal information between us and the Third Party is
required to be communicated as per clause 6.3 of this Policy.
7. Destroying or de-identifying personal information
The Group is committed to ensuring that reasonable steps are undertaken to destroy, or ensure the
de-identification of, any personal information no longer needed. This includes when it is no longer needed for either
the primary purpose of collection or for a secondary purpose (for which consent has been obtained).
Consideration will also be given to the required length of time certain sensitive information must be retained.
The minimal requirements to be implemented and maintained by the business units include:
∙ Retaining Personal Information:
- Medical/health related records kept for a minimum period of 7 years from the date of
last service.
- Potential employee records kept 12 months from the date of last contact
∙ Destroying and Archiving Records:
- Records containing personal information must be destroyed securely.
- Examples by which this can be achieved include the use of:
∙ personal shredders,
∙ engagement of a third party, secure document disposal service,
∙ onsite security bins
- When engaging a third party to handle, archive and destroy information, ensure
compliance with Third Party Contract Policy.
∙ Electronic Personal Information
- Personal information held in electronic format will be irretrievably destroyed,
de-identified or put ‘beyond use’.
8. Personnel Security and Training
Human error can cause data breaches and undermine security practices. The Group is committed to ensuring
all personnel understand the importance of good information handling and security practices so as to avoid
practices that would breach The Group’s privacy obligations.
The minimal requirements to be implemented by the business units include:
∙ Training
- Initial training provided to all existing and new personnel, including short term and
temporary personnel.
- Refresher training provided to all personnel on an annual basis
∙ Work Place Self Assessment:
- All personnel complete a workplace self assessment on an annual basis
- Refer to Appendix 1
∙ Change Management
- All personnel are informed of changes to policy and procedures as they occur
∙ Exit Procedures
- Personnel exit procedures ensure physical and network access is cancelled and personal
information returned.
9. Regular Monitoring and Review
The Group will regularly monitor and review the operations and effectiveness of its information security
measures, and implement changes as a result of the monitoring and review.
Appendix 1 – Work Place Self Assessment - Security of Personal Information
My computer screen can be easily read by third parties  YES / NO
Screen lock is used whenever I leave my desk or when working on sensitive information and I have a visitor at my desk  YES / NO
Records containing personal information are:
∙ not left where they can be easily read or accessed by a third party  YES / NO
∙ never thrown in the general rubbish disposal (unless shredded)  YES / NO
∙ locked away (e.g. pedestal, cabinet, office, clinic as appropriate) at the end of every day  YES / NO
∙ not left in an unsecure place  YES / NO
Personal information is discussed only in areas where it cannot be overheard by a third party  YES / NO
Hard copy records containing personal information are securely destroyed  YES / NO
Documents are removed from fax machines and printers promptly after use  YES / NO
Medical/health related records are kept for a minimum period of 7 years from the date of last service  YES / NO
The identity of individuals is checked before disclosing any personal information over the phone  YES / NO
Personal information is only disclosed to a third party if consent has been obtained  YES / NO
Employee Name _____________________________ Signature________________________ Date __________
Policy Version Control
Version | Conducted by | Approval | Version date | Changes | Date Introduced
1 | Kylie Luiten-Hand, Business Improvement | Janet Muir, Director Retail | July 2014 | Initial Policy | September 2014