Table of Contents
Management of Personal Information
MANAGEMENT OF PERSONAL INFORMATION
Personal information we collect, hold or access
(2) Working Directly with client systems
How we collect personal information
How personal information may be accessed or corrected
Complaint handling for Privacy and Security Policy Breaches
Virtual Private Network connections
Anti-Virus, Anti- Spam Anti-Malware
Centrally managed Workstations
Centrally Controlled Password Management Systems
Blocked Port Thin Client Terminals
What are the security considerations?
Stage 3 :: Verbal Communication Skills
Stage 4: Recorded Technical Test
EXECUTIVE OVERVIEW
This document provides detail on the Data Privacy and Security Policies (DDPSP) for DyCom Group and its various entities.
Security and integrity of our clients business information and data is of paramount importance to us and we ensure this in the following ways that are outlined in this document :
Management of Personal Information
- Type of personal information collected and held
- How personal information is collected and held
- The purposes for which personal information is collected, held, used and disclosed
- How an individual may access their personal information and seek its correction
- How an individual may complain if the entity breaches the DDSPP
- How personal information is handled by overseas recipients
Data Security
- Data security policies
- Data security systems
Staff Selection Process
- Staff Selection processes
- Staff management processes
Corporate Responsibility
DyCom Group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff, however responsibility for our work and our team lies with the Australian entities.
DPP Updates
DyCom review and update our Privacy Policy annually to ensure that it reflects our information handling practices.
DPP Levels
DyCom uses a ‘layered’ approach to presenting the organisations Data Security and Privacy policies.
Level 1 : DyCom Group Summary
DyCom Group consists of a number of individual entities and the ‘Summary Data Security and Privacy Policy’ applies to all entities. The summary is a condensed version of all components of the main document.
Level 2 : DyCom Group Detail
The detailed Policy provides more detail on all components of the full policy.
Level 3 : DyCom individual entity detail
Individual DyCom entities have different requirements for data security and privacy. Privacy and Data Security documents are tailored for each entity as required by the types of client and information being handled.
MANAGEMENT OF PERSONAL INFORMATION
The first step in defining the management of personal information is to identify the type of personal information that DyCom Group and its entities have access to. DyCom Group is primary a combination of individual entities providing technical and back office services to their clients.
Personal information we collect, hold or access
DyCom has two key requirements to either store or access our clients personal information:
(1) Service Provision
We provide a wide range of support and professional services to our clients. In providing these services we deal directly with staff of our clients and as such we collect basic personal information such as Company Name, Contact Name, Contact Phone numbers and Email addresses. This information is stored on our service management system located in Australia.
Access to this database is controller through a centrally managed password system (MYKI) and staff do not have access to passwords. If and when staff leave the organisation, access to this database is automatically terminated.
(2) Working Directly with client systems
There are times where our staff require access to client information systems and applications such client accounting systems, service management systems and websites that that we are developing.
DyCom Group and all its members do not keep any personal information from these systems on any of its servers or local desktop or notebook computers. All client personal information is maintained on servers or databases under client control.
In situations where clients personal information is particularly sensitive we have the following systems that can be applied as required :
Thin Client Terminals
Staff working on these sensitive systems are provided with thin client terminals that have no accessible ports or hard drives.
Managed and Monitored Client access
Staff terminals in these situations are centrally managed and monitored using Kaseya which is our Remote Management Tool for InfoTech Service management.
Managed Password Systems
We use and recommend the use of Myki which is a centrally controlled password Management system. Passwords are fully encrypted and staff require a special authentication process to
More information is available from the Myki Website : https://myki.com/app/
Two Factor Authentication
We also use and recommend the Myki two factor authentication systems where appropriate.
How we collect personal information.
The only personal information we collect is information related to clients requiring our professional services. This information includes the following :
- Company Name
- Company Address
- Company Phone Number
- Contact Name
- Contact Position
- Contact Phone Number
- Contact Email Address
This information is stored in our Service Management portal Connectwise. Connectwise is located on servers in Australian data centres and had encrypted access with a centrally managed password control system.
The information is collected in one of two ways :
(1) Email
Our clients can send through the information via email and our team will enter it directly into our Service Management Portal.
(2) Phone
Our client can provide the required information to our office staff over the phone. This will be entered directly into our service management portal.
How personal information may be accessed or corrected
Information held by DyCom is kept within our Service Management portal. This information is not available publicly and can be accessed by clients who have been giving remote access if required. A client may be able to correct personal information through the portal or may request one of our team to correct either by submitting a service request by email or direct phone call to our team.
Complaint handling for Privacy and Security Policy Breaches
In the event that one of our Privacy Policies is breached, complaints may be made by phone or preferably by sending an Urgent Service request to service@dycom.com.au
Complaints like this will go into an urgent service queue and be dealt with immediately.
Overseas Disclosures
DyCom employs staff from Australia and the Philippines. We have three key ways of ensuring data security, privacy and integrity when our offshore team are involved :
Systems
Two of the DyCom entities (DyCom Technology and DyCom SmartStaff) specialise in IT systems and Cyber Security solutions and we have up to date, monitored and comprehensive IT Security solutions that are applied across the group.
Policies
DyCom have strict policies when it comes to dealing with client information and we ensure that our staff read, understand and sign off on these policies.
Organisational culture
DyCom has been in business since 1989 and we pride ourselves on the culture of integrity that we have developed of the past 30 years. All our staff, local and offshore are trained and nurtured in this culture and we run regular workshops to ensure that this is ingrained into our team members.
Staff Selection and Management
Our team in the Philippines are all full-time staff and are carefully and diligently selected as described in our ‘Staff Selection Process’ later in this document.
Types of Information our staff access
Contact Details
Contact details required for service management. These details are only required for staff of clients who will be submitting service requests and the nature of the personal information is quite basic and relatively low risk. It includes the information outlined below :
- Company Name
- Company Address
- Company Phone Number
- Contact Name
- Contact Position
- Contact Phone Number
- Contact Email Address
Application Specific Information
There are times that our staff need to access client information systems that include personal information. This might be for the purpose or providing services using client applications such as accounting systems or for doing development work on client systems such as websites or IT infrastructure. In these cases, our clients control the access to the personal information.
Location of Information
There is no personal data or information that is kept offshore. All information is located on servers in Australia.
Offshore Staff Policies
Our offshore team are subject to the same non-disclosure policies that our local staff are and we ensure that access to personal information is controlled through our IT systems data security systems and policies.
DATA SECURITY
One of the DyCom Group of companies is our network integration business DyCom Technology which was founded in 1989 and has significant expertise in data security. All data is located on our client’s network or in one of our secure data centres and access to and from data is fully encrypted.
Taking reasonable steps
The ‘reasonable steps’ that an DYCOM PRIVACY POLICY entity should take to ensure the security of personal information will depend upon circumstances that include:
- the nature of the DYCOM PRIVACY POLICY entity. Relevant considerations include an DYCOM PRIVACY POLICY entity’s size, resources, the complexity of its operations and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or that outsources its personal information handling to a third party may be different to those it would take if it did not operate in this manner.
- the amount and sensitivity of the personal information held. Generally, as the amount and/or sensitivity of personal information that is held increases, so too will the steps that it is reasonable to take to protect it. ‘Sensitive information’ (defined in s 6(1)) is discussed in more detail in Chapter B (Key concepts)
- the possible adverse consequences for an individual in the case of a breach. More rigorous steps may be required as the risk of adversity increases
- the practical implications of implementing the security measure, including time and cost involved. However an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances
- whether a security measure is in itself privacy invasive. For example, while an DYCOM PRIVACY POLICY entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (DYCOM PRIVACY POLICY 12)).
Reasonable steps should include, where relevant, taking steps and implementing strategies in relation to the following:
- governance, culture and training
- internal practices, procedures and systems
- ICT security
- access security
- third party providers (including cloud computing)
- data breaches
- physical security
- destruction and de-identification
- standards
As part of taking reasonable steps to protect personal information (also known as ‘personal information security’) an DYCOM PRIVACY POLICY entity should consider how it will protect personal information at all stages of the information lifecycle. This should be considered before an entity collects personal information (including whether it should collect the information at all), as well as when the information is collected and held, and when it is destroyed or de‑identified when no longer needed.
For further discussion of personal information security and the information lifecycle and examples of steps that may be reasonable for an DYCOM PRIVACY POLICY entity to take under DYCOM PRIVACY POLICY 11.1, see the OAIC’s Guide to Securing Personal Information.[3]
Managed Anti-Virus
All staff have centrally managed Anti-Virus, Anti-Spam and Anti-Malware setup on their local desktop or notebook computers.
The Cyber Security systems we use on our servers, desktops, workstations and Notebook computers is Webroot.
Managed Passwords
DyCom has adopted a centrally controlled password management system. This ensures integrity of passwords. We encourage our clients use this system on sensitive data.
Myki : Myki.com
Multi-Factor Authentication
For sensitive data and websites DyCom has a Multi-Factor Authentication system that we recommend and use.
Virtual Private Network connections
We use and recommend VPN connections where possible and appropriate.
Centrally managed Workstations
Kaseya
Blocked Port Thin Client Terminals
Other Security considerations?
The six terms listed in DYCOM PRIVACY POLICY 11, ‘misuse’, ‘interference’, ‘loss’, ‘unauthorised access’, ‘unauthorised modification’ and ‘unauthorised disclosure’, are not defined in the Privacy Act. The following analysis and examples of each term draws on the ordinary meaning of the terms. As the analysis indicates, there is overlap in the meaning of the terms.
Misuse
Personal information is misused if it is used by an DYCOM PRIVACY POLICY entity for a purpose that is not permitted by the Privacy Act. DYCOM PRIVACY POLICY 6 sets out when an entity is permitted to use personal information (see Chapter 6). DYCOM PRIVACY POLICYs 7 and 9 also contain requirements relating to an organisation’s use of personal information for the purpose of direct marketing, and use of government related identifiers, respectively (see Chapters 7 and 9).
Interference
‘Interference’ with personal information occurs where there is an attack on personal information that an DYCOM PRIVACY POLICY entity holds that interferes with the personal information but does not necessarily modify its content. ‘Interference’ includes an attack on a computer system that, for example, leads to exposure of personal information.
Loss
‘Loss’ of personal information covers the accidental or inadvertent loss of personal information held by an DYCOM PRIVACY POLICY entity. This includes when an DYCOM PRIVACY POLICY entity:
- physically loses personal information, (including hard copy documents, computer equipment or portable storage devices containing personal information), for example, by leaving it in a public place, or
- electronically loses personal information, such as failing to keep adequate backups of personal information in the event of a systems failure
Loss may also occur as a result of theft following unauthorised access or modification of personal information or as a result of natural disasters such as floods, fires or power outages.
However, it does not apply to intentional destruction or de-identification of that personal information that is done in accordance with the DYCOM PRIVACY POLICYs.
Unauthorised Access
‘Unauthorised access’ of personal information occurs when personal information that an DYCOM PRIVACY POLICY entity holds is accessed by someone who is not permitted to do so. This includes unauthorised access by an employee of the entity[4] or independent contractor, as well as unauthorised access by an external third party (such as by hacking).
Unauthorised modification
‘Unauthorised modification’ of personal information occurs when personal information that an DYCOM PRIVACY POLICY entity holds is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the Privacy Act. For example, unauthorised modification may occur as a result of unauthorised alteration by an employee, or following unauthorised access to databases by an external third party.
Unauthorised disclosure
‘Unauthorised disclosure’ occurs when an DYCOM PRIVACY POLICY entity:
- makes personal information accessible or visible to others outside the entity, and
- releases that information from its effective control in a way that is not permitted by the Privacy Act[5]
STAFF SELECTION PROCESS
Selecting the right staff is one of the most important things we do. Our remuneration and benefits are amongst the best in the industry and consequently we attract the best people. We still have a very rigorous selection process and for every successful posting there are between 200 and 300 applicants that are screened. All staff have NBI (National Bureau of Investigation) Security clearance and have excellent references and backgrounds.
Stage 1 : Initial Selection
This first stage starts with a basic review of the resumes and we select only those who pass our requirements for the position. This includes things like Years of experience, type of experience and references. This process generally narrows the list of applicants down to around 30.
NBI and Barangay Clearance
All Philippines staff are required to get National Bureau of Investigation clearance. This is a rigorous integrity and criminal checkup. It is very difficult and time consuming to get this clearance and staff protect it. In addition to this we also require Barangay clearance which is local council behavioural assessment.
Stage 2 : Recorded Interview
This recorded interview takes around than 10 minutes and has 5 to 10 personality questions and 5 to 10 technical questions. This process generally narrows the selection down to between 10 and 12 prospects.
Stage 3 :: Verbal Communication Skills
For candidates who need to deal directly with clients, verbal communication skills are important. For those who pass the recorded interview, the recording is passed onto a senior staff member for assessment. This generally narrows the field down to around 5.
Stage 4: Recorded Technical Test
The next part of the process could be a recorded technical test. This should really be designed to be less than 10 minutes.
Stage 5: Final Interviews
First Interview
These final candidates can be interviewed by a team leader which will hopefully get the list down to 3 or less
Final Interview
Final interviews are conducted by senior staff members and generally the selected candidate stands out.
CORPORATE RESPONSIBILITY
DyCom Group and its entities employ staff in Australia and the Philippines. Our DyCom Group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff, however responsibility for our work and our team lies with the Australian entities.