top of page
Search

Data Security Policy

  • Mar 31
  • 8 min read

1. PURPOSE

The purpose of this Policy is to safeguard data and information belonging to DCIRS Community Care (“DCIRS” or “company”) within a secure environment. This Policy informs DCIRS’s staff and other persons authorised to use its facilities of the principles governing the retention, use and disposal of information.

This Policy will commence from 31 July 2025. It replaces all other data security policies of DCIRS (whether written or not).


2. APPLICATION

This Policy applies to employees of DCIRS who use computer systems or work with documents or information concerning customers, suppliers or other partners for whom the organisation has collected information in the normal course of its business.


All non-employees, such as agents and contractors (including temporary contractors) of DCIRS are expected to abide by this Policy for the duration of their work period or contract. All relevant individuals are collectively referred to in this Policy as “worker”. The Policy includes work that is undertaken away from the usual workplace.


3. DEFINITIONS

Personal information is a category of information including personal identifiers, such as, but not limited to, name, address, DOB, tax file number, email address, etc.

Sensitive information is a form of personal information that contains details about a person’s beliefs, origin, political opinions, etc. and includes health information and opinions about them.


4. GOALS AND OBJECTIVES FOLLOWED

This Data Security Policy outlines behaviours expected of workers when dealing with company data. All forms of data are considered company assets. Shared information is a powerful tool and loss or misuse can be costly, if not illegal. This Policy intends to protect the information assets of the organisation.


The main objective of this Policy is to establish and maintain adequate and effective data security measures for users to ensure that the confidentiality, integrity, and operational availability of information is not compromised.


Personal and sensitive information must therefore be protected from unauthorised disclosure, modification, access, use, destruction or delay in service.

Each user has a duty and responsibility to comply with the information protection policies and procedures described in this document.

The goals and objectives of this Policy are:

  • Protect information from unauthorised access or misuse;

  • Ensure the confidentiality of information;

  • Maintain the integrity of information;

  • Maintain the availability of information systems and information for service delivery;

  • Comply with regulatory, contractual, and legal requirements;

  • Maintain physical, logical, environmental, and communications security; and

  • Dispose of information in an appropriate and secure manner when it is no longer in use.


5. AUTHORISED USERS OF INFORMATION SYSTEMS

All users of the company’s information systems must be formally authorised via the company's ICT provider. Authorised users will be in possession of a unique user identity. Users must not disclose their password to any other person.


Authorised users shall take all necessary precautions to protect DCIRS’s information in their personal possession. Confidential, personal or private information must not be copied or transported without consideration of:

  • The permission of the owner of the information;

  • The risks associated with loss of information or it falling into the wrong hands; and

  • How the information will be secured during transport to its destination.


6. ACCEPTABLE USE OF INFORMATION SYSTEMS

User accounts on the company's computer systems must only be used for the company's business and must not be used for personal activities during working hours. During breaks or mealtimes, limited personal use is permitted, but use must be legal, honest, and reasonable while considering the rights and sensitivities of others.

  • Users shall not engage in any activity that could reasonably be considered to:

    • harass other users;

    • degrade the performance of the system;

    • divert system resources to their own use; or

    • gain access to company systems for which they do not have authorisation.

  • Users will not attach devices on their PCs or workstations, unless they have received specific authorisation from the workers' manager and/or the company ICT provider.

  • Users shall not download unauthorised software from the Internet onto their PCs or workstations.

Unauthorised use of the system may constitute a violation of the law or theft and may be punishable by law. Therefore, unauthorised use of the company's computer system and facilities may constitute grounds for civil or criminal prosecution.


7. ACCESS CONTROL

The fundamental purpose of this Policy is the control of access to critical information resources that require protection against unauthorised disclosure or modification.

Access control refers to the permissions assigned to persons or systems that are authorised to access specific resources. Access controls exist at different layers of the system, including the network. Access control is implemented by username and password and may include multi-factor authentication. At the application and database level, other access control methods can be implemented to further restrict

access.

Finally, application and database systems can limit the number of applications and databases available to users based on their job requirements. This provides a further layer of data security.


8. NORMAL USER IDENTIFICATION

All users must have a unique username and password to access the systems. The user's password must remain confidential, and under no circumstances should it be shared with management and supervisory staff and/or anyone else. All users must comply with the following rules regarding password creation and maintenance:

  • Passwords must not be found in any English or foreign dictionary. This means, do not use a common noun, verb, adverb or adjective. These can be easily cracked using standard "hacking tools"

  • Passwords should not be displayed on or near computer terminals or be easily accessible in the terminal area;

  • Password must be changed every 2 months;

  • User accounts will be frozen after 3 days of failed logon attempts; and

  • Logon IDs and passwords will be suspended after 90 days without use.

In addition:

  • Users are not allowed to access password files on any network infrastructure component. Password files on servers will be monitored for access by unauthorised users. Copying, reading, deleting, or modifying a password file on any computer system is prohibited.

  • Users will not be allowed to logon as a System Administrator. Users who need this level of access to production systems must request a Special Access account from Bold ICT.

  • Worker Logon IDs and passwords will be deactivated as soon as possible if the worker is terminated, suspended, placed on leave, or otherwise leaves the employment of the company.

  • Workers who forget their password must call the IT provider to get a new password assigned to their account. The worker must identify themselves by first and last name and employee ID to the ICT provider.

  • Workers will be responsible for all transactions occurring during logon sessions initiated by use of the worker's password and ID. Workers will not logon to a computer and then allow another individual to use the computer or otherwise share access to the computer systems.


9. CONFIDENTIALITY OF INFORMATION

Any information or documents that are not to be made public are designated as "Confidential Information". This information is invaluable to the company and therefore, all workers who, in the course of their duties, handle this type of information are expected to behave as follows:

  • All confidential documents should be stored in locked receptacles or rooms accessible only to those who are authorised to access the relevant information.

  • All electronic confidential information should be protected via firewalls, encryption, and passwords.

  • Workers should clear their desks of any confidential information before going home at the end of the day.

  • Workers should refrain from leaving confidential information visible on their computer monitors when they leave their workstations.

  • All confidential information, whether contained on written documents or electronically, should be marked as ‘confidential’.

  • All confidential information should be disposed of in accordance with DCIRS procedures.

  • Workers should refrain from discussing confidential information in public places.

  • Workers should avoid using e-mail to transmit certain sensitive or controversial information, remembering that emails can be forwarded or intercepted. Consider uploading to ShiftCare or providing a hard copy to the authorised person.

  • Limit the acquisition of confidential and personal client information (e.g. bank accounts, or driver's licence numbers) unless it is integral to business and employment transactions, and restrict access on a ‘need-to-know’ basis.

  • Before disposing of an old computer, use software programs to wipe out the data contained on the computer or have the hard drive destroyed.


10. SECURITY OF INFORMATION

Information stored on computer systems must be regularly backed up so that it can be restored if or when necessary.

All care and responsibility must be taken in the destruction of sensitive information. Electronic information relating to customers and administrative / commercial information must be disposed of in a secure manner. Sensitive or confidential paper documents must be shredded or otherwise destroyed as defined from time- to-time by your management.


DCIRS will ensure the confidentiality of personal information collected in the course of its duties, ensuring only relevant information is collected. The collection, use and disclosure of personal and sensitive information will be managed pursuant to the Privacy Act 1988 (Act), and other applicable regulations in force, from time to time. Health information is a form of sensitive information and will be collected and used

on a ‘need to know’ basis.


Participants and employees have the right to request access to certain personal information held about them. DCIRS will facilitate these requests according to regulations in force at the time of the request. Not all forms of personal information are accessible (for example, confidential management notes).


11. USER RESPONSIBILITIES

Any data security system relies on system users to follow the procedures necessary for upholding data security. Users are required to report any weaknesses in the company computer security, and any incidents of misuse or violation of this Policy promptly to the Managing Director.

Workers are therefore expected to:

  • Comply with data security procedures and policies;

  • Protect their user ID and passwords;

  • Inform the ICT provider of any data security questions, issues, problems or concerns;

  • Assist the ICT provider in solving data security problems;

  • Ensure that all IT systems supporting tasks are backed up in a manner that mitigates both the risk of loss and the costs of recovery;

  • Be aware of the vulnerabilities of remote access, including use of public networks, and their obligation to report intrusions, misuse or abuse to the ICT provider; and

  • Be aware of their obligations if they store, secure, transmit and dispose of vital information concerning the activities or operations of the company, customers, partners or strategic information on the company's products and services.


12. MONITORING OF THE COMPUTER SYSTEM

The company has the right and capability to monitor electronic information created and/or communicated by persons using company computer systems and networks, including e-mail messages and usage of the Internet. DCIRS reserves the right to continually monitor its computer systems and networks.


Users of the systems should be aware that the company may monitor their usage, including, but not limited to, patterns of usage of the Internet (e.g. sites accessed, on-line length, time of day access), and workers'; electronic files and messages to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.


13. SYSTEM ADMINISTRATOR

System administrators, network administrators and data security administrators will have access to the host systems, routers, hubs and firewalls necessary to perform their tasks.

All system administrator passwords will be deleted immediately after a worker who has access to these passwords has been terminated, dismissed or otherwise left the company's employment. A senior management representative will authorise Bold ICT in accordance with DCIRS’s cessation of employment protocols.


14. MANAGER’S DUTY

Supervisors and Managers will immediately contact the company ICT provider directly to report a change in worker status that requires terminating or modifying worker logon access privileges.


15. DISCIPLINARY ACTION

Workers must comply with the terms and conditions contained in this Policy. Those who cause data or security breaches may face disciplinary action. The type and severity of the disciplinary action will depend upon the circumstances of the case and the seriousness of the breach. In serious cases, this may include termination of employment.


Contractors or agents of DCIRS who are found to have breached this Policy may have their contracts with DCIRS terminated or not renewed.


16. CONTACT INFORMATION

Bold ICT: (03) 5410 8999 or help@bold-ict.com.au


17. ASSOCIATED DOCUMENTS

  • Cyber Security Policy

  • Risk Management Policy

  • Code of Conduct Policy

  • Employer Property Policy


18. VERSION AND REVIEW INFORMATION

DCIRS reserves the right to amend and vary this policy from time to time.

Version 1.0: 12 June 2023

Version 1.2: 31 July 2025 | Review date: 31 July 2028

Version 1.3: 18 March 2026 | Review date: 31 July 2028

 
 
 

Comments

Commenting on this post isn't available anymore. Contact the site owner for more info.

TERMS & CONDITIONS

bottom of page