
Security of Personal Information Policy (source: mel0207lsprod.blob.core.windows.net/uploads/dgslearning..., 2015-09-01)

1

Version 1. Last update Sept 2014

Security of Personal Information Policy


Table of Contents

Table of Contents (page 2)
1. Purpose (page 3)
2. Scope (page 3)
3. Responsibilities (page 3)
4. Definitions (page 4)
5. Overview (page 5)
6. Physical, IT, Communications and Third Party Data Security (page 6)
7. Destroying or de-identifying personal information (page 9)
8. Personnel Security and Training (page 10)
9. Regular Monitoring and Review (page 10)
Appendix 1 – Work Place Self Assessment - Security of Personal Information (page 11)
Policy Version Control (page 12)


1. Purpose

This Security of Personal Information Policy (‘Policy’) outlines the requirements and processes essential for all WDH Pacific businesses to ensure that the security of the personal information they hold is compliant with applicable laws, including the Privacy Act 1988 (Cth).

This Policy aims to provide guidelines on the steps WDH Pacific businesses are required to take in order to prevent the misuse, loss or inappropriate accessing, modification or disclosure of personal information held.

This Policy should be read in conjunction with the following related policies:

∙ Privacy Policy
∙ Privacy Notice and Consent Requirements Policy
∙ DGS IT Security Policy
∙ Third Party Contract Policy
∙ Employee Manual

2. Scope

This Policy applies to WDH Pacific group businesses (‘Group’) operating under Sonic Innovations Pty Ltd (includes Sonic Innovations, Hearing Life, Adelaide Digital Hearing Solutions), Oticon Australia Pty Ltd (includes Oticon Australia, Oticon Medical, AudioClinic, Western Hearing Services), Interacoustics Pty Ltd (includes Interacoustics, Diatec, Sanibel) and Bernafon Australia Pty Ltd (includes Bernafon Australia, FrontRow).

This Policy outlines the Group guidelines to ensure that personal information is safe and secure from misuse, interference, loss, unauthorised access, modification and disclosure throughout its lifecycle.

3. Responsibilities

The management positions responsible for implementing this Policy and monitoring compliance with it include: Group General Managers and Regional Managers, Group Marketing Managers, and the Privacy Officer.

Any queries in relation to this Policy should be referred to the Privacy Officer.


4. Definitions

Personal information

∙ Is any information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Personal information - Sensitive

∙ Is a subset of personal information that includes information of a particularly sensitive nature, such as racial or ethnic origin, religious beliefs, health, and criminal records.
∙ In the context of a hearing health care business, sensitive information most often relates to health, lifestyle and audiological information.
∙ Health information includes information or an opinion about an individual’s:
  - physical or mental health or a disability
  - express wishes about their future provision of health services
  - health services provided, or to be provided
  - other personal information collected to provide, or in providing, a health service
  - healthcare identifiers

Records

∙ Means any records, files, information, data, accounts, diaries, claim forms, appointment schedules, documents etc. that are created or maintained and that contain personal information.


5. Overview

5.1. Key Points

There are a variety of ways in which personal information may be misused, lost or inappropriately accessed, modified or disclosed. Examples include:

∙ unauthorised access to or misuse of records by a staff member
∙ failure to store records containing personal information appropriately or to dispose of them securely
∙ loss or theft of hard copy documents, computer equipment or portable storage devices containing personal information
∙ mistaken release of records to someone other than the intended recipient
∙ hacking or other illegal access of databases by someone outside the entity.

Personnel found to be acting in breach of this Policy may face disciplinary action, up to and including dismissal.

5.2. Steps to ensure security of personal information

The Group is committed to undertaking steps to ensure the security of personal information; these include the management of the following areas:

∙ Physical, IT, Communications and Third Party Data security
∙ Destroying or de-identifying personal information
∙ Personnel security and training
∙ Regular monitoring and review


6. Physical, IT, Communications and Third Party Data Security

6.1. Physical Security

The Group is committed to ensuring the physical security of personal information by undertaking practices to ensure that personal information is secure and not inappropriately accessed or disclosed.

The minimal requirements to be implemented and maintained by the business units include:

∙ Work space security
  - Work stations or screens are not easily read or accessed by third parties. Ways this may be achieved include:
    ∙ the screen or work station is positioned so that the computer screen cannot be easily read by others, or
    ∙ a privacy screen is installed
  - Use of screen lock whenever the desk is left unattended, or when working on sensitive information and a third party visits the desk.
∙ Secure storage
  - Where possible, locking away any records that contain personal information at the end of each day in pedestals, filing cabinets, or offices as appropriate
  - Clinic/office external doors are locked at the end of each day and when the clinic/office is unattended.
  - Records containing personal information are not left where they can be easily read or accessed by a third party
  - Documents containing personal information are not left in an insecure place
  - Movement of physical files is adequately recorded
∙ Disposal
  - Records are securely disposed of as per Section 7 of this Policy. Under no circumstances is personal information to be placed in general waste disposal.

To implement this section each employee is required to undertake a Workplace Self-Assessment (refer to Appendix 1).

6.2. IT Security

The Group is committed to IT security practices that ensure protection of computer hardware, and the data that the hardware holds, from unauthorised use, access, theft or damage.


The minimal requirements include the following:

∙ Policies and Procedures:
  - IT security measures are in place and aim to protect hardware and electronic data from unauthorised use, access, theft or damage.
  - These measures are regularly monitored for operation and effectiveness, and are responsive to changing threats and vulnerabilities that may impact the security of personal information.
  - IT security measures and protection of personal information are considered as part of the decision to use, purchase, build or upgrade ICT systems.
  - If conducting online services or engaging in electronic commerce (e.g. online retail), IT security measures must ensure that the online environment is safe for individuals to make payments and to provide banking details and personal information.
  - IT security measures are in place to ensure an appropriate level of access for employees.

6.3. Communications Security

The Group is committed to ensuring appropriate measures are in place to protect personal information from being improperly accessed or disclosed when it is transmitted. For example, personal information may be disclosed if it is left on a fax machine or printer, or if it is discussed over the telephone in an open office.

The minimal requirements to be implemented and maintained by the business units include:

∙ Identification
  - Records containing personal information are only disclosed to the individual concerned
  - The identity of the individual is checked before any personal information is disclosed over the phone. Recommendations include asking three identification questions (e.g. DOB, address, client number, etc.)
∙ Consent
  - Records containing personal information are only disclosed to third parties with consent (this includes faxing, mailing, emailing and verbally discussing information). Refer to the Privacy Notice and Consent Policy.
∙ Disclosure
  - Not discussing personal information anywhere that it may be overheard by a third party
  - Removal of all documents from fax machines and printers immediately after use


∙ Data Transfer
  - Appropriate security measures are undertaken to protect personal information when it is:
    ∙ passed internally within the organisation and externally to a third party organisation. This includes sharing data by email internally within the WDH organisation, such as the transfer of data between Business Intelligence and Marketing, or between People and Culture and Payroll.
    ∙ shared externally to and from third party organisations, such as the transfer of data between Business Intelligence and a data wash company, or between an external mail house and the Internal Call Centre.
  - These security measures include the following, listed from the minimal level of security to the higher level:
    ∙ Password security, with the password sent separately
    ∙ Encryption of the data/file
    ∙ Secure Portal

6.4. Third Party Data Security

The Group is responsible for ensuring that personal information we use, store or disclose is subject to the Privacy Act, and that we maintain the security of that personal information even when it is received from or disclosed to third parties; this applies whether or not the third party is subject to the Privacy Act.

The minimal requirements for engaging third parties to handle personal information are provided in the Third Party Contract Policy. In addition, any sharing of personal information between us and a third party is required to be communicated as per clause 6.3 of this Policy.


7. Destroying or de-identifying personal information

The Group is committed to ensuring that reasonable steps are undertaken to destroy, or ensure the de-identification of, any personal information no longer needed. This includes when it is no longer needed for either the primary purpose of collection or for a secondary purpose (for which consent has been obtained). Consideration will also be given to the required length of time certain sensitive information must be retained.

The minimal requirements to be implemented and maintained by the business units include:

∙ Retaining Personal Information:
  - Medical/health related records are kept for a minimum period of 7 years from the date of last service.
  - Potential employee records are kept for 12 months from the date of last contact
∙ Destroying and Archiving Records:
  - Records containing personal information must be destroyed securely.
  - Examples by which this can be achieved include the use of:
    ∙ personal shredders,
    ∙ engagement of a third party secure document disposal service,
    ∙ onsite security bins
  - When engaging a third party to handle, archive and destroy information, ensure compliance with the Third Party Contract Policy.
∙ Electronic Personal Information
  - Personal information held in electronic format will be irretrievably destroyed, de-identified or put ‘beyond use’.


8. Personnel Security and Training

Human error can cause data breaches and undermine security practices. The Group is committed to ensuring all personnel understand the importance of good information handling and security practices, so as to avoid practices that would breach the Group’s privacy obligations.

The minimal requirements to be implemented by the business units include:

∙ Training
  - Initial training is provided to all existing and new personnel, including short-term and temporary personnel.
  - Refresher training is provided to all personnel on an annual basis
∙ Work Place Self Assessment:
  - All personnel complete a workplace self assessment on an annual basis
  - Refer to Appendix 1
∙ Change Management
  - All personnel are informed of changes to policy and procedures as they occur
∙ Exit Procedures
  - Personnel exit procedures ensure that physical and network access is cancelled and personal information is returned.

9. Regular Monitoring and Review

The Group will regularly monitor and review the operation and effectiveness of its information security measures, and implement changes as a result of the monitoring and review.


Appendix 1 – Work Place Self Assessment - Security of Personal Information

My computer screen can be easily read by third parties: YES / NO
Screen lock is used whenever I leave my desk, or when working on sensitive information and I have a visitor at my desk: YES / NO
Records containing personal information are:
∙ not left where they can be easily read or accessed by a third party: YES / NO
∙ never thrown in the general rubbish disposal (unless shredded): YES / NO
∙ locked away (e.g. pedestal, cabinet, office, clinic as appropriate) at the end of every day: YES / NO
∙ not left in an insecure place: YES / NO
Personal information is discussed only in areas where it cannot be overheard by a third party: YES / NO
Hard copy records containing personal information are securely destroyed: YES / NO
Documents are removed from fax machines and printers promptly after use: YES / NO
Medical/health related records are kept for a minimum period of 7 years from the date of last service: YES / NO
The identity of individuals is checked before disclosing any personal information over the phone: YES / NO
Personal information is only disclosed to a third party if consent has been obtained: YES / NO

Employee Name _____________________________ Signature ________________________ Date __________


Policy Version Control

Version: 1
Conducted by: Kylie Luiten-Hand, Business Improvement
Approval: Janet Muir, Director Retail
Version date: July 2014
Changes: Initial Policy
Date Introduced: September 2014