Management of Personal Information
Personal information we collect, hold or access
(2) Working Directly with client systems
How we collect personal information
How personal information may be accessed or corrected
Complaint handling for Privacy and Security Policy Breaches
Virtual Private Network connections
Anti-Virus, Anti-Spam, Anti-Malware
Centrally managed Workstations
Centrally Controlled Password Management Systems
Blocked Port Thin Client Terminals
What are the security considerations?
Stage 3: Verbal Communication Skills
Stage 4: Recorded Technical Test
This document provides detail on the Data Privacy and Security Policies (DDPSP) for DyCom Group and its various entities.
The security and integrity of our clients' business information and data are of paramount importance to us, and we ensure this in the ways outlined in this document:
DyCom Group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff; however, responsibility for our work and our team lies with the Australian entities.
DyCom reviews and updates its Privacy Policy annually to ensure that it reflects our information handling practices.
DyCom uses a 'layered' approach to presenting the organisation's Data Security and Privacy policies.
DyCom Group consists of a number of individual entities and the ‘Summary Data Security and Privacy Policy’ applies to all entities. The summary is a condensed version of all components of the main document.
The detailed Policy provides more detail on all components of the full policy.
Individual DyCom entities have different requirements for data security and privacy. Privacy and Data Security documents are tailored for each entity as required by the types of client and information being handled.
The first step in defining the management of personal information is to identify the type of personal information that DyCom Group and its entities have access to. DyCom Group is primarily a combination of individual entities providing technical and back office services to their clients.
DyCom has two key requirements to either store or access our clients' personal information:
We provide a wide range of support and professional services to our clients. In providing these services we deal directly with staff of our clients and as such we collect basic personal information such as Company Name, Contact Name, Contact Phone numbers and Email addresses. This information is stored on our service management system located in Australia.
Access to this database is controlled through a centrally managed password system (MYKI) and staff do not have access to passwords. If and when staff leave the organisation, access to this database is automatically terminated.
There are times where our staff require access to client information systems and applications such as client accounting systems, service management systems and websites that we are developing.
DyCom Group and all its members do not keep any personal information from these systems on any of its servers or local desktop or notebook computers. All client personal information is maintained on servers or databases under client control.
In situations where clients' personal information is particularly sensitive we have the following systems that can be applied as required:
Staff working on these sensitive systems are provided with thin client terminals that have no accessible ports or hard drives.
Staff terminals in these situations are centrally managed and monitored using Kaseya, our remote management tool for IT service management.
We use and recommend the use of Myki which is a centrally controlled password Management system. Passwords are fully encrypted and staff require a special authentication process to
More information is available from the Myki Website : https://myki.com/app/
We also use and recommend the Myki two-factor authentication system where appropriate.
The only personal information we collect is information related to clients requiring our professional services. This information includes the following:
This information is stored in our Service Management portal Connectwise. Connectwise is located on servers in Australian data centres and has encrypted access with a centrally managed password control system.
The information is collected in one of two ways:
Our clients can send through the information via email and our team will enter it directly into our Service Management Portal.
Our client can provide the required information to our office staff over the phone. This will be entered directly into our service management portal.
Information held by DyCom is kept within our Service Management portal. This information is not available publicly and can be accessed by clients who have been given remote access if required. A client may be able to correct personal information through the portal, or may request that one of our team correct it, either by submitting a service request by email or by phoning our team directly.
In the event that one of our Privacy Policies is breached, complaints may be made by phone or, preferably, by sending an Urgent Service request to service@dycom.com.au.
Complaints like this will go into an urgent service queue and be dealt with immediately.
DyCom employs staff from Australia and the Philippines. We have three key ways of ensuring data security, privacy and integrity when our offshore team are involved:
Two of the DyCom entities (DyCom Technology and DyCom SmartStaff) specialise in IT systems and Cyber Security solutions, and we have up-to-date, monitored and comprehensive IT Security solutions that are applied across the group.
DyCom has strict policies when it comes to dealing with client information and we ensure that our staff read, understand and sign off on these policies.
DyCom has been in business since 1989 and we pride ourselves on the culture of integrity that we have developed over the past 30 years. All our staff, local and offshore, are trained and nurtured in this culture and we run regular workshops to ensure that this is ingrained into our team members.
Our team in the Philippines are all full-time staff and are carefully and diligently selected as described in our ‘Staff Selection Process’ later in this document.
Contact details required for service management. These details are only required for staff of clients who will be submitting service requests, and the nature of the personal information is quite basic and relatively low risk. It includes the information outlined below:
There are times that our staff need to access client information systems that include personal information. This might be for the purpose of providing services using client applications such as accounting systems, or for doing development work on client systems such as websites or IT infrastructure. In these cases, our clients control the access to the personal information.
There is no personal data or information that is kept offshore. All information is located on servers in Australia.
Our offshore team are subject to the same non-disclosure policies as our local staff, and we ensure that access to personal information is controlled through our IT data security systems and policies.
One of the DyCom Group of companies is our network integration business DyCom Technology which was founded in 1989 and has significant expertise in data security. All data is located on our client’s network or in one of our secure data centres and access to and from data is fully encrypted.
The 'reasonable steps' that a DyCom Privacy Policy entity should take to ensure the security of personal information will depend upon circumstances that include:
Reasonable steps should include, where relevant, taking steps and implementing strategies in relation to the following:
As part of taking reasonable steps to protect personal information (also known as 'personal information security') a DyCom Privacy Policy entity should consider how it will protect personal information at all stages of the information lifecycle. This should be considered before an entity collects personal information (including whether it should collect the information at all), as well as when the information is collected and held, and when it is destroyed or de-identified when no longer needed.
For further discussion of personal information security and the information lifecycle, and examples of steps that may be reasonable for a DyCom Privacy Policy entity to take under DyCom Privacy Policy 11.1, see the OAIC's Guide to Securing Personal Information.[3]
All staff have centrally managed Anti-Virus, Anti-Spam and Anti-Malware setup on their local desktop or notebook computers.
The cyber security system we use on our servers, desktops, workstations and notebook computers is Webroot.
DyCom has adopted a centrally controlled password management system. This ensures the integrity of passwords. We encourage our clients to use this system for sensitive data.
Myki: Myki.com
For sensitive data and websites DyCom has a Multi-Factor Authentication system that we recommend and use.
We use and recommend VPN connections where possible and appropriate.
Kaseya
The six terms listed in DyCom Privacy Policy 11, 'misuse', 'interference', 'loss', 'unauthorised access', 'unauthorised modification' and 'unauthorised disclosure', are not defined in the Privacy Act. The following analysis and examples of each term draw on the ordinary meaning of the terms. As the analysis indicates, there is overlap in the meaning of the terms.
Personal information is misused if it is used by a DyCom Privacy Policy entity for a purpose that is not permitted by the Privacy Act. DyCom Privacy Policy 6 sets out when an entity is permitted to use personal information (see Chapter 6). DyCom Privacy Policies 7 and 9 also contain requirements relating to an organisation's use of personal information for the purpose of direct marketing, and use of government related identifiers, respectively (see Chapters 7 and 9).
'Interference' with personal information occurs where there is an attack on personal information that a DyCom Privacy Policy entity holds that interferes with the personal information but does not necessarily modify its content. 'Interference' includes an attack on a computer system that, for example, leads to exposure of personal information.
'Loss' of personal information covers the accidental or inadvertent loss of personal information held by a DyCom Privacy Policy entity. This includes when a DyCom Privacy Policy entity:
Loss may also occur as a result of theft following unauthorised access or modification of personal information or as a result of natural disasters such as floods, fires or power outages.
However, it does not apply to intentional destruction or de-identification of that personal information that is done in accordance with the DyCom Privacy Policies.
'Unauthorised access' of personal information occurs when personal information that a DyCom Privacy Policy entity holds is accessed by someone who is not permitted to do so. This includes unauthorised access by an employee of the entity[4] or independent contractor, as well as unauthorised access by an external third party (such as by hacking).
'Unauthorised modification' of personal information occurs when personal information that a DyCom Privacy Policy entity holds is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the Privacy Act. For example, unauthorised modification may occur as a result of unauthorised alteration by an employee, or following unauthorised access to databases by an external third party.
'Unauthorised disclosure' occurs when a DyCom Privacy Policy entity:
Selecting the right staff is one of the most important things we do. Our remuneration and benefits are amongst the best in the industry and consequently we attract the best people. We still have a very rigorous selection process and for every successful posting there are between 200 and 300 applicants that are screened. All staff have NBI (National Bureau of Investigation) Security clearance and have excellent references and backgrounds.
This first stage starts with a basic review of the resumes and we select only those who pass our requirements for the position. This includes things like years of experience, type of experience and references. This process generally narrows the list of applicants down to around 30.
All Philippines staff are required to get National Bureau of Investigation clearance. This is a rigorous integrity and criminal check. It is very difficult and time consuming to get this clearance and staff protect it. In addition to this we also require Barangay clearance, which is a local council behavioural assessment.
This recorded interview takes around 10 minutes and has 5 to 10 personality questions and 5 to 10 technical questions. This process generally narrows the selection down to between 10 and 12 prospects.
For candidates who need to deal directly with clients, verbal communication skills are important. For those who pass the recorded interview, the recording is passed onto a senior staff member for assessment. This generally narrows the field down to around 5.
The next part of the process could be a recorded technical test. This should really be designed to be less than 10 minutes.
These final candidates can be interviewed by a team leader, who will hopefully get the list down to 3 or less.
Final interviews are conducted by senior staff members and generally the selected candidate stands out.
DyCom Group and its entities employ staff in Australia and the Philippines. The group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff; however, responsibility for our work and our team lies with the Australian entities.