Table of Contents

EXECUTIVE OVERVIEW

       Management of Personal Information

       Data Security

       Staff Selection Process

       Corporate Responsibility

       DPP Updates

       DPP Levels

MANAGEMENT OF PERSONAL INFORMATION

       Personal information we collect, hold or access

          (1)       Service Provision

          (2)       Working Directly with client systems

       How we collect personal information

          (1)       Email

          (2)       Phone

       How personal information may be accessed or corrected

       Complaint handling for Privacy and Security Policy Breaches

       Overseas Disclosures

          Contact Details

          Application Specific

          Location of Information

DATA SECURITY

       Taking reasonable steps

       Managed Anti-Virus

       Managed Passwords

       Multi-Factor Authentication

       Virtual Private Network connections

       Data Security Systems

          Anti-Virus, Anti-Spam, Anti-Malware

          Centrally managed Workstations

          Centrally Controlled Password Management Systems

          Encrypted VPNs

          Blocked Port Thin Client Terminals

       What are the security considerations?

       Misuse

       Interference

       Loss

       Unauthorised Access

       Unauthorised modification

       Unauthorised disclosure

STAFF SELECTION PROCESS

       Stage 1 : Initial Selection

          NBI and Barangay Clearance

       Stage 2 : Recorded Interview

       Stage 3 : Verbal Communication Skills

       Stage 4 : Recorded Technical Test

       Stage 5: Final Interviews

          First Interview

          Final Interview

CORPORATE RESPONSIBILITY

EXECUTIVE OVERVIEW

This document provides detail on the Data Privacy and Security Policies (DDPSP) for DyCom Group and its various entities.

The security and integrity of our clients' business information and data are of paramount importance to us, and we ensure this in the following ways, which are outlined in this document:

Management of Personal Information

  • Type of personal information collected and held
  • How personal information is collected and held
  • The purposes for which personal information is collected, held, used and disclosed
  • How an individual may access their personal information and seek its correction
  • How an individual may complain if the entity breaches the DDPSP
  • How personal information is handled by overseas recipients

Data Security

  • Data security policies
  • Data security systems

Staff Selection Process

  • Staff Selection processes
  • Staff management processes

Corporate Responsibility

DyCom Group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff; however, responsibility for our work and our team lies with the Australian entities.

DPP Updates

DyCom reviews and updates our Privacy Policy annually to ensure that it reflects our information handling practices.

DPP Levels

DyCom uses a 'layered' approach to presenting the organisation's Data Security and Privacy policies.

Level 1 : DyCom Group Summary

DyCom Group consists of a number of individual entities and the ‘Summary Data Security and Privacy Policy’ applies to all entities.  The summary is a condensed version of all components of the main document.

Level 2 : DyCom Group Detail

The detailed Policy provides more detail on all components of the full policy.

Level 3 : DyCom individual entity detail

Individual DyCom entities have different requirements for data security and privacy.  Privacy and Data Security documents are tailored for each entity as required by the types of client and information being handled.


MANAGEMENT OF PERSONAL INFORMATION

The first step in defining the management of personal information is to identify the type of personal information that DyCom Group and its entities have access to. DyCom Group is primarily a combination of individual entities providing technical and back office services to their clients.

Personal information we collect, hold or access

DyCom has two key requirements to either store or access our clients' personal information:

(1)  Service Provision

We provide a wide range of support and professional services to our clients.  In providing these services we deal directly with staff of our clients and as such we collect basic personal information such as Company Name, Contact Name, Contact Phone numbers and Email addresses.  This information is stored on our service management system located in Australia.

Access to this database is controlled through a centrally managed password system (Myki) and staff do not have access to passwords. If and when staff leave the organisation, access to this database is automatically terminated.

(2)  Working Directly with client systems

There are times when our staff require access to client information systems and applications such as client accounting systems, service management systems and websites that we are developing.

DyCom Group and all its members do not keep any personal information from these systems on any of its servers or local desktop or notebook computers.  All client personal information is maintained on servers or databases under client control.

In situations where clients' personal information is particularly sensitive we have the following systems that can be applied as required:

Thin Client Terminals

Staff working on these sensitive systems are provided with thin client terminals that have no accessible ports or hard drives.

Managed and Monitored Client access

Staff terminals in these situations are centrally managed and monitored using Kaseya, which is our Remote Management Tool for InfoTech Service management.

Managed Password Systems

We use and recommend the use of Myki, which is a centrally controlled password management system. Passwords are fully encrypted and staff require a special authentication process to

More information is available from the Myki website: https://myki.com/app/

Two Factor Authentication

We also use and recommend the Myki two factor authentication system where appropriate.


How we collect personal information

The only personal information we collect is information related to clients requiring our professional services. This information includes the following:

  • Company Name
  • Company Address
  • Company Phone Number
  • Contact Name
  • Contact Position
  • Contact Phone Number
  • Contact Email Address

This information is stored in our Service Management portal, Connectwise. Connectwise is located on servers in Australian data centres and has encrypted access with a centrally managed password control system.

The information is collected in one of two ways:

(1) Email

Our clients can send through the information via email and our team will enter it directly into our Service Management Portal.

(2) Phone

Our clients can provide the required information to our office staff over the phone. This will be entered directly into our service management portal.

How personal information may be accessed or corrected

Information held by DyCom is kept within our Service Management portal. This information is not available publicly and can be accessed by clients who have been given remote access, if required. A client may be able to correct personal information through the portal, or may request one of our team to correct it, either by submitting a service request by email or by a direct phone call to our team.

Complaint handling for Privacy and Security Policy Breaches

In the event that one of our Privacy Policies is breached, complaints may be made by phone or, preferably, by sending an Urgent Service request to service@dycom.com.au.

Complaints like this will go into an urgent service queue and be dealt with immediately.


Overseas Disclosures

DyCom employs staff from Australia and the Philippines. We have three key ways of ensuring data security, privacy and integrity when our offshore team are involved:

Systems

Two of the DyCom entities (DyCom Technology and DyCom SmartStaff) specialise in IT systems and Cyber Security solutions and we have up to date, monitored and comprehensive IT Security solutions that are applied across the group.

Policies

DyCom has strict policies when it comes to dealing with client information, and we ensure that our staff read, understand and sign off on these policies.

Organisational culture

DyCom has been in business since 1989 and we pride ourselves on the culture of integrity that we have developed over the past 30 years. All our staff, local and offshore, are trained and nurtured in this culture, and we run regular workshops to ensure that this is ingrained into our team members.

Staff Selection and Management

Our team in the Philippines are all full-time staff and are carefully and diligently selected as described in our 'Staff Selection Process' later in this document.

Types of Information our staff access

Contact Details

These are the contact details required for service management. They are only required for staff of clients who will be submitting service requests, and the nature of the personal information is quite basic and relatively low risk. It includes the information outlined below:

  • Company Name
  • Company Address
  • Company Phone Number
  • Contact Name
  • Contact Position
  • Contact Phone Number
  • Contact Email Address

Application Specific Information

There are times when our staff need to access client information systems that include personal information. This might be for the purpose of providing services using client applications such as accounting systems, or for doing development work on client systems such as websites or IT infrastructure. In these cases, our clients control the access to the personal information.

Location of Information

No personal data or information is kept offshore. All information is located on servers in Australia.

Offshore Staff Policies

Our offshore team are subject to the same non-disclosure policies as our local staff, and we ensure that access to personal information is controlled through our IT data security systems and policies.

DATA SECURITY

One of the DyCom Group of companies is our network integration business, DyCom Technology, which was founded in 1989 and has significant expertise in data security. All data is located on our clients' networks or in one of our secure data centres, and access to and from data is fully encrypted.

Taking reasonable steps

The 'reasonable steps' that a DYCOM PRIVACY POLICY entity should take to ensure the security of personal information will depend upon circumstances that include:

  • the nature of the DYCOM PRIVACY POLICY entity. Relevant considerations include a DYCOM PRIVACY POLICY entity's size, resources, the complexity of its operations and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or that outsources its personal information handling to a third party, may be different to those it would take if it did not operate in this manner.
  • the amount and sensitivity of the personal information held. Generally, as the amount and/or sensitivity of personal information that is held increases, so too will the steps that it is reasonable to take to protect it. 'Sensitive information' (defined in s 6(1)) is discussed in more detail in Chapter B (Key concepts).
  • the possible adverse consequences for an individual in the case of a breach. More rigorous steps may be required as the risk of adversity increases.
  • the practical implications of implementing the security measure, including the time and cost involved. However, an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances.
  • whether a security measure is in itself privacy invasive. For example, while a DYCOM PRIVACY POLICY entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (DYCOM PRIVACY POLICY 12)).

Reasonable steps should include, where relevant, taking steps and implementing strategies in relation to the following:

  • governance, culture and training
  • internal practices, procedures and systems
  • ICT security
  • access security
  • third party providers (including cloud computing)
  • data breaches
  • physical security
  • destruction and de-identification
  • standards

As part of taking reasonable steps to protect personal information (also known as 'personal information security'), a DYCOM PRIVACY POLICY entity should consider how it will protect personal information at all stages of the information lifecycle. This should be considered before an entity collects personal information (including whether it should collect the information at all), as well as when the information is collected and held, and when it is destroyed or de-identified when no longer needed.

For further discussion of personal information security and the information lifecycle, and examples of steps that may be reasonable for a DYCOM PRIVACY POLICY entity to take under DYCOM PRIVACY POLICY 11.1, see the OAIC's Guide to Securing Personal Information.[3]

Managed Anti-Virus

All staff have centrally managed Anti-Virus, Anti-Spam and Anti-Malware set up on their local desktop or notebook computers.

The cyber security system we use on our servers, desktops, workstations and notebook computers is Webroot.

Managed Passwords

DyCom has adopted a centrally controlled password management system. This ensures the integrity of passwords. We encourage our clients to use this system for sensitive data.

Myki : Myki.com

Multi-Factor Authentication

For sensitive data and websites, DyCom has a Multi-Factor Authentication system that we recommend and use.

Virtual Private Network connections

We use and recommend VPN connections where possible and appropriate.

Centrally managed Workstations

Kaseya

Blocked Port Thin Client Terminals

What are the security considerations?

The six terms listed in DYCOM PRIVACY POLICY 11, 'misuse', 'interference', 'loss', 'unauthorised access', 'unauthorised modification' and 'unauthorised disclosure', are not defined in the Privacy Act. The following analysis and examples of each term draw on the ordinary meaning of the terms. As the analysis indicates, there is overlap in the meaning of the terms.

Misuse

Personal information is misused if it is used by a DYCOM PRIVACY POLICY entity for a purpose that is not permitted by the Privacy Act. DYCOM PRIVACY POLICY 6 sets out when an entity is permitted to use personal information (see Chapter 6). DYCOM PRIVACY POLICIES 7 and 9 also contain requirements relating to an organisation's use of personal information for the purpose of direct marketing, and use of government related identifiers, respectively (see Chapters 7 and 9).

Interference

'Interference' with personal information occurs where there is an attack on personal information that a DYCOM PRIVACY POLICY entity holds that interferes with the personal information but does not necessarily modify its content. 'Interference' includes an attack on a computer system that, for example, leads to exposure of personal information.

Loss

'Loss' of personal information covers the accidental or inadvertent loss of personal information held by a DYCOM PRIVACY POLICY entity. This includes when a DYCOM PRIVACY POLICY entity:

  • physically loses personal information (including hard copy documents, computer equipment or portable storage devices containing personal information), for example, by leaving it in a public place, or
  • electronically loses personal information, such as by failing to keep adequate backups of personal information in the event of a systems failure.

Loss may also occur as a result of theft following unauthorised access or modification of personal information or as a result of natural disasters such as floods, fires or power outages.

However, it does not apply to intentional destruction or de-identification of that personal information that is done in accordance with the DYCOM PRIVACY POLICIES.

Unauthorised Access

'Unauthorised access' to personal information occurs when personal information that a DYCOM PRIVACY POLICY entity holds is accessed by someone who is not permitted to do so. This includes unauthorised access by an employee of the entity[4] or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).

Unauthorised modification

'Unauthorised modification' of personal information occurs when personal information that a DYCOM PRIVACY POLICY entity holds is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the Privacy Act. For example, unauthorised modification may occur as a result of unauthorised alteration by an employee, or following unauthorised access to databases by an external third party.

Unauthorised disclosure

'Unauthorised disclosure' occurs when a DYCOM PRIVACY POLICY entity:

  • makes personal information accessible or visible to others outside the entity, and
  • releases that information from its effective control in a way that is not permitted by the Privacy Act.[5]

STAFF SELECTION PROCESS

Selecting the right staff is one of the most important things we do. Our remuneration and benefits are amongst the best in the industry, and consequently we attract the best people. We still have a very rigorous selection process, and for every successful posting there are between 200 and 300 applicants that are screened. All staff have NBI (National Bureau of Investigation) security clearance and have excellent references and backgrounds.

Stage 1 : Initial Selection

This first stage starts with a basic review of the resumes, and we select only those who pass our requirements for the position. This includes things like years of experience, type of experience and references. This process generally narrows the list of applicants down to around 30.

NBI and Barangay Clearance

All Philippines staff are required to get National Bureau of Investigation clearance. This is a rigorous integrity and criminal check. It is very difficult and time consuming to get this clearance, and staff protect it. In addition to this we also require Barangay clearance, which is a local council behavioural assessment.

Stage 2 : Recorded Interview

This recorded interview takes around 10 minutes and has 5 to 10 personality questions and 5 to 10 technical questions. This process generally narrows the selection down to between 10 and 12 prospects.

Stage 3 : Verbal Communication Skills

For candidates who need to deal directly with clients, verbal communication skills are important. For those who pass the recorded interview, the recording is passed on to a senior staff member for assessment. This generally narrows the field down to around 5.

Stage 4 : Recorded Technical Test

The next part of the process may be a recorded technical test. This should be designed to take less than 10 minutes.

Stage 5: Final Interviews

First Interview

These final candidates are interviewed by a team leader, which will hopefully narrow the list down to 3 or fewer.

Final Interview

Final interviews are conducted by senior staff members, and generally the selected candidate stands out.

CORPORATE RESPONSIBILITY

DyCom Group and its entities employ staff in Australia and the Philippines. DyCom Group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff; however, responsibility for our work and our team lies with the Australian entities.