Data Protection Policy
Purpose
The purpose of this document is to demonstrate the management team’s commitment to the protection of personal and sensitive information.
Policy Overview
Colton Computer Technologies, located at 156 Moulder St Orange NSW, operates primarily in the business of Managed IT Services.
We are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information and information-related assets relevant to meet the purpose and goals of the organisation. This includes the handling of personal information or “Personally Identifiable Information” (PII).
Furthermore, we are committed to ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP), and any other data protection legislation or regulation relevant to our business operations.
In complying with the above-mentioned legislation and regulation, the organisation makes commitments to implement policies and processes related to that compliance and to make staff and relevant third parties aware of their responsibilities when handling personal information.
More detailed policies and processes support this policy, including our Information Security Policy. A European Union General Data Protection Regulation (GDPR) compliance workspace is also maintained in line with Information Commissioner's Office recommendations. These are located and managed within the ISMS.online platform.
This policy will be reviewed regularly, and at least annually, to respond to any changes in the law, the business, its risk assessment or its risk treatment plan.
Scope
All employees and relevant interested parties associated with the organisation’s handling of personal information must comply with this policy.
Appropriate training and materials to support it are available.
Definitions
The key definitions of terms used within or referred to by this policy are based upon those in the APP or other recognised documentation and are contained in Annex A.
Organisational Responsibilities
Our Privacy Officer has overall responsibility for the day-to-day implementation of this policy.
This policy will be reviewed regularly, and at least annually, to respond to any changes in the business, its risk assessment or its risk treatment plan.
Specific Responsibilities:

Role | Responsibilities
---|---
Senior Information Risk Owner (SIRO) |
Privacy Officer (PO) |
Information Security Manager (ISM) |
IT Manager |
Marketing Manager (Currently outsourced) |
Staff data protection training
All staff will receive training on this policy. New recruits will receive training as part of their induction. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
Training is provided on a regular basis and when specific trigger events occur e.g. threats or incidents affecting all or part of the organisation, its supply chain or other Interested Parties that might impact the organisation financially or reputationally.
It will cover:
Completion of this training is mandatory and where appropriate will be evidenced by task completion in the ISMS.online platform.
Privacy Notice – transparency of data protection
Being transparent and providing accessible information to individuals about how we will use their personal information is important for our organisation and is required under the Australian Privacy Principles (APP). Whenever personal information is being collected we will document and provide a Privacy Notice in line with the requirements of APP 5.
A template privacy notice is located within the ISMS.online platform.
Conditions for processing
We will ensure that any use of personal information is justified by at least one of the conditions for use (described further below), and this will be specifically documented in the ISMS.online platform. All staff who are responsible for the use of personal information will be aware of the conditions of use. The conditions of use will be made available to individuals in the form of a privacy notice.
Justification for personal information
We will process information in compliance with all 13 Australian Privacy Principles.
We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
Sensitive Information
In most cases where we collect and use sensitive information we will require the individual’s explicit consent to do this unless exceptional circumstances apply, or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to identify clearly what the relevant data is, why it is being processed and to whom it will be disclosed.
Fair and lawful processing
We must process personal information in accordance with the APP.
Under APP 8, this means that we cannot disclose or use personal information unless:
Our Terms of Business and website contain a Privacy Notice to clients on data protection.
The notice:
Consent
The data that we collect is subject to implied consent by the individual. This consent can be revoked at any time.
Accuracy and relevance
We will ensure that any personal information we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. Individuals may ask that we correct personal information relating to them. If you believe that information is inaccurate, you should record the fact that the accuracy of the information is in dispute and inform the Privacy Officer.
Data Portability
Upon request, an individual has the right to receive a copy of their data in a structured format. Note that there are exceptions to this, including where we believe the provision of this information would pose a serious threat to the life, health or safety of an individual, where the request would have an unreasonable impact on the privacy of other individuals, or where the request is frivolous or vexatious. These requests should be processed within one month, provided there is no undue burden.
An individual may also request that their data is transferred directly to another system.
Right to anonymity and pseudonymity
We must give the individuals the option of not identifying themselves or of using a pseudonym, if it is practical.
Privacy by design and default
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The Privacy Officer will be responsible for conducting Privacy Impact Assessments (PIA) and for ensuring that all IT and other relevant projects commence with a privacy plan. ISMS.online provides a PIA framework that is used for managing the process and documenting the approach.
When relevant, and when it does not have a negative impact on the individual, privacy settings will be set to the most private by default.
International data transfers
No data may be transferred outside Australia without first discussing it with the Privacy Officer. Specific consent from the individual must be obtained prior to transferring their data outside Australia.
Data security
We must keep personal information secure against loss, interference or misuse. Where other organisations process personal information as a service on our behalf, the Privacy Officer will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations.
The organisation has a documented “Information Security Policy” and a set of subordinate security policies and controls relating to our management of data and information security. These are held within the ISMS.online platform.
Data retention
We must not retain personal information for longer than is necessary. What is “necessary” will depend on the circumstances of each case, taking into account the reasons that the personal information was obtained, but should be determined in a manner consistent with our data retention guidelines.
Data retention schedules will be maintained showing the minimum and maximum periods of retention for each data set. We must destroy the information or ensure that the information is de-identified when we no longer need the information for any purpose for which it was obtained and we are not required to retain it under any laws.
Data audit and register
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
Staff Responsibilities
All individual staff members are responsible for playing their part in maintaining the confidentiality, integrity and availability of personal information in compliance with the APP and Privacy Act 1988 (Cth) as well as organisational policies, standards and procedures.
You must familiarise yourself with the requirements contained in this policy and any other relevant security policy and comply with any requirements relating to the proper handling and security of personal information.
Your personal information
You must take reasonable steps to ensure that personal information we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Privacy Officer or the HR Department so that they can update your records.
Handling others’ personal information
You must familiarise yourself with the organisational responsibilities detailed above and ensure that you comply with these whenever you are handling personal information. Special care and attention must be given when handling sensitive information.
Processing data in accordance with the individual’s rights
You must abide by any request from an individual not to use their personal information for direct marketing purposes. Notify the Privacy Officer about any such request if it falls outside of the normal processes or you have any reason to be unsure about the appropriate practice.
Contact the Privacy Officer for advice on direct marketing before starting any new marketing activity to ensure compliance with all relevant data protection and other legislation.
Reporting breaches
All members of staff have an obligation to report actual or potential data protection weaknesses, events and incidents where compliance may be breached. This allows us to:
The reporting of such weaknesses, events and incidents will be managed through our Information Security Incident Management Processes.
Monitoring
Everyone must observe this policy. The Privacy Officer has overall responsibility for this policy and will monitor it regularly to make sure it is being adhered to.
Annex A – Key Definitions
APP Entity
Means an agency or organisation.
Australian Privacy Principle
Has the meaning given by section 14 of the Privacy Act 1988.
Individual
“Individual” means an individual who is the subject of personal information or sensitive information.
Personal Information
Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not. [source Privacy Act]
Sensitive information
Sensitive Information means:
- information or an opinion about an individual’s:
  - racial or ethnic origin; or
  - political opinions; or
  - membership of a political association; or
  - religious beliefs or affiliations; or
  - philosophical beliefs; or
  - membership of a professional or trade association; or
  - membership of a trade union; or
  - sexual orientation or practices; or
  - criminal record;
  
  that is also personal information; or
- health information about an individual; or
- genetic information about an individual that is not otherwise health information; or
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- biometric templates. [source Privacy Act]
Processing
“Processing” means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [source GDPR]
Consent
Means express consent or implied consent. [source Privacy Act 1988]