How we protect your personal information
Cooee is committed to protecting your privacy and ensuring that your personal information is not misused. In this update we discuss our obligations to you and how important it is to us that your personal information is kept secure.
In February 2018, the Notifiable Data Breaches (NDB) scheme, administered by the Office of the Australian Information Commissioner (OAIC), came into effect as part of the Privacy Act 1988, the Australian law that regulates how your personal information is handled.
We also understand and respect that, in the event of a notifiable data breach, you are entitled to be made aware of this breach, so you can take appropriate actions to protect yourself.
The measures we have put in place to protect your personal information and data include (but are not limited to):
- Two-step authentication (2SA) required for access to all sensitive applications
- Remote access restricted to specific locations and/or overseas access to our systems blocked
- Tracking and monitoring of attempted access to our systems to identify suspicious activity
- Usage logged in an audit trail so that, after an incident, we can determine the likely source of a breach and report it to the authorities. Our new tool shows which applications were accessed, when they were accessed and from where
- Termination of access to all sensitive cloud applications by disabling a single user account
- Remote wipe of mobile devices in the event they are compromised or lost. We can also restrict access to reasonable times, such as business hours
- Shared access to applications through a single user ID, without divulging cloud application passwords to staff
- Single sign-on for staff to all sensitive applications, reducing the risk associated with ‘password sprawl’
- The ability to federate our identity systems so that desktops, servers and browser-based cloud applications are all accessed through one identity
We also have the following policies, documentation and arrangements in place:
- An IT and internet usage policy that educates staff on, and sets expectations for, best-practice password and access management
- Third-party access agreements that govern access by third parties such as IT contractors and outsourced providers, and limit our liability should such a third party breach our data security policies
- A data breach response plan that sets out the steps we take in the event of a breach and communicates our obligations under the NDB scheme
- A specialist data security legal service, contracted to support us in the event of a breach, to ensure the appropriate remediation and notification steps are taken
- A retainer-based engagement with a specialist cyber-security firm that provides guidance and best-practice systems to protect our clients’ privacy
- This cloud best-practice certification, which validates our firm as a responsible data custodian
We also have access to external advisors with expertise to handle privacy and data protection matters.