Phil Labor: Information Security Policy

Phil Labor Information Security Policy

1. Purpose

This policy establishes the framework for protecting Phil Labor's information assets, including technology, data, and systems, to ensure confidentiality, integrity, and availability.It aligns with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), particularly APP 11 (security of personal information), by mandating safeguards against unauthorized access, misuse, or loss. This complements our Data Security Policy, which focuses on data classification and handling.

2. Scope

This policy applies to all employees, contractors, and third parties who access Phil Labor's information systems, networks, devices, or data. It covers all company-owned assets and personal devices used for work (BYOD).

3. Definitions

Information Assets: Includes data (personal and non-personal), hardware, software, networks, and intellectual property.
Personal Information: As defined in the Privacy Act 1988, information or an opinion about an identified individual (or reasonably identifiable), handled in line with APP 1 (open and transparent management).**
Confidential Information: Sensitive data requiring protection, including client details and internal records.
Incident/Breach: Any unauthorized access, disclosure, alteration, or loss of information, including notifiable data breaches under the NDB scheme.

4. Responsibilities

Employees/Contractors: Must comply with this policy, report incidents immediately, and handle personal information responsibly (e.g., per APP 6 on use/disclosure limits).
IT Department: Implements and monitors security controls, conducts training, and responds to incidents.
Management/HR: Ensures policy enforcement, acknowledgment forms, and alignment with broader privacy obligations (e.g., APP 5 on notification of privacy practices).
Data Protection Officer (if applicable): Oversees APP compliance, including privacy impact assessments for new systems.***

5. Key Security Controls

5.1 Access Controls

All users must use strong, unique passwords (minimum 12 characters, changed every 90 days) and enable multi-factor authentication (MFA) where available.
Access to systems and personal information is granted on a need-to-know basis, reviewed annually, and revoked upon termination (aligning with APP 11.2 on access limitation).
Personal information must not be accessed or shared beyond what's necessary for your role, per APP 6 (use or disclosure of personal information). Report any suspicious access attempts to IT immediately.

5.2 Device and Network Security

Company devices must be locked when unattended (e.g., auto-lock after 5 minutes).
Use approved antivirus software, keep systems updated, and avoid public Wi-Fi for sensitive tasks.
For BYOD: Personal devices handling work-related personal information must have encryption enabled (e.g., BitLocker or FileVault) to protect against loss or theft, supporting APP 11's requirement for reasonable security steps. Phil Labor may remotely wipe work data from lost devices.

5.3 Data Handling and Storage

Store and backup data using approved tools (e.g., OneDrive for Business, not personal drives).
Encrypt sensitive and confidential information in transit and at rest.
When handling personal information, ensure it's collected, used, and stored transparently (APP 1 and APP 3). Dispose of it securely when no longer needed (e.g., via secure delete tools), per APP 11.2. Cross-reference our Data Security Policy for classification guidelines.

5.4 Acceptable Use

Company resources are for business purposes only; no unauthorized software, personal emailing of sensitive data, or sharing credentials.
Prohibited: Downloading torrents, visiting high-risk sites, or using unapproved cloud services.
Respect privacy in all uses—e.g., do not monitor colleagues' personal communications without cause, aligning with APP 1's transparency principles.

6. Incident Reporting and Response

Report any suspected security incident or breach (e.g., phishing, lost device) to the IT Help Desk immediately (within 1 hour) via [email/phone details].
If the incident involves personal information, assess for NDB scheme notification (e.g., if likely to cause serious harm). IT/HR will determine if disclosure to the Office of the Australian Information Commissioner (OAIC) or affected individuals is required under APP 11.2 and the NDB scheme. This process integrates with our Data Security Policy's breach response procedures.

7. Monitoring and Enforcement

Phil Labor may monitor systems for compliance (e.g., logs, audits), but personal information handling will respect APP 1 (openness).
Violations may result in disciplinary action, up to termination.
Annual training on this policy and APP basics will be mandatory.

8. Review and Acknowledgment

This policy is reviewed annually or after major incidents, ensuring ongoing APP alignment.
All personnel must acknowledge receipt and understanding upon hiring and annually.

Contact Us

For privacy concerns, reach our Privacy Officer atprivacy@philLabor.com, or write to: Phil Labor Pty Ltd, 57 Harnham Drive Bairnsdale Victoria 3875 Australia

Whatever industry you are in, from real estate specialists, to information technology firms, needing skills from sales support, digital marketing and customer service, Phil Labor can support your business!