Data Protection Policy

Updated 1 October 2024


1. POLICY OVERVIEW

Definitions

Service: The service that is provided by Felcorp Support.

Client: A client of Felcorp Support, which may be an individual or a corporate entity.

Supplier: A third-party supplier of Felcorp Support that is not involved in the management or operation of Felcorp Support.


Purpose

This Data Protection Policy outlines our approach to safeguarding data, defines our responsibilities, and provides the framework through which our data protection standards are maintained.

Felcorp Support adheres to both the Australian Privacy Principles Act 1988 (Act) and GDPR compliance measures. Where the GDPR and the Act differ, we will abide by the Act.

Scope

This policy applies to all employees and suppliers who handle Felcorp’s data and any customer information, whether electronic or physical. It encompasses data stored or transmitted in any format.

Who is this policy designed for

This policy is designed for all employees, clients and suppliers of Felcorp Support who utilise our service or access our stored data in the normal course of business.

Data Protection Principles

Felcorp adheres to the following data protection principles:

  1. Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and transparent to the data subject.
  2. Purpose Limitation: Collect data only for specified, explicit, and legitimate purposes.
  3. Data Minimisation: Ensure that data collected is adequate, relevant, and limited to what is necessary.
  4. Accuracy: Keep personal data accurate and up to date.
  5. Storage Limitation: Retain personal data only for as long as necessary for the purposes for which it is processed.
  6. Integrity and Confidentiality: Process data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Data Security Measures

To protect data, Felcorp implements the following security measures:

  • Access Controls: Limiting access to data to authorised personnel only.
  • Encryption: Utilising encryption for data both in transit and at rest.
  • Regular Audits: Conducting regular security audits and vulnerability assessments.
  • Training: Providing data protection training to employees and associated personnel.
  • Incident Response: Establishing and maintaining an incident response plan to react promptly to data breaches.

Australian Privacy Principles Act 1988 Summary

The Australian Privacy Principles (APPs) contained within the Privacy Act 1988 (Cth) set out standards, rights, and obligations in respect to how personal information should be handled. Key points include:

  • Open and Transparent Management of Personal Information: Entities must manage personal information in an open and transparent way, including having a clearly expressed and up-to-date privacy policy.
  • Anonymity and Pseudonymity: Individuals must have the option of not identifying themselves, or of using a pseudonym in certain circumstances.
  • Collection of Solicited Personal Information: Personal information must only be collected by lawful and fair means and directly from the individual, unless it is unreasonable or impracticable to do so.
  • Dealing with Unsolicited Personal Information: If unsolicited personal information is received, steps must be taken to determine whether it could have been collected under the APPs and, if not, it must be destroyed promptly.
  • Notification of the Collection of Personal Information: Individuals must be notified about the collection of their personal information, including the purposes of collection and details of how it will be used.
  • Use or Disclosure of Personal Information: Personal information can only be used or disclosed for the primary purpose for which it was collected, unless an exception applies.
  • Direct Marketing: Restrictions are placed on the use of personal information for direct marketing purposes unless certain conditions are met.
  • Cross-Border Disclosure of Personal Information: Entities must take steps to ensure that overseas recipients do not breach the APPs.
  • Adoption, Use, or Disclosure of Government Related Identifiers: Such identifiers can only be adopted, used, or disclosed in limited circumstances.
  • Quality of Personal Information: Information must be accurate, up-to-date, and complete.
  • Security of Personal Information: Reasonable steps must be taken to protect personal information from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure.
  • Access to Personal Information: Individuals have the right to access their personal information and to correct any inaccuracies, subject to some exceptions.
  • Correction of Personal Information: Entities must take reasonable steps to correct personal information to ensure that it is accurate, up-to-date, and complete.


GDPR Compliance Standards

To ensure compliance with the General Data Protection Regulation (GDPR), Felcorp adheres to the following standards:

  • Accountability: Maintain records of data processing activities and demonstrate compliance through documented policies and procedures.
  • Data Protection Impact Assessments (DPIAs): Conduct DPIAs for high-risk data processing activities to identify and mitigate potential privacy risks.
  • Data Protection Officer (DPO): Appoint a DPO to oversee data protection strategy and compliance.
  • Consent Management: Obtain and document clear, affirmative consent from data subjects for data processing activities.
  • Breach Notification: Notify relevant supervisory authorities and affected data subjects of personal data breaches within 72 hours where feasible.
  • Third-party Agreements: Ensure data processing agreements with third-party processors comply with GDPR requirements.
  • Privacy by Design and Default: Implement organisational and technical measures to protect data privacy from the outset of any new project or process.
  • International Data Transfers: Implement appropriate safeguards for transferring personal data outside the European Economic Area (EEA).
  • Data Protection Training: Provide regular training to employees and contractors on GDPR compliance and data protection practices.
  • Rights of Data Subjects: Facilitate and respond to data subject requests regarding their rights under GDPR within the stipulated time frames.

Responsibilities

All personnel are responsible for adhering to the Australian Privacy Principles Act (1988) and GDPR compliance standards.

Policy Review

This Data Protection Policy is reviewed annually and updated as necessary to reflect changes in legislation, business practices, and technological advancements.


2. COLLECTING OR RECEIVING DATA

1. Methods of Collecting or Receiving Data

Data will be collected or received as part of the normal operations of the Felcorp Support service, as outlined in our Engagement Letter. This may include personal financial data, banking data, contact information and other privileged information generally accepted to be reasonably required within a professional services capacity.


Collection of data is exclusively limited to the following methods:

  • receiving data by email, file transfer, access to a software environment or an approved communication portal, where authorised personnel of the Client have either given express permission to access the data or have directly given the data to the receiving authorised Felcorp Support personnel;
  • collecting data by phone or video call from industry suppliers who hold confidential data that is necessary to complete a job. A relevant Third Party Authority form must be properly lodged and the Client must give express permission before any attempt is made to collect the data.

2. Lawful Collection of Data

Data collection must be lawful, direct and necessary. Felcorp must only:

  • Collect personal information for a lawful purpose that is directly related to the Client's functions or activities and necessary for that purpose.
  • Collect personal information only through the methods above (2.1), unless the Client has authorised collection from someone else or by some other method and has clearly detailed how to access the data in a lawful and reasonably safe way.
  • Inform the Client that personal information has been accessed, why it is being collected and the primary purpose for which it will be used.
  • Collect personal information that is relevant, accurate, complete, up-to-date and not excessive.


3. ORGANISING, STORING & HANDLING DATA

1. STORING DATA

Effective management, including the secure storage of Client data, is an important and integral part of efficient service operations. Consideration should be given to the type, frequency, volume and flow of data being collected; these factors will inform the selection of appropriate organisation, transmission and storage methods. Data is to be appropriately protected during transmission and at rest. When collecting data, Felcorp must only:

  • store it within Felcorp's approved file storage software (Felcorp App) and organise the data in a straightforward and transparent way; or
  • store it within the Client's nominated cloud file storage system and organise the data in a straightforward and transparent way.

 

2. ACCESSING DATA

Access to data must be limited to approved personnel, i.e. the dedicated staff member working with the Client and the relevant Felcorp management team (company directors, assigned team manager, HR manager and IT manager). With regard to the software environment, whether internal or external, Felcorp must:

  • in an external Client cloud software system, ensure that authorised staff have the minimum user privileges and access rights needed to render efficient services to the Client;
  • ensure that non-management staff have standard user privileges in the Felcorp App;
  • control at all times who has access to data, including developing, implementing and enforcing robust user access rules and employing audit processes to verify authorised access;
  • routinely review access privileges to ensure that users hold the least permissions needed to perform their role, and remove access when a person changes roles or leaves employment.

3. HANDLING OF CONFIDENTIAL DATA

The day-to-day handling of data must be in line with the delivery of the Service while ensuring that confidential data is:

  • appropriately and reasonably protected during transmission from one storage location to another;
  • not seen, used or stored by non-authorised personnel;
  • not left unattended or easily visible to other people in the office environment;
  • not printed or stored outside of a secure software system unless the Client has given express permission to do so.


4. DISPOSING AND ARCHIVING DATA

1. ARCHIVING DATA AFTER NON-USE

Confidential data collected, generated and transformed by Felcorp and held within Felcorp-controlled software environments (Felcorp App) should be archived within 3 months of the data last being used. As data is held only on the Felcorp App and nowhere else, the Client has the user privileges required to delete data when necessary, and is strongly encouraged to delete temporary work-in-progress data on the Felcorp App and transfer data to the Client's own cloud software system at their earliest convenience.

2. ARCHIVING DATA ON TERMINATION

Upon the termination of the agreement with the Client, it is our policy to dispose of all data stored from our systems within 60 days of the initial date of termination. During this period, we will securely transfer all personal data back to the client through electronic means, ensuring the data is encrypted and transmitted via secure channels. This process guarantees that clients have a complete copy of their data before it is permanently erased from our systems and is no longer accessible.


5. DATA BREACH DISCLOSURE AND PROCEDURES

1. Definition of Data Breach

A data breach occurs when personal information or intellectual property held by Felcorp Support is subject to unauthorised access, disclosure, modification, or is lost. Data breaches can occur in a number of ways, including but not limited to:

  • Unauthorised third-party security breaches (e.g. hackers)
  • Unauthorised access, disclosure or modification by employees and users
  • Data breaches of third-party services used by Felcorp Support that affect user data

2. Assessing a Data Breach

All Felcorp Support personnel who are aware of, are informed of, or suspect a data breach must inform Felcorp Management and the IT team immediately. The IT team must then assess the suspected breach to determine whether or not a breach has in fact occurred. If a data breach has occurred, the IT team will manage the breach according to the steps outlined in the Data Breach Response Plan.

3. Data Breach Response Plan

In accordance with OAIC recommendations, the following steps will be taken in response to a verified Data Breach.

(a) Contain the breach as soon as possible. Containment means ensuring that the breach itself is stopped. How a breach is stopped depends on the particular instance but can include:

(i) The suspension of compromised accounts;
(ii) Removal of malware, where identified;
(iii) Temporary platform downtime if necessary;
(iv) Recovering any lost data, if possible;
(v) Repairing unauthorised modification of data, if possible;
(vi) Restoring access to the platform when able.

(b) Assess the risks involved and the repercussions for the respective stakeholders. The following may be considered in assessing the stakeholder risks:

(i) The type of information involved;
(ii) Establish the cause and the extent of the breach;
(iii) Assess the risk of harm to affected persons;
(iv) Assess the risk of other harms, such as reputational damage;
(v) Notify Management and affected individuals where appropriate;
(vi) Management must be notified of breaches as and when they occur, whether or not the breach is an eligible breach under the Notifiable Data Breach Scheme;
(vii) Felcorp Support Pty is an APP 11 entity under the Privacy Act 1988 (Cth) and must therefore comply with its obligations under the Notifiable Data Breach Scheme;
(viii) Data breaches that are not eligible under the Notifiable Data Breach Scheme need not be reported and may be addressed internally.

4. Disclosure of Data Breach

Where an eligible breach has occurred, Felcorp must inform affected users through at least one of the following methods:

  • Email newsletter announcements
  • Phone or direct email
  • In person
  • Notification on website
  • Notification in the Felcorp App

 

6. Email Security

Email Security (DMARC, SPF, DKIM, TLS, Threat Intelligence Database)

Emails can contain malicious content and malware. In order to reduce phishing and spam and to improve the deliverability of Felcorp emails, we employ:

1. DMARC Policy

All felcorp.com.au email conforms with our DMARC policy, which uses a strict alignment setting: the DKIM and SPF domains must exactly match the domain of the Header From address. This prevents impersonation attacks and email spoofing attempts.

2. SPF Policy

All felcorp.com.au emails have SPF authentication. This ensures that emails from felcorp.com.au are sent only from verified Felcorp Support mail servers.

3. DKIM Policy

All felcorp.com.au emails pass DKIM evaluation. This ensures that there is protection against emails being intercepted in transit between outgoing and incoming mail servers.

4. TLS Encryption

All felcorp.com.au emails use TLS encryption, ensuring that mail between outgoing and incoming mail servers is sent over a Transport Layer Security (TLS) encrypted connection, which prevents emails from being intercepted by cybercriminals.

5. Threat Intelligence database

felcorp.com.au is not listed on any threat intelligence database, such as lists of spam, phishing or low-reputation senders.
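The DMARC and SPF/DKIM points above hinge on one mechanism: DMARC only treats a message as authenticated when the SPF-verified domain or the DKIM signing domain is *aligned* with the Header From domain, and the `aspf`/`adkim` tags decide whether alignment means an exact match (strict, `s`) or merely the same organisational domain (relaxed, `r`). The following is an added example, not Felcorp's DNS record or code; it parses a constructed DMARC TXT record, applies the alignment rules, and shows how the same message is handled under a strict `p=reject` record and a weak `p=none` one. The records, domains and authentication results are all constructed, and the organisational-domain lookup is a stand-in for the Public Suffix List that real verifiers consult.

```python
"""Added example (not Felcorp's configuration or code): evaluate DMARC
alignment for a message given constructed DNS records and auth results."""
from dataclasses import dataclass

# Constructed DMARC TXT records (a real one is published at _dmarc.<domain>).
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Tiny stand-in for the Public Suffix List: suffixes under which the
# organisational domain has three labels (e.g. felcorp.com.au).
_TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "org.uk"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, applying DMARC defaults.

    Per RFC 7489, adkim and aspf default to relaxed ('r') when absent.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable (organisational) domain using the toy suffix set."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    hf = header_from.lower().rstrip(".")
    au = authenticated.lower().rstrip(".")
    if mode == "s":
        return hf == au
    return organizational_domain(hf) == organizational_domain(au)


@dataclass
class AuthResults:
    header_from: str   # domain of the RFC 5322 From header
    spf_pass: bool
    spf_domain: str    # MAIL FROM (envelope) domain that SPF verified
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that verified


def evaluate(record: str, results: AuthResults) -> dict:
    """Return alignment outcomes, the overall DMARC result and the disposition."""
    policy = parse_dmarc(record)
    spf_ok = results.spf_pass and aligned(results.header_from, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_pass and aligned(results.header_from, results.dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        "disposition": "deliver" if passed else policy.get("p", "none"),
    }


def policy_is_strict(record: str) -> bool:
    """True when the record enforces rejection with strict SPF and DKIM alignment."""
    p = parse_dmarc(record)
    return p.get("p") == "reject" and p["adkim"] == "s" and p["aspf"] == "s"


# Constructed auth results: a genuine message signed by example.com but
# relayed through a bulk-sending subdomain, so SPF verifies a subdomain.
LEGIT = AuthResults("example.com", True, "bulk.example.com", True, "example.com")
# Constructed auth results: From header claims example.com but neither SPF
# nor DKIM authenticates any domain belonging to example.com.
FORGED = AuthResults("example.com", True, "mail.unrelated-host.net", False, "")

if __name__ == "__main__":
    for name, record in (("strict", STRICT_RECORD), ("weak", WEAK_RECORD)):
        print(name, "legit ->", evaluate(record, LEGIT))
        print(name, "forged ->", evaluate(record, FORGED))
```

Under the strict record the genuine message still passes, because the DKIM signing domain matches the From domain exactly even though SPF only verified a subdomain; the forged message fails both checks and receives the `reject` disposition. Under the weak record the forged message also fails both checks, but `p=none` means the receiver is asked to deliver it anyway, which is why a policy that stops at monitoring does not by itself prevent spoofing.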


7. Anti-virus EndPoint Security

Felcorp applies the following BitDefender policies on all computer devices:

1. Secure VPN internet access

All Felcorp devices that access the internet are protected through BitDefender's built-in VPN facility.

2. Comprehensive Audit Log

Felcorp management are alerted to any suspicious activity, unauthorised software or potential cybercrime threats and can remotely access Felcorp devices.

3. End-to-end encryption and protection

BitDefender secures all internal and external information ports and automatically scans new information for threats.

4. Specific policy protocols

Felcorp management has the ability to enforce specific IT policies remotely to ensure adherence solely to our approved internet connections, website blacklisting and the disabling of USB ports.

 

8. Password Storage (LastPass)

Felcorp employs LastPass as its password management system to:

  1. protect against unauthorised sharing of passwords;
  2. protect against revealing password characters (ability to hide passwords);
  3. give management comprehensive audit controls and visibility of user access.

 

9. Document Storage

Felcorp manages internal information on Dropbox, with all client information held on the Felcorp App for transparency:

  1. All client files are held in full transparency on the Felcorp App.
  2. No other file storage system (including desktop storage) holds any client information.

 

10. Device Security and Using Personal Devices

Logging in to any work accounts from personal devices such as mobile phones, tablets or laptops is only allowed when in the office and during work hours. Felcorp does not recommend accessing any data from personal devices except in certain circumstances.

Employees are required to follow these steps:

  1. Keep all electronic devices' passwords secure and protected.
  2. Log into accounts only through verified Felcorp internet networks.
  3. Update antivirus software when updates are available.
  4. Shut down computers and screens when away from the desk.

 

12. Contact Information

For any questions or concerns regarding this Data Protection Policy, please contact us at:

Email: service@felcorp.com.au

Phone: +61 2 9669 9375

Address: 37/453 Bourke St, Surry Hills NSW 2010