Overview

Kytec Pty Ltd of L2/210 Albert Road, South Melbourne, VIC 3205 (Kytec, including its related entities within the meaning of the Corporations Act 2001) is committed to protecting the personal information it collects.
Kytec is required to protect personal information we collect from loss, unauthorised access and unauthorised disclosure (data breach).

Security of Data

Kytec is obliged under the Australian Privacy Principles to take such steps as are reasonable to protect personal information from:

  • Misuse, interference and loss; and
  • Unauthorised access, modification or disclosure.

All staff members must adhere to the data security requirements and procedures for customer information as outlined in this Policy. A failure to provide adequate security may lead to an interference with the privacy of an individual.

Should we suspect or believe that a data breach has occurred we will undertake the following 5 steps:

1. Identify
2. Contain
3. Assess
4. Notify
5. Review

1. Identify

Kytec will maintain systems and procedures to ensure that any suspected or actual data breach can be identified, reported and escalated to those responsible for the implementation of the Data Breach Response Plan. Any employee who suspects a data breach has occurred must ensure that the responsible line manager and Managing Director are informed.

2. Contain

Once identified, Kytec will take all reasonable steps to contain the breach.

3. Assess

The Data Breach Response Plan provides for the proper assessment of the breach including:

  • The type of information involved;
  • Whether the breach can be remedied, and the information recovered;
  • The identity and number of individuals affected or likely to be affected;
  • The possible financial, economic, social and emotional impact on any individual;
  • The nature of the breach (i.e. loss, access or disclosure of electronic or paper-based data and was it accidental or deliberate);
  • The perpetrator of the breach (i.e. internal staff, contractors, third parties whether local or overseas);
  • The risk of further breaches if remedial action is not taken (i.e. is it a systemic problem or a one-off);
  • Whether criminality is evident (i.e. theft or hacking); and
  • Whether the information was encrypted, de-identified or difficult to access.

4. Notification

If we believe (not just suspect) on reasonable grounds that a data breach is likely to result in serious harm to any of the individuals concerned, we will:

  • Prepare the statement required by the Privacy Act (1988) including the following information:
    • Our contact details;
    • A description of the breach we believe has occurred;
    • The kind of information involved in the breach;
    • Recommendation about the steps the individuals should take in response; and
    • If the breach was caused by a third-party service provider we engage, we will include their name and contact details.
  • Provide a copy of the statement to the Office of the Australian Information Commissioner;
  • Provide a copy of the statement to each affected individual by a means determined to communicate effectively with said individual and include additional information such as:
    • Our response to contain the data breach and prevent its recurrence;
    • Any assistance we can offer to the individuals;
    • Confirmation the breach has been reported to the Office of the Australian Information Commissioner and any relevant law enforcement agencies;
    • How individuals can make a complaint to the Office of the Australian Information Commissioner.

5. Review

To prevent future breaches of the same kind, the Data Breach Response Plan must include a requirement for us to conduct a review of our policies, systems and procedures which may include the following:

  • A post-investigation audit of physical and technical security controls
  • A review of policies and procedures
  • Additional training of staff members including scenario practices
  • Identify external resources that may assist to prevent future breaches
  • Review authority levels for access to and transfer of electronic data
  • Whether the Data Breach Response Plan was adequate