Confidentiality, Privacy and Digital Information Security

Purpose of this requirement

To ensure that all information and documentation relating to Goodstart Early Learning's (Goodstart) early education
and business activities is securely stored and treated appropriately at all times. This is primarily to ensure the privacy
of children, families and staff and the protection of their personal information, but Goodstart also has responsibility for
a significant amount of other information, which, like other important business assets, has value, and needs to be
suitably protected.
Goodstart can be exposed to significant risk (such as damage to the Goodstart brand, breach of privacy law, and so
on), through unauthorised or inappropriate use or release of information and/or through the accidental or deliberate
loss of data or damage to equipment on which the information is stored. This requirement is intended to help mitigate
that risk.

Definitions
Confidential Information:

names, details and information relating to children attending Goodstart centres and their families, caregivers
and guardians;
personal details and information relating to Goodstart staff members;
Goodstart documentation and materials, including but not limited to, information pertaining to its policies,
procedures and practices, commercial affairs, financial information, strategic and business plans and like
information relating to any Goodstart business activity;
other information which Goodstart informs the staff member is confidential or which, if disclosed, the staff
member knows or ought reasonably to know, would be detrimental to Goodstart; and
all other information which is imparted to the staff member in circumstances which the staff member knows or
ought reasonably to know means that the information is confidential to Goodstart or to any persons with whom
Goodstart is concerned, but excludes any information that is public knowledge.

Applicability of this requirement

Confidentiality and privacy
All staff:

may use confidential information solely for the purposes of performing their duties as a Goodstart staff member;
must keep confidential all information and documentation, in whatever form, deemed to be confidential; and
may only disclose confidential information to persons who are aware that the confidential information must be
kept confidential and who have a need to know that information (but only to the extent that each person has a
genuine need to know).
may only access information relating to the execution of their duties;

DOCUMENT NUMBER & TITLE

NQS7 Confidentiality, Privacy and Digital Information Security

REQUIREMENT

POLICY OWNER

Warren Bright, Chief Operating Officer

DATE PUBLISHED

31/10/2013

DOCUMENT VERSION

CONTENT OWNER
V2.0

Simon Hartfiel, ICT Manager

REVISION DUE DATE

18/11/2015

Ensure you are using the latest version of this policy. You can find it at
http://policies.goodstart.org.au/PoliciesandProcedures/NQS7%20Confidentiality,%20Privacy%20and%20Digital%20Information%20Sec
urity%20REQUIREMENT.docx
Warning uncontrolled when printed. This document is current at the time of printing and may be subject to change without notice.

must ensure that all ICT assets provided are kept physically secure and that they are returned once the need
for them has concluded;
must ensure that access to the ICT environment is not shared with other persons; and
must ensure that any information security breaches are reported to the ICT Department for action.

Staff Member's obligations of maintaining confidentiality do not extend to confidential information that the law requires
to be disclosed.
In addition, managers:

Must ensure that levels of access to information for their team/s is suitable and adequate for execution of their
duties and does not provide additional access not require not require to perform their duties;
Must ensure that access is not granted for situations whereby a segregation of duty conflict will occur.

At the end of employment, staff members must return to Goodstart all confidential information including:
any company records or information; and
all of Goodstart's property in the staff member's possession or control.
No personal information regarding Goodstart's affairs is to ever be disclosed to outside parties.
The staff member's obligation of confidentiality continues after the end of employment.
Any staff member found to be in breach of this requirement whilst still employed by the Company will be disciplined,
and in serious instances, may be dismissed.
Any former staff member found to be in breach of the confidentiality obligations set out in this requirement may be
subject to legal action being taken against them, dependent upon the circumstances of the breach.
This requirement will operate in conjunction with the staff member's employment contract obligations.
Digital information security
Authentication
To ensure information and data is protected, all devices used to access Goodstart information require a minimum level
of security features to be enabled and configured.
Any security features used will remain private and not shared with other individuals or parties.
Staff will be held accountable for the uses to which Goodstart information is put when it is accessed under their login
credentials.
As a minimum Goodstart requires the following protection be used on any device accessing Goodstart information and
data:

In the case of mobile devices (phones and tablets) a PIN 4 digit numeric

For all other devices a password which:

Is 8 characters long
Uses both alpha-numeric-symbol combinations (eg contain: A-Z, a-Z, 0-9,!,@,#,$,%,^,&,*,(,),<,>)
Is changed every 90 days
Cannot be repeated within a twelve month period
Does not consist of simple words or words followed by single digits eg Explorer1
The system enforces these criteria to the extent that passwords must contain certain elements, but it does not
enforce the combination of these elements into a password.

DOCUMENT NUMBER & TITLE

NQS7 Confidentiality, Privacy and Digital Information Security

REQUIREMENT

POLICY OWNER

Warren Bright, Chief Operating Officer

DATE PUBLISHED

31/10/2013

DOCUMENT VERSION

CONTENT OWNER
V2.0

Simon Hartfiel, ICT Manager

REVISION DUE DATE

18/11/2015

Ensure you are using the latest version of this policy. You can find it at
http://policies.goodstart.org.au/PoliciesandProcedures/NQS7%20Confidentiality,%20Privacy%20and%20Digital%20Information%20Sec
urity%20REQUIREMENT.docx
Warning uncontrolled when printed. This document is current at the time of printing and may be subject to change without notice.

It is a requirement that staff do not use simple words or children's names, as this dilutes the security of the
password.
Access to a device will be rejected after 3 consecutive failed login attempts.
Data centre facilities
Access to any data centre facilities which house Goodstart computing equipment requires the authorisation of the IT
Manager or the ICT Manager.
Auditable records of persons having physical access to Goodstarts main data storage devices and systems are
maintained through the IT Department.
Device connectivity
Only IT Department approved/authorised computing devices will be permitted to connect to the Goodstart network and
allowed access to Goodstart information. This helps ensure protection and confidentially of Goodstart information and
reduces the risk of computer viruses causing disruption to Goodstart operations.
Maintenance and disposal of equipment
Equipment used to hold and manage Goodstart information will not exceed the age limits set by the vendors for
maintenance and support. A risk assessment will be performed and documented for circumstances whereby vendor
maintenance is not renewed for hardware items, on an individual basis by the IT Department.
In accordance with Goodstart's Acquisition and disposal of ICT Requirement, all decommissioned equipment will be
wiped of all corporate information prior to disposal, using an appropriate tool. All server, desktop, and laptop devices
hard disk drives will be erased using an industry compliant tool.
Mobile equipment (eg laptops and mobile phones)
It is the responsibility of all individuals issued with mobile devices owned by Goodstart to ensure the device is stored
and kept safely and securely and, for example, not left in public places or in unattended vehicles.
A staff member issued with a mobile device is accountable for the device while it is registered to the staff member.
This includes the devices security and physical treatment of the device. Goodstart may seek reimbursement or
replacement of the device for loss or damage in the case of inappropriate handling or use.
The IT department will maintain both a register and signed mobile device agreement for mobile equipment. The
mobile device agreement will indicate the staff member's acceptance of the conditions around the use of the mobile
device/s and return of the device.
Photographs and videos
Parental or guardian consent must be given before children are photographed or videoed. This should be obtained at
enrolment. Where parents or guardians disagree over provision of consent it is deemed not to have been given.
Separate permission must be sought for photographs or videos to be used outside the centre, usually for marketing
purposes (see NQS6 Image Consent Procedure).
Photographs and videos must only be taken using cameras and other devices provided by Goodstart. No photographs
or videos of children or centres, which may only be taken for purposes associated with Goodstart's early learning and
business functions, may be taken or removed from the centre on personal equipment. Photographs and videos must
not be shared between staff members unless there is a relevant business purpose.
To help ensure secure storage of photographs and videos and to minimise the risk of them being inadvertently
removed from the centre, they must not be downloaded to personal devices. Nor should they be sent outside
Goodstart in electronic form, such as attached to an email.
DOCUMENT NUMBER & TITLE

NQS7 Confidentiality, Privacy and Digital Information Security

REQUIREMENT

POLICY OWNER

Warren Bright, Chief Operating Officer

DATE PUBLISHED

31/10/2013

DOCUMENT VERSION

CONTENT OWNER
V2.0

Simon Hartfiel, ICT Manager

REVISION DUE DATE

18/11/2015

Ensure you are using the latest version of this policy. You can find it at
http://policies.goodstart.org.au/PoliciesandProcedures/NQS7%20Confidentiality,%20Privacy%20and%20Digital%20Information%20Sec
urity%20REQUIREMENT.docx
Warning uncontrolled when printed. This document is current at the time of printing and may be subject to change without notice.

All images, except those to be used for official marketing purposes, must be archived after three months and deleted
after six months. This is to help ensure the long-term security of the images, make storage capacity available for new
images, ensure that personal data is only kept for a reasonable period consistent with the need to support early
learning and other business activities, and to ensure compliance with regulatory requirements.
Remote access
Remote access will be provided to Goodstart staff to the limit required to perform their duties. Remote access to
Goodstarts computing environment will be subject to the approval provided to the IT department.
Information security incidents
All information security incidents will be reported to the IT department for investigation, action, and resolution. Serious
incidents will be immediately reported to the Goodstart Executive Team.
Environment security
All data and information stored within the data centre will be backed up and information rotated to a separate site, in
the event of a restoration being required or Disaster Recovery Plan being activated.
The backup schedule for the data centre follows a four weekly rotation with a monthly archive rotation cycle.
The main corporate network will be protected via a firewall and no external connection to the network will occur
without passing through a firewall device.
Any publicly facing applications will be published from the corporate DMZ network segment and protected through the
corporate firewall and reverse proxy device. Firewall logs will be monitored and any breaches or attempted breaches
reported to the Goodstart IT management.
All firewall configurations will be reviewed annually by the IT department to ensure that their configurations remain
consistent with the configuration of the corporate network. Goodstarts network architecture conforms to the
standards and regulations as appropriate to the data transmitted and stored in its internal applications.

Responsibilities
This requirement is to be implemented by: All Goodstart staff.
Content owners: Stan Coulter, General Manager Governance and Risk (Confidentiality and privacy); Simon Hartfiel,
ICT Manager (Digital information security)

DOCUMENT NUMBER & TITLE

NQS7 Confidentiality, Privacy and Digital Information Security

REQUIREMENT

POLICY OWNER

Warren Bright, Chief Operating Officer

DATE PUBLISHED

31/10/2013

DOCUMENT VERSION

CONTENT OWNER
V2.0

Simon Hartfiel, ICT Manager

REVISION DUE DATE

18/11/2015

Ensure you are using the latest version of this policy. You can find it at
http://policies.goodstart.org.au/PoliciesandProcedures/NQS7%20Confidentiality,%20Privacy%20and%20Digital%20Information%20Sec
urity%20REQUIREMENT.docx
Warning uncontrolled when printed. This document is current at the time of printing and may be subject to change without notice.