IT SECURITY POLICY FOR HANDLING SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION (PII)

1. Purpose

  • This policy aims to establish guidelines for protecting sensitive Personally Identifiable Information (PII) collected, stored, emailed and processed by Naturally Balanced Chiropractic/www.natbalchiro.com.au. It aims to ensure data confidentiality, integrity, and availability while complying with applicable laws and industry standards.

2. Scope

    • Full names, dates of birth, addresses, email addresses, phone numbers, occupations
    • Medicare Numbers
    • Health Fund Numbers
    • Financial account numbers
    • Health information
    • Biometric data

3. Responsibilities

  • Data Owners: Ensure PII is classified and protected appropriately.
  • Employees and Contractors: Adhere to the procedures outlined in this policy and report any breaches or suspicious activity.
  • IT Team: Implement and maintain security controls and monitor systems for compliance.

4. Data Handling Requirements

  • Data Collection: Only the minimum PII necessary to fulfil business purposes will be collected.
  • Data Storage: Encryption of sensitive PII both at rest and in transit using industry-standard encryption protocols (e.g., AES-256 for storage, TLS for transmission).
  • Access Control: Access to sensitive PII is limited to authorized personnel only, based on role-based access control (RBAC).
  • Data Retention: We will retain sensitive PII only as long as necessary for the stated purpose, and securely dispose of it when no longer needed.

5. Security Measures

  • Authentication: We require multi-factor authentication (MFA) for access to systems containing PII.
  • Logging and Monitoring: We maintain audit logs of access to sensitive PII and monitor systems for unauthorized access or anomalies.
  • Regular Updates: We ensure software and systems are updated regularly to address security vulnerabilities.

6. Third-Party Management

  • We vet third-party vendors who process PII to ensure they adhere to equivalent security standards.
  • We include data protection clauses in contracts with third parties.

7. Employee Training

  • We conduct regular training for all employees on handling sensitive PII and recognizing potential security threats.

8. Enforcement and Consequences

  • Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract. Legal consequences may apply for wilful violations.

9. Policy Review

  • This policy will be reviewed annually or as needed to ensure compliance with regulatory changes and emerging threats.