Skip to content

Information Security and Privacy Procedures Policy

At Elders Advantage Group, we are committed to protecting the confidentiality, integrity and availability of sensitive information, including both client data and internal business information. This Information Security and Privacy Procedures Policy outlines the measures we take to safeguard information assets against unauthorised access, disclosure, alteration or destruction. This policy applies to all persons engaged in the business.

1. Scope

This policy applies to all information collected, held and used by Elders Advantage Group including but not limited to:

  • Client information (e.g. name, address, contact details)
  • Property details
  • Financial information (e.g. banking details, payment information)
  • Records of persons engaged in the business

2. Information Security Responsibilities

2.1 Management Commitment

Senior management is committed to maintaining an effective information security program and providing the necessary resources to achieve this outcome.

2.2 Responsibilities

All persons engaged in the business are responsible for adhering to information security policies and procedures, safeguarding confidential and personal information, and reporting any security incidents.

2.3 Third-Party Responsibilities

Third-party service providers and third-party platforms must comply with relevant security and privacy requirements outlined in contractual agreements with Elders Advantage Group and adhere to our information security and privacy standards.

3. Data Privacy

3.1 Collection and Use

We collect and use personal information only for lawful purposes, with consent where required, and in compliance with applicable privacy laws, including the Australian Privacy Principles.

3.2 Data Minimisation

We only collect personal information that is necessary for the provision of real estate services and limit access to such information to authorised persons engaged in the business.

3.3 Data Retention

Personal information will be retained only for as long as is reasonably necessary to fulfil the purposes for which it was collected or as required by law.

3.4 Data Access and Sharing

Access to personal information is restricted to authorised persons engaged in the business on a need-to-know basis. Personal information will not be shared with third parties without appropriate consent or legal justification.

4. Information Security Controls

4.1 Access Control

Access to systems, applications and data is granted based on the principle of least privilege. Access rights are reviewed regularly and revoked promptly when no longer required.

4.2 Data Encryption

Sensitive information is encrypted using industry-standard encryption algorithms to prevent unauthorised access.

4.3 Network Security

Firewalls, intrusion detection and prevention systems, and other security controls are implemented to protect our network infrastructure from unauthorised access and cyber threats.

4.4 Endpoint Security

All endpoints (e.g. computers and mobile devices) are equipped with up-to-date security software, including anti-virus and endpoint detection and response tools.

4.5 Security Awareness Training

Regular training sessions are provided to persons engaged in the business to raise awareness about common cyber threats, phishing scams and best practices for safeguarding information assets.

5. Data Sharing and Transfers

5.1 Data Sharing

Personal information will not be shared with third parties unless necessary for the provision of real estate services or as required by law.

5.2 Confidentiality

When sharing personal information with third parties, appropriate contractual agreements will be in place to ensure the security and confidentiality of the information.

6. Incident Response and Reporting

6.1 Security Incident Management

An incident response plan is in place to detect, respond to and recover from security incidents promptly. All security incidents must be reported to the designated incident response teams.

6.2 Breach Notification

In the event of a data breach involving personal information, the following steps will be taken:

  • Assessment of the breach – The business will promptly assess the nature and extent of the privacy breach, including what personal information has been compromised, how it occurred and the potential consequences.
  • Containment and mitigation – Immediate steps will be taken to contain the breach, secure affected systems and prevent further unauthorised disclosures.
  • Notification to affected individuals – Where required, affected individuals will be notified as soon as practicable and provided with information about the breach, the information involved and recommended protective actions.
  • Notification to the regulator – Where applicable under the Privacy Act 1988 (Cth), consideration will be given to obligations under the Notifiable Data Breaches Scheme and reporting to the Office of the Australian Information Commissioner (OAIC).

An eligible data breach occurs when:

  • there is unauthorised access to or disclosure of personal information, or loss of personal information held by the business;
  • the breach is likely to result in serious harm to one or more individuals; and
  • the business has not been able to prevent the likely risk of serious harm through remedial action.

Serious harm may include physical, psychological, emotional, financial or reputational harm.

  • Record Keeping – The business will maintain records of the breach, actions taken and communications with affected individuals and regulators.
  • Review and Preventative Measures – Following a breach, the business will review its privacy practices and security measures to identify improvements and reduce the likelihood of future incidents.

7. Compliance

7.1 Legal and Regulatory Compliance

We are committed to complying with all applicable laws, regulations and industry standards relating to information security and data privacy.

7.2 Policy Review

This policy will be reviewed regularly to ensure its ongoing effectiveness and compliance with changing legal and regulatory requirements.

8. Conclusion

Adherence to this Information Security and Privacy Procedures Policy is essential to safeguarding the confidentiality, integrity and availability of information assets at Elders Advantage Group. By following this policy, we demonstrate our commitment to protecting the privacy of our clients and maintaining the trust they place in us.