Maintaining secure information and notifying us of information security incidents
Last published 21 Jun 2022
The obligations and requirements for service providers to maintain secure information, and notify us when an actual or suspected information security incident is detected. This policy applies to all electronic and physical data storage.
Your obligations for maintaining secure information
Your organisation holds private information about clients and families who access the services you deliver on our behalf.
You’re required to comply with the requirements of relevant Commonwealth and NSW legislation and policy, as well as the provisions of your contract with us, in relation to privacy, information management and your information and communications technology (ICT) systems.
This means being aware of the privacy obligations for your organisation and its staff in relation to the collection, storage, use, disclosure and destruction of personal information under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).
We expect your organisation to establish, maintain, enforce and continually improve policies, procedures and safeguards to protect the personal and confidential data held in your electronic and physical files against unauthorised access, use, disclosure, destruction, loss and alteration. This includes ensuring your staff and governing body are aware of their obligations in relation to information security, and are aware of the resources available to assist you.
If your organisation detects an actual or suspected information security incident, you’re required to notify DCJ and keep us informed of progress until its resolution.
These requirements:
- are in addition to any specific provisions for privacy and information security that may be specified in your contract with us
- apply to any organisation you’ve subcontracted to fulfil part or all of the services we have contracted your organisation to deliver.