Philippine Social Security System | Updated Maternity Benefit
Why you must use a Master Password Tool
The Master password is necessary for the overall protection and secure access to your data. Using a master password also complies with the mandatory requirement set by the Australian Privacy Principles.
APP 1 requires open and transparent management of personal information, including the likelihood of personal information to be disclosed to overseas recipients (APP 1.4(f)).
As per APP 8 before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information given.
For more information about the Australian Privacy Principles please click here & it will direct you to the detailed description of each principle.
You can also refer to the “VAP Data Protection Breach Management Policy” FAQ on how we treat data privacy.
When can I expect to receive my monthly invoice?
- Invoices are sent by the 20th of each month. But for the first invoices, that is usually sent a week from onboarding call.
When is the due date?
- 25th of each month.
Do I get reminders?
- You will receive auto-reminders in Xero on the overdue days:
- 1st reminder – on the 2nd overdue day
- 2nd reminder – on the 5th overdue day
- 3rd reminder – an email/phone call from finance
Can I change my due date?
- No. As would be expected of a business like ours that specialises in using the most efficient processes and systems, we batch process all invoices so that it is the most efficient use of time and the lowest cost for clients and we can also use technology to automate the process. The more efficient we are, the lower the cost to clients.
- If we agreed to each client that asks us to alter the due date, it will increase complexity. create potential errors (mostly human) and increase the workload of the staff in the finance team, this then would increase the cost.
- If you aren’t able to budget for the invoices to be paid by the 25th and if you’re cashflow only allows for the payment to be made by the 28th, then you’ll need to be aware that our system will auto-generate a reminder on the 27th.
What is a commitment bond?
- The commitment aka recruitment bond is charged upon you joining VA Platinum to ensure that you commit and for VA Platinum to go through the recruitment process
- which includes advertising, interviewing and allocating staff. However, this is not an additional cost to you since this will be reimbursed once your staff starts.
Do you charge for late payments?
- We do not charge for late payments.
- If the invoice is still unpaid, someone from the VAP management team will call and email you on the 1st day of the next month to let you know that staff will cease working and will be available for hire by new or existing clients. Therefore, you will need to restart with a new untrained team, unless we hear back within 24 hours.
- This is the most effective penalty we can think of to ensure you treat your valued team as though they are employees in your own office whom you wouldn’t think to not pay their salaries on time.
Can I pay by credit card?
- Yes. You may just click on the Xero invoice link and choose online payment. There is a charge of 1.79% for credit card payments.
What is Sinulog Festival?
Sinulog is a dance ritual in honor of the miraculous image of the Santo Nino. The dance ritual tells the story of the Filipino people’s pagan past and their acceptance of Christianity.
The dance moves to the sound of the drums and resembles the current (Cebuano’s refer to it as “Sulog”). Thus, in Cebuano, they call it Sinulog.
Here are the top 3 things to expect during the Sinulog Festival:
1. See talented Cebuanos everywhere
-from the grand parade to local bands
2. Party with the locals!
3. Sinulog Grand Parade
Disaster Recovery and Business Continuity Plan
This document details the actions to be taken in the event of a disruption to critical IT services, damage to IT equipment or data, and/or if the offices are deemed unsafe and inaccessible. A disruption to services may occur as a result of natural disaster, technological failure or human factors such as sabotage or terrorism.
The focus of this document is post-incident recovery.
For VA Platinum (VAP) to minimise any loss and/or interruption of services; to resume normal services and business operations as soon as practicable; to provide alternative methods of service delivery where necessary; and to respond to any identified risks if the infrastructure and/or office was compromised in a disaster.
The scope of this plan is the VAP office locations, Filipino staff members, and the virtual assistance services provided to clients who are located around the world.
The Disaster Recovery and Business Continuity Plan will be reviewed annually, or sooner in the event of a new/different office location, or in response to testing or incident.
Business Name VA Platinum Pty Ltd Office Addresses 14th Floor ACC Tower, Bohol Avenue, Cebu City Philippines, 6000
8th Floor, i1 Building Jose Maria del Mar St, Cebu City, Philippines, 6000
Australian Business Number (ABN) 37 150 301 447 Australian Company Number (ACN) 150 301 447
IT Back-Up Strategy
System / Data
Type of data – email, spreadsheet, payroll systems
Daily / Weekly / Monthly
USB / extra hard drive / online – indicate where they can be located
Person responsible DropBox Quarterly 2 external hard drives stored in 2 separate locations away from VAP facility Barry Payroll, Financial and Legal data Bi weekly 1 external hard drive stored in a separate site that holds all VAP financial data Barry/Gee
- ROLES AND RESPONSIBILITIES
- Internal Contacts – VA Platinum
Name Position Phone Brian Jones Chief Executive Officer +61 438 875 828 firstname.lastname@example.org Ed Arguelles Chief Operating Officer +63 923 265 9970 email@example.com Barry Lee Office Manager +63 920 958 5113 firstname.lastname@example.org Glora Paquibot Finance Manager +63 905 279 4337 email@example.com Wholesale/white label partners Luke Mellar Wholesale +61 421 733 146 firstname.lastname@example.org Justin Mellar Wholesale +61 417 996 627 email@example.com Carolina Castillo Wholesale +61 412 740 090 firstname.lastname@example.org
- External Contacts
Company Contact person Phone Ayala building landlord Graham Cvinar
+63 915 472 6168
+63 915 950 7909
IT Park building landlord Graham Cvinar
+63 915 472 6168
+63 915 950 7909
Accountant Cherry Pingkian +63 922 390 8328 email@example.com Legal Consultant Bryan Lee +63 917 110 1533 firstname.lastname@example.org Insurance Ritche Benedicto +63 32 2668811 (ext. 5108) email@example.com
- DISASTER RECOVERY PROCEDURES
Scenario There is no power to the specific offices leased or the entire building in either or both VAP locations. Possible causes Fire, flood, accident, or system overload that has caused a city wide or building specific power outage. IT services and data at risk Staff are unable to turn on their computers, client files not saved. Recovery Objective Immediate. Each computer has 1 UPS always plugged in. Each UPS holds 20-30 minutes of power allowing staff members to save their work until generators start up. Plan of action Notify clients (Ed Arguelles for 100% owned VAP clients and the wholesale/white label partner for all others)
Contact building admin and determine ETA of power restoration.
Site relocation is not needed as our facilities can continue operations in the event of a power outage, via generators.
- Loss of access to office
Scenario Filipino staff members are unable to access the office and their individual computers. Possible causes Fire, flood, storm, gas leak, bomb threat, terrorist action. IT services and data at risk Staff members are unable to access the building or office premises. Recovery Objective 3 days. If loss of access to office is long-term on the basis of extensive damage or threat to the building, VAP will be relocated with new computers within 3 days. Plan of action Notify clients (Ed Arguelles for 100% owned VAP clients and the wholesale/white label partner for all others).
Contact our landlord for a temporary site to accommodate the staff affected.
Relocate staff to our alternative site to ensure the continuity of operations.
- Damage / outage to internet server
Scenario Staff computers are unable to connect to the internet. Possible causes Modem/router malfunction, ISP downtime/maintenance. IT services and data at risk Internet outage and staff are unable to save client files to Cloud based servers. Recovery Objective Immediate. VA Platinum has 3 Internet providers at 150 MBPS per provider.
Our ISPs are:
Plan of action In the event that one ISP is not available, secondary or tertiary back up immediately take over.
Notify on site certified IT support team for any additional technical concerns.
- Individual computer and equipment damage / outage
Scenario Computer malfunction or systems error. Possible causes Wear & tear, improper usage by staff, system failure. IT services and data at risk Data loss due to unsaved files, files were not saved properly or files were not uploaded to the Data Cloud. Recovery Objective 1 hour. Replace malfunction computer/equipment. VAP has 2 working standby computers and equipment accessories at all times which can be utilised until computer repaired or replaced. Plan of action Notify client involved on equipment failure and downtime.
Perform basic troubleshooting.
Replace malfunction computer/equipment.
Reinstall all client specific tools and systems
Gold Standard for Recruitment
This document was written by CEO Brian Jones to reflect his belief system in getting the culture as perfect as possible in VA Platinum.
Involvement in recruiting by CEO (Brian Jones) and COO (Ed Arguelles) is considered essential at VA Platinum. It ensures the first 150 staff are suitable and representative of the company values.
The culture established by the first 150 staff greatly influence the work environment.
Allowing one “culturally unfit” staff member into the company can create a poor cultural dynamic.
Let’s classify prospective staff into 3 categories, whereas:
A – Culturally Fit
B – Somehow Fit
C – Culturally Deviant
If you allow a C type person into an all A-type team, that C type person will bring the A-Team down to a B type.
If you allow more C types in you might lose most of your A types, which then results in a poor office environment.
The only way to maintain a high A-Team is to hire A-type people and ensure that they are happy. If VAP can maintain a high level of company culture, it attracts and inspires growth and opportunities.
HR Recruitment prioritises hiring prospective staff via staff referrals. In this scenario, the candidates have already been screened by their peers prior to being invited into the company.
The staff tend to be mindful of the people they recommend, as it directly reflects how sound their judgement is. Before vouching for anyone, the staff consider their previous work relationships with their referral.
Existing staff are well positioned to assess whether the recommended candidate will ‘fit’ in the company in terms of skills, behaviour and work ethics.
Building Our Culture
Developing a culture is achieved in two ways – via association and assimilation.
Association occurs when you are hiring people who already associate and resonate with the culture you are trying to promote.
Assimilation occurs when a new staff member joins the team and copies the behaviour of the existing team members.
It’s easier to build a culture with someone whom you already share values with. In our experience, it only takes us 5 referred applicants to find one awesome staff member.
Alternatively, by hiring a prospective staff member who has not been referred, their cultural fit is not known. It’s not impossible to find good people – it’s just harder in that it takes more time and effort. In this scenario it takes over one hundred resumes for us to hire one amazing staff member.
So what are we looking for exactly?
- Have the same purpose
Believing in the value of a productive work environment and great customer service.
- “We” People VS “I” People
When asking about accomplishments, we listen carefully. If a candidate answers, “I did this,” and “I did that”, we will not recruit them. We look for “We” people, not “I” people.
We ask: “Have you ever worked with a team that had accomplished an amazing feat? If yes, can you tell us all about it?”
- Willingness to work with us long term
We ask: Pretend it’s 3 years from now, and you’re leaving VA Platinum, what would be the next job you would want to take?
“I hope I’m still with VA Platinum,” is a good answer but not an answer that digs deep enough so if they answer this, we then follow-up with: ‘That’s a great answer, but what if VA Platinum no longer exists for something we can’t control, what would be the next job you would want to take?’
If they say, “I want to pursue my studies by completing a Masters,” or “I want to move to Canada to live with my mum”, it might not be a good scenario as you can predict that this person will only be with us for a span of a year or less.
- Demonstrate an explicit learning curve
We want to find people who learn fast and are adaptable to fast-paced environments.
We ask: Looking back over the past 3 years, what have you learned that you would do less or do more of?
This question helps us understand if they were observant of their own actions in the past and if they’ve learned from them.
We want to see how they have worked on improving themselves together with the business.
- Are vocal about their opinions for the greater good of the organisation
Staff may have opposing views but are able to relay these views freely with the best intention.
We ask: Can you tell us about a past situation where you were unhappy about something in your workplace and what you did about it?
By asking that question, we find out how they go resolving their problems and issues, and whether it’s done in a direct and sincere way. We want to promote a healthy discourse of varying opinions providing it is done with respect.
We tolerate healthy debates because it’s when we know how much staff care about the organisation’s growth path. We want to know if the person is open-minded to new ideas.
6 Attributes to look for in a staff
- Kind and Optimistic
They believe they can make the world a better place.
They look forward to each day to learn and not to prove what they already know.
- Work Ethic
They try to do things better every day.
They care about how other people feel and they are aware of how they make other people feel.
They are mindful of their own disposition every day. If they feel like they are less than
4 out of 10, they try to appear 7 or 8 out of 10 to not bring the others down.
They do the right thing even when no one is looking.
QUESTIONS TO ASK: COMMENTS: Have you ever worked with a team that had accomplished an amazing feat? If yes, can you tell us all about it? Pretend it’s 3 years from now, and you’re leaving VA Platinum, what would be the next job you would want to take? Looking back over the past 3 years, what have you learned that you would do less or do more of? Can you tell us about a certain past situation where you were really unhappy about something at a work place and what you did about it?
VAP Data Protection Breach Management Policy
This document sets out the processes to be followed by VAP staff in the event that VAP experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established a Notifiable Data Breaches (NDB) scheme requiring organisations covered by the Act to notify any individuals likely to be at risk of serious harm by a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Accordingly, VAP needs to be prepared to act quickly in the event of a data breach (or suspected breach), and determine whether it is likely to result in serious harm and whether it constitutes an NDB.
Adherence to this procedure and response plan will ensure that VAP can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.
VA Platinum Pty Ltd is legally required under the Australian Privacy Protection Act 1988 to ensure the security and confidentiality of the information/data it processes on behalf of its clients and employees.
Information/data is one of our most important assets and each one of us has a responsibility to ensure the security of this information. Accurate, timely, relevant and properly protected information/data is essential to the successful operation of the VAP in the provision of services to our clients.
Sometimes a breach of information/data security may occur because this information/data is accidentally disclosed to unauthorised persons, or lost due to a fire or flood, or stolen as result of a targeted attack, or the theft of a computer, mobile or electronic device.
The purpose of this policy is to ensure that an international standardised management approach is implemented throughout the organisation in the event of an information/data breach.
This policy is mandatory and by accessing any of the VAP’s Information/data, users are agreeing to abide by the terms of this policy.
This policy represents the VAP national position and takes precedence over all other relevant policies which may have been developed at a local level. The policy applies to all VAP employees, service providers, contractors and third parties who access, use, store or process information on behalf of the VAP. This policy is authorised by the management of VAP.
The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.
VAP has an obligation to abide by all relevant Australian legislation. The relevant acts, which apply in Australian law to Information Systems, include but are not limited to:
- Privacy Amendment (Notifiable Data Breaches) Act 2017.
- Australian Privacy Act 1988(Privacy Act) from 22 February 2018.
4.0 Definition/Types of Breach
For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.
An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately and has caused or has the potential to cause damage to VAP assets and/or reputation.
An incident includes but is not restricted to, the following:
- Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record)
- Equipment theft or failure
- Unauthorised use of, access to or modification of data or information systems
- Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
- Unauthorised disclosure of sensitive / confidential data
- Website defacement
- Hacking attack
- Unforeseen circumstances such as a fire or flood
- Human error
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
In the event that an information/data breach happens, the following breach management plan is strictly adhered to.
There are five elements to any breach management plan:
- Identification and Classification
- Containment and Recovery
- Risk Assessment
- Notification of Breach
- Evaluation and Response
6.0 Breach Management Plan
6.1 Identification and Classification
Any individual who accesses, uses or manages information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer (DPO) – Brian Jones firstname.lastname@example.org and Operations Manager (OM) – Ed Arguelles email@example.com.
What does the Operations Manager do?
The Operation Manager will determine whether a data breach has or may have occurred.
The Operations Manager will complete an Assessment within five (5) business days of being notified of the breach regardless of whether it is a data breach, suspected data breach or eligible data breach.
The Assessment should include a full report of the breach or suspected breach, with recommendations to resolve the issue and ensure that it doesn’t happen in the future.
The Operations Manager should have regard to:
- whether multiple individuals were or could be affected by the breach (or suspected breach);
- whether there is a real risk of serious harm to the affected persons;
- whether the breach or suspected breach indicates a systemic problem in VAP processes or procedures; and
- whether could there be media or stakeholder attention as a result of the breach or suspected breach.
If it is a minor breach or suspected breach, the Operations Manager should make a report that
records the breach or suspected breach, notes the action they took to address it, the outcome of
the action and whether further action is required.
If the breach involves another entity, the Operations Manager should attempt to speak with
that entity’s data breach response team or representative.
If the Operations Manager decides that it is an eligible data breach, the Compliance Manager
will notify the DPO.
If the Operations Manager is uncertain as to whether or not an eligible data breach has occurred the Operations Manager should consult with the DPO.
What does the DPO do?
The director is the person to whom the Operations Manager reports definite and suspected eligible data breaches.
The Operations Manager’s Assessment, escalation to the director and the DPO’s decision as to
whether or not to obtain legal advice must be completed within 30 days of VAP first becoming
aware of the breach.
If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
The Operations Manager must put in place procedures that will allow any staff member to report any information/data security breach.
- It is important that all staff are aware to whom they should report such a breach.
- Having such a procedure in place will allow for early recognition of the breach so that it can be dealt with in the most appropriate manner.
- Details of the breach should be recorded accurately, including the date and time the breach occurred, the date and time it was detected, who/what reported the breach, description of the breach, details of any systems involved, corroborating material such as error messages, log files, etc.
- In this respect, staff need to be made fully aware as to what constitutes a breach. In respect of this policy a breach may be defined as the unintentional release of VAP or client confidential or personal information/data to unauthorized persons, either through the accidental disclosure, loss or theft of the information/data.
Criteria for determining severity:
- The type and extent of personal information involved;
- Whether multiple individuals have been affected;
- Whether the information is protected by any security measures (password protection or encryption);
- The person or kinds of people who now have access;
- Whether there is (or could there be) a real risk of serious harm to the affected individuals; and
- Whether there could be media or stakeholder attention as a result of the breach or suspect breach.
6.2 Containment and Recovery
The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
An initial assessment will be made by the DPO in liaison with relevant officers to establish the severity of the breach and who will take the lead investigating the breach.
Containment involves limiting the scope and impact of the breach of data/information.
If a breach occurs, the Operations Manager should:
- Decide on who would take the lead in investigating the breach and ensure that the appropriate resources are made available for the investigation.
- Establish who in the organisation needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. For example, this might entail isolating a compromised section of the network, finding a lost file or piece of equipment, or simply changing passwords or codes to server rooms, etc.
- Establish whether there is anything that can be done to recover losses and limit the damage the breach can cause.
6.3 Risk Assessment
An investigation will be undertaken by the Operations Manager immediately and wherever possible within 24 hours of the breach being discovered / reported.
In assessing the risk arising from the security breach, the Operations Manager should consider what would be the potential adverse consequences for individuals, i.e. how likely it is that adverse consequences will materialise and, in the event of materialising, how serious or substantial are they likely to be.
The following points should be considered:
- What type of Information/data is involved?
- How sensitive is the information/data?
- Are there any security mechanism or protection in place (e.g. password, protected, encryption)?
- What could the information/data tell a third party about the individual?
- What happened to the data? Has it been lost or stolen?
- Whether the data could be put to any illegal or inappropriate use
- How many individuals are affected by the breach?
6.4 Notification of Breaches
The OM and DPO, in consultation with an IT Security Specialist will determine who needs to be notified of the breach.
Every incident will be assessed on a case by case basis; however, the following will need to be considered:
- Whether there are any legal/contractual notification requirements
- Whether notification would assist the individual affected – could they act on the information to mitigate risks?
- Whether notification would help prevent the unauthorised or unlawful use of personal data?
All information/data breaches must be reported to the affected client or DPO immediately. Members of staff and Operations Manager must complete a Data Breach Incident Report (Appendix 2) and forward (email a scanned copy) this to their Client for breaches involving manual (paper based) information/data or their IT center or helpdesk for breaches involving electronic data.
Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks.
The OM and or the DPO must consider notifying third parties such as the authorities, insurers, bank or credit card companies, and service providers, etc. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
The OM and or the DPO will consider whether the communications team should be informed regarding a press release and to be ready to handle any incoming press enquiries.
All actions will be recorded by the DPO.
6.5 Evaluation and Response
Subsequent to any information/data security breach a thorough review of the incident should occur. The purpose of this review is to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved. Any recommended changed to policies and/or procedures should be documented and implemented as soon as possible thereafter. The OM should identify a group of people within the organisation who will be responsible for reacting to reported breaches of security.
7.0 Review & Update
Once the initial incident is contained, VAP will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
- Where and how personal data is held and where and how it is stored
- Where the biggest risks lie, and will identify any further potential weak points within its existing measures
- Whether methods of transmission are secure; sharing minimum amount of data necessary
- Identifying weak points within existing security measures
- Staff awareness
- Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security
If deemed necessary a report recommending any changes to systems, policies and procedures will be considered by the DPO and OM.
VAP reserves the right to take such action as it deems appropriate against users who breach the conditions of this policy. VAP employees who breach this policy may be denied access to the organisations information technology resources, and maybe subject to disciplinary action, including suspension and dismissal as provided for in the VAP disciplinary procedure.
9.0 Storage of breach information
Records of all breaches or suspected breaches, and steps taken to resolve, should be saved for
seven (7) years, as required under law.
Records can be saved electronically, and should be encrypted.
Examples of data breaches and analysis as to whether they are “serious”
An employee leaves documents containing the personal information of a client on their desk at the end of the day on Friday. The employee only discovers that the documents have been left on their desk the following Monday morning. The employee is unsure of who has access to the office over the weekend, and is not sure if someone could have read the documents.
The employee should immediately notify the DPO and Operations Manager and complete Appendix 2. The Operations Manager considers that the documents could have been read by anyone with a key to the office, and speaks with every key holder. Each of them confirms that they have not been in the office since close of business on Friday. The DPO and Operations Manager decides that it is not an eligible data breach. Both DPO and Operations Manager has taken remedial action to establish that it the breach was not serious, and there is no risk of serious harm to the client. The DPO and Operations Manager may choose to review file handling practices with the individual employee or more broadly.
A staff member becomes aware that the company’s customer database has been publicly available on the internet due to a technical error for more than 1 month. It has been accessed a number of times and it is not possible to verify who accessed the information. The external IT provider has removed the database from the public domain once notified.
In this scenario, the breach is serious and is likely to cause harm. Remedial action was taken, but the personal information of individuals was available for some time. The Operations Manager should complete Appendix 2 and notify the DPO immediately.
The Operations Manager will complete an Assessment and review current procedures. The DPO should seek legal advice and may need to notify its insurer. The DPO should report it to Office of the Australian Information Commissioner. Affected customers should be notified via email. A notice describing the breach could be included on its websites.
Data Breach Incident Report
Please act promptly to report any data breaches. If you discover a data breach, please notify your Operations Manager immediately, complete Section 1 of this form and email it to the Data Protection firstname.lastname@example.org and email@example.com.
Section 1: Notification of Data Security Breach To be completed by Operations Manager and reporting staff member Date incident was discovered: Date(s) of incident: Place of incident: Name of person reporting incident: Contact details of person reporting incident (email address, telephone number): Brief description of incident or details of the information lost: Number of Data Subjects affected, if known: Has any personal data been placed at risk? If, so please provide details: Brief description of any action taken at the time of discovery: For use by the Data Protection Officer Received by: On (date): Forwarded for action to: On (date): Section 2: Assessment of Severity To be completed by the Lead Investigation Officer in consultation with the Head of area affected by the breach and IT where applicable Details of the IT systems, equipment, devices, records involved in the security breach: Details of information loss: What is the nature of the information lost? How much data has been lost? If laptop lost/stolen: how recently was the laptop backed up onto central IT systems? Is the information unique? Will its loss have adverse operational, research, financial legal, liability or reputational consequences for VAP or Clients? How many data subjects are affected? Is the data bound by any contractual security arrangements? What is the nature of the sensitivity of the data? Please provide details of any types of information that fall into any of the following categories: Information that could be used to commit identity fraud such as; personal bank account and other financial information; national identifiers, such as Policy Number and copies of client IDs, etc. Detailed profiles of individuals including information about work performance, salaries or personal life that would cause significant damage or distress to that person if disclosed; Security information that would compromise the safety of individuals if disclosed. Section 3: Action taken To be completed by Data Protection Officer and/or Lead Investigation Officer Incident number Report received by: On (date): Action taken by responsible officer/s: Do we need to report the incident to the authorities? Follow up action required/recommended: Reported to Data Protection Officer and Lead Officer on (date): For use of Data Protection Officer and/or Lead Officer: Notification to Client YES/NO If YES, notified on:
Notification to data subjects YES/NO If YES, notified on:
VA Platinum response to Tax Practitioners Board practice note 2/2018
Is there a minimum number of staff?
No, there is no minimum number of staff per Australian client.