• Philippine Social Security System | Updated Maternity Benefit

    The Philippine Social Security System, commonly known as SSS, is the government agency that provides retirement and other social security benefits to private-sector employees and other members in the Philippines who have paid their contributions.


    Members of the SSS can also take out salary or calamity loans and claim a sickness benefit, and female members can claim a maternity benefit.


    Recently, Republic Act No. 11210 (the 105-Day Expanded Maternity Leave Law) increased paid maternity leave from 60 to 105 calendar days. The employer is required to advance the maternity benefit payment, which SSS then reimburses once the staff member has filed the full requirements after delivery.


    Below is a comparison of the old and new maternity benefit rules:






    Old law (60-day maternity benefit) | New law (RA 11210, 105-Day Expanded Maternity Leave)
    60 calendar days of leave from work for live childbirth, miscarriage and emergency termination of pregnancy, subsidised by SSS | 105 calendar days of leave from work for live childbirth regardless of the mode of delivery, with the SSS salary subsidy plus a salary differential payment from the employer; an option to extend, and an additional 15 days for qualified solo mothers
    An extension to 78 calendar days for caesarean delivery | 60 days of paid leave for miscarriage and emergency termination of pregnancy, subsidised by SSS
    Voluntary payment of government statutory contributions (SSS, PhilHealth and Pag-IBIG) during the leave | Employers are required to continue paying the staff member's government statutory contributions while she is on maternity leave


    Under the new maternity benefit law, an employee on paid maternity leave must receive full pay for the 105 days, based on her actual daily rate.


    When the cash benefit received from SSS is less than the employee's full salary for the duration of the maternity leave, the employer must pay the salary differential. For a VA on the standard wage of ₱25,000 per month this is roughly AUD 0-450 (at the exchange rate of ₱33 per AUD 1 as of March 2020); it can reach about AUD 800 depending on the VA's monthly wage, and it appears as a separate line item on the invoice.

  • Why you must use a Master Password Tool

    The master password is the single credential that protects access to the password tool and, through it, to the client logins and data stored in it. Keeping client credentials in a tool protected by a strong, unshared master password, rather than in spreadsheets, chat messages or email, is one of the reasonable steps VAP takes to protect personal information as required by Australian Privacy Principle 11 (security of personal information). The Australian Privacy Principles do not prescribe a particular tool; they require reasonable steps, and an encrypted password vault is how VAP meets that requirement for credentials.

    The cross-border principles also matter here, because VAP staff in the Philippines are overseas recipients of the personal information that Australian clients share with them. APP 1 requires open and transparent management of personal information, including stating in the privacy policy whether personal information is likely to be disclosed to overseas recipients (APP 1.4(f)).

    Under APP 8, before disclosing personal information to an overseas recipient, an entity must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information.

    For more information, refer to the Office of the Australian Information Commissioner's guidelines to the Australian Privacy Principles, which describe each principle in detail.

    You can also refer to the “VAP Data Protection Breach Management Policy” FAQ on how we treat data privacy.

  • Invoices

    When can I expect to receive my monthly invoice?

    • Invoices are sent by the 20th of each month. The first invoice is usually sent a week after the onboarding call.

    When is the due date?

    • 25th of each month.

    Do I get reminders?

    • You will receive auto-reminders in Xero on the overdue days:
    • 1st reminder – on the 2nd overdue day
    • 2nd reminder – on the 5th overdue day
    • 3rd reminder – an email/phone call from finance

    Can I change my due date?

    • No. As you would expect of a business that specialises in efficient processes and systems, we batch-process all invoices so that the work takes the least time, costs clients the least, and can be automated. The more efficient we are, the lower the cost to clients.
    • If we agreed to alter the due date for each client that asks, it would increase complexity, create potential (mostly human) errors and increase the finance team's workload, which would in turn increase the cost.
    • If you cannot budget to pay invoices by the 25th and your cash flow only allows payment by the 28th, be aware that our system will auto-generate a reminder on the 27th.

    What is a commitment bond?

    • The commitment bond, also called the recruitment bond, is charged when you join VA Platinum. It confirms your commitment and covers VA Platinum going through the recruitment process, which includes advertising, interviewing and allocating staff. It is not an additional cost to you, because it is reimbursed once your staff member starts.

    Do you charge for late payments?

    • We do not charge for late payments. 
    • If the invoice is still unpaid, someone from the VAP management team will call and email you on the 1st day of the next month to let you know that your staff will cease working and will become available for hire by new or existing clients unless we hear back within 24 hours. You would then need to restart with a new, untrained team.
    • This is the most effective penalty we can think of to ensure you treat your valued team as you would employees in your own office, whose salaries you would not think of paying late.

    Can I pay by credit card?

    • Yes. You may just click on the Xero invoice link and choose online payment. There is a charge of 1.79% for credit card payments.
  • What is Sinulog Festival?

    Sinulog is a dance ritual in honour of the miraculous image of the Santo Niño. The dance ritual tells the story of the Filipino people's pagan past and their acceptance of Christianity.

    The dance moves to the sound of the drums and resembles the current of a river (Cebuanos refer to it as "sulog"), hence the Cebuano name Sinulog.

    Here are the top 3 things to expect during the Sinulog Festival:

    1. See talented Cebuanos everywhere, from the grand parade to local bands

    2. Party with the locals!

    3. Sinulog Grand Parade

  • Disaster Recovery and Business Continuity Plan



    This document details the actions to be taken in the event of a disruption to critical IT services, damage to IT equipment or data, and/or if the offices are deemed unsafe and inaccessible. A disruption to services may occur as a result of natural disaster, technological failure or human factors such as sabotage or terrorism.

    The focus of this document is post-incident recovery.


    • Plan Objective

    For VA Platinum (VAP) to minimise any loss and/or interruption of services; to resume normal services and business operations as soon as practicable; to provide alternative methods of service delivery where necessary; and to respond to any identified risks if the infrastructure and/or office was compromised in a disaster.


    • Plan Scope

    The scope of this plan is the VAP office locations, Filipino staff members, and the virtual assistance services provided to clients who are located around the world.


    • Plan Review

    The Disaster Recovery and Business Continuity Plan will be reviewed annually, or sooner in the event of a new/different office location, or in response to testing or incident.


    • Business Details


    Business name: VA Platinum Pty Ltd
    Office addresses: 14th Floor ACC Tower, Bohol Avenue, Cebu City, Philippines, 6000
                      8th Floor, i1 Building, Jose Maria del Mar St, Cebu City, Philippines, 6000
    Australian Business Number (ABN): 37 150 301 447
    Australian Company Number (ACN): 150 301 447


    • IT Back-Up Strategy


    System / data | Back-up frequency | Back-up location | Person responsible
    Dropbox | Quarterly | 2 external hard drives stored in 2 separate locations away from the VAP facility | Barry
    Payroll, financial and legal data | Bi-weekly | 1 external hard drive, stored at a separate site, holding all VAP financial data | Barry/Gee

    Both sets of drives are offline copies. The quarterly interval for Dropbox means up to three months of Dropbox changes could be lost between copies; the bi-weekly copy limits that exposure to about two weeks for payroll, financial and legal data.




    • Internal Contacts – VA Platinum


    Name | Position | Phone | Email
    Brian Jones | Chief Executive Officer | +61 438 875 828 | brian@vaplatinum.com.au
    Ed Arguelles | Chief Operating Officer | +63 923 265 9970 | ed@vaplatinum.com.au
    Barry Lee | Office Manager | +63 920 958 5113 | barry@vaplatinum.com.au
    Glora Paquibot | Finance Manager | +63 905 279 4337 | glora@vaplatinum.com.au

    Wholesale/white label partners
    Luke Mellar | Wholesale | +61 421 733 146 | luke@vaplatinum.com.au
    Justin Mellar | Wholesale | +61 417 996 627 | justin@vaplatinum.com.au
    Carolina Castillo | Wholesale | +61 412 740 090 | carolina@vaplatinum.com.au


    • External Contacts


    Company | Contact person | Phone | Email
    Ayala building landlord | Graham Cvinar; Amanda Aworuwa | +63 915 472 6168; +63 915 950 7909 |
    IT Park building landlord | Graham Cvinar; Amanda Aworuwa | +63 915 472 6168; +63 915 950 7909 |
    Accountant | Cherry Pingkian | +63 922 390 8328 | cherrymp.rpm@gmail.com
    Legal Consultant | Bryan Lee | +63 917 110 1533 | bryanvince@gmail.com
    Insurance | Ritche Benedicto | +63 32 2668811 (ext. 5108) | rrbenedicto@mapfreinsular.com




    1. Power outage

    Scenario: There is no power to the specific offices leased, or to the entire building, at either or both VAP locations.
    Possible causes: Fire, flood, accident or system overload causing a city-wide or building-specific power outage.
    IT services and data at risk: Staff are unable to turn on their computers; client files that were not saved are lost.
    Recovery objective: Immediate. Each computer has a UPS permanently plugged in. Each UPS holds 20-30 minutes of power, allowing staff members to save their work until the generators start.
    Plan of action:
    • Notify clients (Ed Arguelles for 100%-owned VAP clients; the wholesale/white label partner for all others).
    • Contact building admin and determine the ETA for power restoration.
    • Site relocation is not needed, as our facilities can continue operating on generator power during a power outage.



    2. Loss of access to office

    Scenario: Filipino staff members are unable to access the office and their individual computers.
    Possible causes: Fire, flood, storm, gas leak, bomb threat, terrorist action.
    IT services and data at risk: Staff members are unable to access the building or office premises.
    Recovery objective: 3 days. If loss of access is long-term because of extensive damage or a threat to the building, VAP will relocate with new computers within 3 days.
    Plan of action:
    • Notify clients (Ed Arguelles for 100%-owned VAP clients; the wholesale/white label partner for all others).
    • Contact our landlord for a temporary site to accommodate the affected staff.
    • Relocate staff to the alternative site to ensure continuity of operations.


    3. Damage / outage to internet connection

    Scenario: Staff computers are unable to connect to the internet.
    Possible causes: Modem/router malfunction, ISP downtime/maintenance.
    IT services and data at risk: Internet outage; staff are unable to save client files to cloud-based servers.
    Recovery objective: Immediate. VA Platinum has 3 internet providers at 150 Mbps per provider. Our ISPs are:
    • RISE
    • Globe
    • PLDT
    Plan of action:
    • In the event that one ISP is unavailable, the secondary or tertiary link takes over immediately.
    • Notify the on-site certified IT support team for any additional technical concerns.

    Note that having three ISPs protects against an ISP outage but not against a failure of the shared modem/router, which is also listed above as a possible cause.


    4. Individual computer and equipment damage / outage

    Scenario: Computer malfunction or systems error.
    Possible causes: Wear and tear, improper usage by staff, system failure.
    IT services and data at risk: Data loss from unsaved files, files that were not saved properly, or files that were not uploaded to the data cloud.
    Recovery objective: 1 hour. Replace the malfunctioning computer/equipment. VAP keeps 2 working standby computers and equipment accessories at all times, which can be used until the computer is repaired or replaced.
    Plan of action:
    • Notify the client involved of the equipment failure and the downtime.
    • Perform basic troubleshooting.
    • Replace the malfunctioning computer/equipment.
    • Reinstall all client-specific tools and systems on the replacement machine.



  • Gold Standard for Recruitment

    This document was written by CEO Brian Jones to set out his beliefs about getting the culture at VA Platinum as close to perfect as possible.


    Recruitment Overview

    Involvement in recruiting by CEO (Brian Jones) and COO (Ed Arguelles) is considered essential at VA Platinum. It ensures the first 150 staff are suitable and representative of the company values.

    The culture established by the first 150 staff greatly influences the work environment.

    Allowing one “culturally unfit” staff member into the company can create a poor cultural dynamic.


    Let's classify prospective staff into 3 categories:

    A – Culturally Fit

    B – Somewhat Fit

    C – Culturally Deviant


    If you allow a C type person into an all A-type team, that C type person will bring the A-Team down to a B type.

    If you allow more C types in you might lose most of your A types, which then results in a poor office environment.

    The only way to maintain a high A-Team is to hire A-type people and ensure that they are happy.  If VAP can maintain a high level of company culture, it attracts and inspires growth and opportunities.



    Staff Referrals

    HR Recruitment prioritises hiring prospective staff via staff referrals.  In this scenario, the candidates have already been screened by their peers prior to being invited into the company.

    The staff tend to be mindful of the people they recommend, as it directly reflects how sound their judgement is. Before vouching for anyone, the staff consider their previous work relationships with their referral.

    Existing staff are well positioned to assess whether the recommended candidate will ‘fit’ in the company in terms of skills, behaviour and work ethics.


    Building Our Culture

    Developing a culture is achieved in two ways – via association and assimilation.

    Association occurs when you are hiring people who already associate and resonate with the culture you are trying to promote.

    Assimilation occurs when a new staff member joins the team and copies the behaviour of the existing team members.

    It’s easier to build a culture with someone whom you already share values with. In our experience, it only takes us 5 referred applicants to find one awesome staff member.

    Alternatively, by hiring a prospective staff member who has not been referred, their cultural fit is not known. It’s not impossible to find good people – it’s just harder in that it takes more time and effort. In this scenario it takes over one hundred resumes for us to hire one amazing staff member.


    So what are we looking for exactly?


    1. Have the same purpose

    Believing in the value of a productive work environment and great customer service.



    2. "We" people vs "I" people

    When asking about accomplishments, we listen carefully. If a candidate answers, “I did this,” and “I did that”, we will not recruit them.  We look for “We” people, not “I” people.

    We ask: “Have you ever worked with a team that had accomplished an amazing feat? If yes, can you tell us all about it?”


    3. Willingness to work with us long term

    We ask: Pretend it’s 3 years from now, and you’re leaving VA Platinum, what would be the next job you would want to take?

    “I hope I’m still with VA Platinum,” is a good answer but not an answer that digs deep enough so if they answer this, we then follow-up with: ‘That’s a great answer, but what if VA Platinum no longer exists for something we can’t control, what would be the next job you would want to take?’

    If they say, "I want to pursue my studies by completing a Masters," or "I want to move to Canada to live with my mum", it might not be a good scenario, as you can predict that this person will only be with us for a year or less.


    4. Demonstrate an explicit learning curve

    We want to find people who learn fast and are adaptable to fast-paced environments.

    We ask: Looking back over the past 3 years, what have you learned that you would do less or do more of?

    This question helps us understand if they were observant of their own actions in the past and if they’ve learned from them.

    We want to see how they have worked on improving themselves together with the business.


    5. Are vocal about their opinions for the greater good of the organisation

    Staff may have opposing views but are able to relay these views freely with the best intention.

    We ask: Can you tell us about a past situation where you were unhappy about something in your workplace and what you did about it?

    By asking that question, we find out how they go about resolving problems and issues, and whether they do so in a direct and sincere way. We want to promote healthy discourse between varying opinions, provided it is done with respect.

    We welcome healthy debate because it shows how much staff care about the organisation's growth path. We also want to know whether the person is open-minded to new ideas.


    6 Attributes to look for in a staff


    1. Kind and optimistic

    They believe they can make the world a better place.

    2. Curious

    They look forward to each day to learn and not to prove what they already know.

    3. Work ethic

    They try to do things better every day.

    4. Empathetic

    They care about how other people feel and they are aware of how they make other people feel.

    5. Self-awareness

    They are mindful of their own disposition every day. If they feel like they are less than 4 out of 10, they try to appear 7 or 8 out of 10 so as not to bring the others down.

    6. Integrity

    They do the right thing even when no one is looking.





    Interview questions at a glance:

    1. Have you ever worked with a team that had accomplished an amazing feat? If yes, can you tell us all about it?
    2. Pretend it's 3 years from now, and you're leaving VA Platinum; what would be the next job you would want to take?
    3. Looking back over the past 3 years, what have you learned that you would do less or do more of?
    4. Can you tell us about a past situation where you were really unhappy about something at a workplace and what you did about it?




  • VAP Data Protection Breach Management Policy


    VA Platinum Pty Ltd (VAP) is committed to managing personal information in accordance with the Privacy Act 1988 (Cth) (the Act) and the VAP Privacy Policy.


    This document sets out the processes to be followed by VAP staff in the event that VAP experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.


    The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established a Notifiable Data Breaches (NDB) scheme requiring organisations covered by the Act to notify any individuals likely to be at risk of serious harm by a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.


    Accordingly, VAP needs to be prepared to act quickly in the event of a data breach (or suspected breach), and determine whether it is likely to result in serious harm and whether it constitutes an NDB.

    Adherence to this procedure and response plan will ensure that VAP can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.


    This document should be read in conjunction with VAP’s Privacy Policy.


    1.0 Purpose

    VA Platinum Pty Ltd is legally required under the Privacy Act 1988 (Cth) to ensure the security and confidentiality of the information/data it processes on behalf of its clients and employees.

    Information/data is one of our most important assets and each one of us has a responsibility to ensure the security of this information. Accurate, timely, relevant and properly protected information/data is essential to the successful operation of the VAP in the provision of services to our clients.

    Sometimes a breach of information/data security may occur because this information/data is accidentally disclosed to unauthorised persons, or lost due to a fire or flood, or stolen as result of a targeted attack, or the theft of a computer, mobile or electronic device.

    The purpose of this policy is to ensure that a single, standardised management approach is followed throughout the organisation in the event of an information/data breach.

    This policy is mandatory and by accessing any of the VAP’s Information/data, users are agreeing to abide by the terms of this policy.




    2.0 Scope

    This policy represents VAP's company-wide position and takes precedence over any other relevant policies developed at a local (office) level. The policy applies to all VAP employees, service providers, contractors and third parties who access, use, store or process information on behalf of VAP. This policy is authorised by the management of VAP.

    The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.


    3.0 Legislation

    VAP has an obligation to abide by all relevant Australian legislation. The relevant acts, which apply in Australian law to Information Systems, include but are not limited to:

    • Privacy Amendment (Notifiable Data Breaches) Act 2017, which inserted the Notifiable Data Breaches scheme (Part IIIC) into the Privacy Act; the scheme commenced on 22 February 2018.
    • Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles.


    4.0 Definition/Types of Breach

    For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.

    An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately and has caused or has the potential to cause damage to VAP assets and/or reputation.

    An incident includes but is not restricted to, the following:

    • Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record)
    • Equipment theft or failure
    • Unauthorised use of, access to or modification of data or information systems
    • Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
    • Unauthorised disclosure of sensitive / confidential data
    • Website defacement
    • Hacking attack
    • Unforeseen circumstances such as a fire or flood
    • Human error
    • ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it



    5.0 Policy

    In the event that an information/data breach happens, the following breach management plan is strictly adhered to.

    There are five elements to any breach management plan:

    • Identification and Classification
    • Containment and Recovery
    • Risk Assessment
    • Notification of Breach
    • Evaluation and Response


    6.0 Breach Management Plan

    6.1 Identification and Classification

    Any individual who accesses, uses or manages information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer (DPO) – Brian Jones brian@vaplatinum.com.au and Operations Manager (OM) – Ed Arguelles ed@vaplatinum.com.au.

    What does the Operations Manager do?

    The Operation Manager will determine whether a data breach has or may have occurred.


    The Operations Manager will complete an Assessment within five (5) business days of being notified of the breach regardless of whether it is a data breach, suspected data breach or eligible data breach.


    The Assessment should include a full report of the breach or suspected breach, with recommendations to resolve the issue and ensure that it doesn’t happen in the future.


    The Operations Manager should have regard to:

    • whether multiple individuals were or could be affected by the breach (or suspected breach);
    • whether there is a real risk of serious harm to the affected persons;
    • whether the breach or suspected breach indicates a systemic problem in VAP processes or procedures; and
    • whether there could be media or stakeholder attention as a result of the breach or suspected breach.


    If it is a minor breach or suspected breach, the Operations Manager should make a report that records the breach or suspected breach, notes the action they took to address it, the outcome of the action and whether further action is required.


    If the breach involves another entity, the Operations Manager should attempt to speak with that entity's data breach response team or representative.


    If the Operations Manager decides that it is an eligible data breach, the Operations Manager will notify the DPO.


    If the Operations Manager is uncertain as to whether or not an eligible data breach has occurred the Operations Manager should consult with the DPO.

    What does the DPO do?

    The DPO is the person to whom the Operations Manager reports definite and suspected eligible data breaches.


    The Operations Manager's Assessment, the escalation to the DPO and the DPO's decision as to whether or not to obtain legal advice must be completed within 30 days of VAP first becoming aware of the breach. This 30-day window is the statutory maximum under the NDB scheme for assessing whether a suspected breach is an eligible data breach (Privacy Act s 26WH); the five-business-day target in section 6.1 is VAP's internal deadline within it.


    If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.

    The Operations Manager must put in place procedures that will allow any staff member to report any information/data security breach.

    • It is important that all staff are aware to whom they should report such a breach.
    • Having such a procedure in place will allow for early recognition of the breach so that it can be dealt with in the most appropriate manner.
    • Details of the breach should be recorded accurately, including the date and time the breach occurred, the date and time it was detected, who/what reported the breach, description of the breach, details of any systems involved, corroborating material such as error messages, log files, etc.
    • In this respect, staff need to be made fully aware of what constitutes a breach. For the purposes of this policy a breach includes the release of VAP or client confidential or personal information/data to unauthorised persons, whether through accidental disclosure, loss or theft, as well as the deliberate incidents listed in section 4.0 (unauthorised access, hacking, blagging).


    Criteria for determining severity:

    • The type and extent of personal information involved;
    • Whether multiple individuals have been affected;
    • Whether the information is protected by any security measures (password protection or encryption);
    • The person or kinds of people who now have access;
    • Whether there is (or could there be) a real risk of serious harm to the affected individuals; and
    • Whether there could be media or stakeholder attention as a result of the breach or suspected breach.





    6.2 Containment and Recovery

    The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.

    An initial assessment will be made by the DPO in liaison with relevant officers to establish the severity of the breach and who will take the lead investigating the breach.

    Containment involves limiting the scope and impact of the breach of data/information.

    If a breach occurs, the Operations Manager should:

    • Decide on who would take the lead in investigating the breach and ensure that the appropriate resources are made available for the investigation.
    • Establish who in the organisation needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. For example, this might entail isolating a compromised section of the network, finding a lost file or piece of equipment, or simply changing passwords or the codes to server rooms. Containment steps should preserve the corroborating material the investigation will need (log files, error messages, the affected device): isolate a compromised machine from the network rather than wiping and reimaging it before that evidence has been captured.
    • Establish whether there is anything that can be done to recover losses and limit the damage the breach can cause.


    6.3 Risk Assessment

    An investigation will be undertaken by the Operations Manager immediately and wherever possible within 24 hours of the breach being discovered / reported.

    In assessing the risk arising from the security breach, the Operations Manager should consider what would be the potential adverse consequences for individuals, i.e. how likely it is that adverse consequences will materialise and, in the event of materialising, how serious or substantial are they likely to be.

    The following points should be considered:

    • What type of Information/data is involved?
    • How sensitive is the information/data?
    • Are there any security mechanisms or protections in place (e.g. password protection, encryption)?
    • What could the information/data tell a third party about the individual?
    • What happened to the data? Has it been lost or stolen?
    • Whether the data could be put to any illegal or inappropriate use
    • How many individuals are affected by the breach?





    6.4 Notification of Breaches

    The OM and DPO, in consultation with an IT Security Specialist will determine who needs to be notified of the breach.

    Every incident will be assessed on a case by case basis; however, the following will need to be considered:

    • Whether there are any legal/contractual notification requirements
    • Whether notification would assist the individual affected – could they act on the information to mitigate risks?
    • Whether notification would help prevent the unauthorised or unlawful use of personal data?


    All information/data breaches must be reported immediately to the DPO and to the affected client. Members of staff and the Operations Manager must complete a Data Breach Incident Report (Appendix 2) and email a scanned copy to the client for breaches involving manual (paper-based) information/data, or to the IT centre or helpdesk for breaches involving electronic data.

    Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks.

    The OM and or the DPO must consider notifying third parties such as the authorities, insurers, bank or credit card companies, and service providers, etc. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.

    The OM and or the DPO will consider whether the communications team should be informed regarding a press release and to be ready to handle any incoming press enquiries.

    All actions will be recorded by the DPO.


    6.5 Evaluation and Response

    After any information/data security breach a thorough review of the incident should occur. The purpose of this review is to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved. Any recommended changes to policies and/or procedures should be documented and implemented as soon as possible thereafter. The OM should identify a group of people within the organisation who will be responsible for reacting to reported breaches of security.


    7.0 Review & Update

    Once the initial incident is contained, VAP will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.

    Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.

    The review will consider:

    • Where and how personal data is held and where and how it is stored
    • Where the biggest risks lie, identifying any further potential weak points within existing measures
    • Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared
    • Identifying weak points within existing security measures
    • Staff awareness
    • Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security


    If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the DPO and OM.


    8.0 Enforcement

    VAP reserves the right to take such action as it deems appropriate against users who breach the conditions of this policy. VAP employees who breach this policy may be denied access to the organisation's information technology resources, and may be subject to disciplinary action, including suspension and dismissal as provided for in the VAP disciplinary procedure.


    9.0 Storage of breach information


    Records of all breaches or suspected breaches, and the steps taken to resolve them, should be saved for seven (7) years, as required under law.


    Records can be saved electronically, and should be encrypted.





    Appendix 1

    Examples of data breaches and analysis as to whether they are “serious” 


    Example 1


    An employee leaves documents containing the personal information of a client on their desk at the end of the day on Friday. The employee only discovers that the documents have been left on their desk the following Monday morning. The employee is unsure of who has access to the office over the weekend, and is not sure if someone could have read the documents.

    The employee should immediately notify the DPO and Operations Manager and complete Appendix 2. The Operations Manager considers that the documents could have been read by anyone with a key to the office, and speaks with every key holder. Each of them confirms that they have not been in the office since close of business on Friday. The DPO and Operations Manager decide that it is not an eligible data breach. Both the DPO and Operations Manager have taken remedial action to establish that the breach was not serious, and that there is no risk of serious harm to the client. The DPO and Operations Manager may choose to review file handling practices with the individual employee or more broadly.


    Example 2

    A staff member becomes aware that the company's customer database has been publicly available on the internet due to a technical error for more than 1 month. It has been accessed a number of times and it is not possible to verify who accessed the information. The external IT provider removed the database from the public domain once notified.

    In this scenario, the breach is serious and is likely to cause harm. Remedial action was taken, but the personal information of individuals was available for some time. The Operations Manager should complete Appendix 2 and notify the DPO immediately.

    The Operations Manager will complete an Assessment and review current procedures. The DPO should seek legal advice and may need to notify the insurer. The DPO should report it to the Office of the Australian Information Commissioner. Affected customers should be notified via email. A notice describing the breach could be included on the company's websites.



    Appendix 2

    Data Breach Incident Report

    Please act promptly to report any data breaches. If you discover a data breach, please notify your Operations Manager immediately, complete Section 1 of this form and email it to the Data Protection Officer at brian@vaplatinum.com.au and ed@vaplatinum.com.au.


    Section 1: Notification of Data Security Breach (to be completed by the Operations Manager and the reporting staff member)
    Date incident was discovered:
    Date(s) of incident:
    Place of incident:
    Name of person reporting incident:
    Contact details of person reporting incident (email address, telephone number):
    Brief description of incident or details of the information lost:
    Number of Data Subjects affected, if known:
    Has any personal data been placed at risk? If so, please provide details:
    Brief description of any action taken at the time of discovery:
    For use by the Data Protection Officer
    Received by:
    On (date):
    Forwarded for action to:
    On (date):


    Section 2: Assessment of Severity (to be completed by the Lead Investigation Officer in consultation with the Head of the area affected by the breach and IT where applicable)
    Details of the IT systems, equipment, devices, records involved in the security breach:
    Details of information loss:
    What is the nature of the information lost?
    How much data has been lost? If laptop lost/stolen: how recently was the laptop backed up onto central IT systems?
    Is the information unique? Will its loss have adverse operational, research, financial, legal, liability or reputational consequences for VAP or Clients?
    How many data subjects are affected?
    Is the data bound by any contractual security arrangements?
    What is the nature of the sensitivity of the data? Please provide details of any types of information that fall into any of the following categories:
    Information that could be used to commit identity fraud, such as: personal bank account and other financial information; national identifiers, such as Policy Number and copies of client IDs, etc.
    Detailed profiles of individuals including information about work performance, salaries or personal life that would cause significant damage or distress to that person if disclosed;
    Security information that would compromise the safety of individuals if disclosed.


    Section 3: Action taken (to be completed by the Data Protection Officer and/or Lead Investigation Officer)
    Incident number:
    Report received by:
    On (date):
    Action taken by responsible officer/s:
    Do we need to report the incident to the authorities?
    Follow up action required/recommended:
    Reported to Data Protection Officer and Lead Officer on (date):
    For use of Data Protection Officer and/or Lead Officer:
    Notification to Client: YES/NO. If YES, notified on:
    Notification to data subjects: YES/NO. If YES, notified on:



  • VA Platinum response to Tax Practitioners Board practice note 2/2018
  • Is there a minimum number of staff?

    No, there is no minimum number of staff per Australian client.