Data Protection Policy

1. Introduction and Mission

Phil Labor is an Australian company committed to managing personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

Our mission is to protect all company and client data from loss, unauthorized access, or disclosure. This document outlines the mandatory processes and controls all staff must follow to ensure data is secure. Adherence to this policy will ensure we can contain, assess, and respond to any data breach swiftly and mitigate potential harm.

2. Purpose

As a provider of services to our clients, accurate, timely, and properly protected information is one of our most vital assets. This policy ensures a standardized management approach is implemented throughout the organization to secure this data against accidental loss, theft, or deliberate attack. By accessing any of Phil Labor’s information, all users agree to abide by the terms of this policy.

3. Scope

This policy applies to all Phil Labor employees, service providers, contractors, and third parties who access, use, or process information on behalf of our company and our clients.

4. Our Legal Obligations

Phil Labor is obligated to abide by all relevant legislation. As an Australian company, our primary legal framework includes, but is not limited to:

  • The Australian Privacy Act 1988 (Cth).

  • The Australian Privacy Principles (APPs).

  • The Notifiable Data Breaches (NDB) scheme.

As our operational staff are located in the Philippines, we also respect and adhere to the principles of the Philippine Data Privacy Act of 2012 (R.A. 10173).

5. What is a Data Breach?

A data breach is a security incident where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. This policy applies to breaches involving both internal Phil Labor data and our clients’ data.

Examples include, but are not limited to:

  • Loss or theft of a laptop, USB stick, or paper records.

  • Unauthorized access to an account or system.

  • Disclosing sensitive data to the wrong person by mistake.

  • A hacking attack or website defacement.

  • Human error leading to data exposure.

6. Data Protection Plan

Reporting a Breach

Any individual who accesses, uses, or manages company or client information is responsible for immediately reporting any suspected data breach or security incident to:

  • The designated IT Manager.

  • The General Manager.

Our Security Measures

The following technical and procedural controls are in place to protect our data:

Workstation Security Controls

  • USB Access: All USB ports are disabled for file transfer. Only keyboards, mice, and headsets will function.

  • File & Printer Sharing: Network file and printer sharing is disabled to prevent unauthorized printing or transfer of documents.

  • Hard Drive Wipes: Computer hard drives are securely reformatted when workstations are reassigned. Periodic routines also wipe drives to ensure no client data is stored locally.

  • Auto-Lock: Workstations will automatically lock or shut down after a predetermined period of inactivity.

Network and Internet Security

  • Port Blocking: Network ports for non-essential services that can be used for file transfer or remote access (e.g., FTP, SSH, Telnet) are blocked.

  • Website Whitelisting: Users can only access a list of specific, pre-approved websites.

  • Firewalls: All company networks are protected by a firewall with no direct port forwarding. Software firewalls are also enabled on all individual computers.

  • Antivirus: Antivirus software is installed on all computers, configured for real-time scanning and hourly updates. Every employee must run a full virus scan weekly.

  • System Patches: Operating system and software patches are automatically downloaded and installed to protect against vulnerabilities.

  • VPN for Remote Access: Virtual Private Networks (VPNs) must be used whenever remote access to client or company servers is required, providing enhanced protection against hacking.

Remote Work (WFH) Security

  • Secure Internet: All WFH employees must secure their home internet router with WPA2 encryption and change the router’s password from the default setting.

  • No Public Wi-Fi: Employees are prohibited from using public Wi-Fi networks to conduct company or client business.

  • Client Responsibility: As most staff work directly for clients, clients are also responsible for implementing data protection measures, such as requiring remote login to client-controlled servers and securing mobile work applications.

Employee Responsibilities and Training

  • Timeframe Access: Employees can only sign in to their workstations during their approved shift schedule.

  • Password Security: Employees must use unique, complex passwords and are encouraged to use a password manager. Passwords must never be shared.

  • Email Security: Do not open email attachments unless they are expected from a trusted sender. Be cautious of any email asking for sensitive information and do not click links unless the sender and destination are known and trusted.

  • Pop-ups: Do not click “YES” on unexpected browser pop-ups.

  • Social Media: Observe caution when posting any personal or professional information on social media.

System Monitoring

  • Phil Labor uses third-party software to monitor employee activity, keystrokes, and web activity to ensure compliance and security. These reports are available to clients.

  • Specialist AI-powered cybersecurity monitoring is available to clients at an additional cost to detect and flag any activity that deviates from normal working patterns.

7. Enforcement

Any user who breaches the conditions of this policy will be subject to disciplinary action. For employees, this may include suspension or dismissal. For contractors or third parties, this may result in termination of contracts and potential legal action.