Policies and procedures for protecting IT data and systems

Business owners have legal obligations to secure data and protect the privacy of their customers' information. Learn more about your legal obligations to protect privacy and information.

To safeguard your online customers you need policies that comply with the laws on privacy, spam and electronic transfers. Policies can cover:

  • privacy of customer data
  • code of conduct
  • business procedures.

A privacy policy should outline how your business collects and stores data, how the information can and cannot be used, and restrictions on sharing data with a third party.

Unsolicited commercial emails are illegal, so develop a policy to ensure you have permission to send messages to contacts.

Encourage staff to read and understand your business policies and code of conduct. Learn more about staff training and codes of conduct.

Electronic transaction laws

Legally there is no difference between electronic financial transactions and cash transactions, and your online security must comply with national and state laws.

Read the Queensland Electronic Transactions Act 2001 and Australian Electronic Transactions Act 1999 (Cwlth).

Procedures for using IT systems

You must define procedures for using and accessing IT data and systems, backing up data and protecting data. Such procedures set out how employees and contractors are expected to behave. For example, IT procedures could instruct staff to always delete spam without opening attachments, which can contain viruses.

IT risk management and business continuity planning

You need to identify risks to your IT data and systems and put in place measures, such as SSL certificates, firewalls, passwords and anti-virus software, to protect you and your customers. A risk management plan can help you identify and manage risks to IT data and systems.

Read more about preparing a risk management plan for your business.

A business continuity plan can minimise the damage, interruption and loss of business, and identify which critical business functions, equipment and data need to be restored first. This practical strategy:

  • identifies and prevents risks where possible
  • prepares for risks you can't control
  • includes all the information vital for a quick recovery in case of an incident or crisis.

Learn how to develop a business continuity plan.