Skip to content

Information Security and Privacy Procedures Policy

Maitland Real Estate Sales Pty Ltd

At Elders Advantage Group, we are committed to protecting the confidentiality, integrity and availability of sensitive information, including both client data and internal business information. This Information Security and Privacy Procedures Policy outlines the measures we take to safeguard information assets against unauthorised access, disclosure, alteration or destruction. This policy applies to all persons engaged in the business.

1. Scope

This policy applies to all information collected, held and used by Elders Advantage Group including but not limited to:

  • Client information (e.g. name, address, contact details)
  • Property details
  • Financial information (e.g. banking details, payment information)
  • Records of persons engaged in the business

2. Information Security Responsibilities

2.1 Management Commitment

Senior management is committed to maintaining an effective information security program and providing the necessary resources to achieve this outcome.

2.2 Responsibilities

All persons engaged in the business are responsible for adhering to information security policies and procedures, safeguarding confidential and personal information, and reporting any security incidents.

2.3 Third-Party Responsibilities

Third-party service providers and third-party platforms must comply with relevant security and privacy requirements outlined in contractual agreements with Elders Advantage Group and adhere to our information security and privacy standards.

3. Data Privacy

3.1 Collection and Use

We collect and use personal information only for lawful purposes, with consent where required, and in compliance with applicable privacy laws, including the Australian Privacy Principles.

3.2 Data Minimisation

We only collect personal information necessary for the provision of real estate services and limit access to authorised persons engaged in the business.

3.3 Data Retention

Personal information will be retained only for as long as reasonably necessary to fulfil the purposes for which it was collected or as required by law.

3.4 Data Access and Sharing

Access to personal information is restricted to authorised persons engaged in the business on a need-to-know basis. Personal information will not be shared with third parties (for instance, third-party platforms) without appropriate consent or legal justification.

4. Information Security Controls

4.1 Access Control

Access to systems, applications and data is granted based on the principle of least privilege. Access rights are reviewed regularly and revoked promptly when no longer required.

4.2 Data Encryption

Sensitive information is encrypted using industry-standard encryption algorithms to prevent unauthorised access.

4.3 Network Security

Firewalls, intrusion detection and prevention systems, and other security controls are implemented to protect our network infrastructure from unauthorised access and cyber threats.

4.4 Endpoint Security

All endpoints (e.g. computers, mobile devices) are equipped with up-to-date security software, including anti-virus, and endpoint detection and response tools.

4.5 Security Awareness Training

Regular training sessions are provided to persons engaged in the business to raise awareness about common cyber threats, phishing scams and best practices for safeguarding information assets.

5. Data Sharing and Transfers

5.1 Data Sharing

Personal information will not be shared with third parties unless necessary for the provision of real estate services or as required by law.

5.2 Confidentiality

When sharing personal information with third parties, appropriate contractual agreements will be in place to ensure the security and confidentiality of the information.

6. Incident Response and Reporting

6.1 Security Incident Management

An incident response plan is in place to detect, respond to and recover from security incidents promptly. All security incidents must be reported to the designated incident response teams.

6.2 Breach Notification

In the event of a data breach involving personal information, the following steps will be taken:

  • Assessment of the breach. The business will promptly assess the nature and extent of the privacy breach. This includes identifying what personal information has been compromised, how it happened and the potential consequences for individuals affected.
  • Containment and mitigation. The business will take immediate steps to contain the breach and mitigate its effects. This may involve stopping the unauthorised access, securing any affected systems or data and preventing further unauthorised disclosures.
  • Notification to affected individuals. Depending on the severity of the breach, the business may be required to notify affected individuals. Notification should be made as soon as practicable and include information about the nature of the breach, the types of personal information involved and any steps individuals can take to protect themselves.
  • Notification to the regulator. Where the business is required to comply with the Privacy Act 1988 (Cth), consideration must be given to the Notifiable Data Breaches Scheme, which requires eligible data breaches to be reported to the Office of the Australian Information Commissioner (OAIC).

An eligible data breach occurs when:

  • There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that the business holds.
  • This is likely to result in serious harm to one or more individuals.
  • The business has not been able to prevent the likely risk of serious harm with remedial action.

“Serious harm” is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial or reputational harm.

  • Record Keeping. The business must maintain records of the breach, including details of the incident, actions taken in response and any communications with affected individuals or regulatory authorities.
  • Review and Preventative Measures. Following a breach, the business must conduct a thorough review of its privacy practices and security measures to identify weaknesses or areas for improvement. Steps must be taken to address these issues and prevent future breaches.

7. Compliance

7.1 Legal and Regulatory Compliance

We are committed to complying with all applicable laws, regulations and industry standards related to information security and data privacy.

7.2 Policy Review

This policy will be reviewed regularly to ensure its effectiveness and compliance with changing legal and regulatory requirements.

8. Conclusion

Adherence to this Information Security and Privacy Procedures Policy is essential to safeguarding the confidentiality, integrity and availability of information assets at Elders Advantage Group. By following this policy, we demonstrate our commitment to protecting the privacy of our clients and maintaining the trust they place in us.


Effective Date: 1 July 2024
Version: 1.0