Data Protection & Cybersecurity Policy
Effective Date: 01 January 2025
Contact Email: enquiries@divergentedge.com.au | Contact Phone: 0413 174 495
1. Purpose
The purpose of this policy is to ensure that Divergent Edge Strategies ("we", "our", "us") protects all information assets — including client data, company data, and personal information — against loss, damage, unauthorised access, and misuse. This policy supports our compliance obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and relevant cybersecurity best practice standards (including the ACSC Essential Eight).
2. Scope
- All employees, contractors, consultants, suppliers, and third parties with access to company systems or information.
- All devices, networks, and platforms used to store, transmit, or process information for Divergent Edge Strategies, including personal devices authorised under BYOD arrangements.
3. Definitions
- Data: Any information, regardless of format, that is created, stored, or transmitted in the course of business.
- Personal Information: Defined under the Privacy Act 1988, including identifiable personal details of clients, suppliers, or employees.
- Cybersecurity Incident: An event that compromises the confidentiality, integrity, or availability of information systems.
- Encryption: The process of converting data into a secure code to prevent unauthorised access.
4. Policy Statement
We will implement robust data protection and cybersecurity measures to safeguard the confidentiality, integrity, and availability of information; prevent unauthorised access, use, disclosure, alteration, or destruction of data; and ensure compliance with legal, contractual, and ethical obligations.
5. Security Measures
Technical Controls
- Multi-Factor Authentication (MFA) for all remote access and sensitive systems
- End-to-end encryption for data storage and transmission
- Firewalls, anti-malware software, and intrusion detection systems
- Regular patching and software updates
Administrative Controls
- Role-based access controls to limit data access to authorised personnel only
- Security awareness training for all employees
- Background checks for staff and contractors handling sensitive data
Physical Controls
- Restricted access to physical offices and data centres
- Secure disposal of printed documents and storage devices
6. Data Handling Requirements
- Store sensitive information only in approved secure systems
- Do not transmit sensitive information over unsecured networks
- Use company-approved cloud services that meet Australian privacy requirements
- Backups must be performed regularly and stored securely, both onsite and offsite
7. Incident Response
- Notify the Director or designated Security Officer immediately
- Contain and mitigate the incident to prevent further damage
- Investigate the cause and document findings
- Notify affected parties and regulators where legally required (in line with the Notifiable Data Breaches scheme)
8. Responsibilities
- Management: Ensure resources and training are in place to maintain compliance
- Employees & Contractors: Follow all security protocols and report incidents immediately
- IT Support Providers: Maintain system security and support compliance monitoring
9. Compliance & Breaches
Non-compliance with this policy may result in disciplinary action (including termination of employment or contract), legal consequences under Australian law, and termination of supplier or contractor agreements.
10. Review & Updates
This policy will be reviewed annually or after any significant change in legislation, business operations, or threat landscape.
Approved by: Director – Divergent Edge Strategies
Effective Date: 01 January 2025