1. Who We Are
FocusIMS (“we,” “our,” or “us”) provides compliance and management system software solutions through our website https://focusims.com.au and our Software as a Service (SaaS) platform (“the Services”).
We are committed to protecting the privacy, confidentiality, and security of personal, client, employee, and supplier information entrusted to us. Our practices comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. Scope of This Policy
This policy applies to:
- Visitors to our website
- Customers, users, and administrators of our SaaS platform
- Employees, contractors, and suppliers whose data is entered into our system by customers
- Any personal and business information collected in the course of providing our Services
3. What Data We Collect
Website Visitors
- Comments and Contact Forms: Information you provide (e.g., name, email, message content).
- Cookies and Analytics: Browser type, IP address, device identifiers, and browsing activity.
- Media Uploads: If you upload images, embedded metadata (e.g., GPS location) may be visible to others.
SaaS Users and Customers
When you or your organisation subscribe to our Services, we may collect:
- Account Information: Name, email, role, organisation details, billing information.
- Platform Usage Data: User activity logs, login times, audit trails.
- Client, Employee, and Supplier Data: Information uploaded or entered into the system by your organisation, including (but not limited to) employee records, supplier details, compliance documentation, and operational records. This data remains your organisation’s property; we act as a data processor/host.
4. How We Use Your Data
We use personal, client, employee, and supplier information to:
- Deliver and improve our Services.
- Manage customer accounts, billing, and technical support.
- Monitor system performance and security.
- Comply with legal and regulatory obligations (including the Privacy Act 1988 (Cth)).
- Communicate important updates, product information, and security notices.
We do not sell your data to third parties.
5. Information Security
We implement technical, administrative, and physical safeguards to protect your information, including:
- Australian Data Centre: All SaaS data is stored and maintained in a secure Australian Data Centre.
- Encryption: Data in transit is protected using TLS/SSL, and sensitive data at rest is encrypted.
- Access Controls: Role-based access, multi-factor authentication (where available), and least-privilege principles.
- Monitoring and Logging: Continuous monitoring for security threats and audit logging of system activity.
- Secure Development Practices: Regular updates, vulnerability assessments, and penetration testing.
6. Data Retention
- Website comments and form submissions may be retained indefinitely for spam detection, analytics, and record-keeping.
- SaaS customer data (including client, employee, and supplier records) is retained for the duration of the subscription. Upon termination, data will be deleted or returned within 90 days, unless legal obligations require longer retention.
7. Data Sharing and Third Parties
We may share limited information with:
- Service Providers (e.g., cloud hosting providers, payment processors) under confidentiality and data protection agreements.
- Integration Partners where you have chosen to activate integrations with third-party services.
- Regulatory or Legal Authorities if required by law.
We do not share customer data with unrelated third parties.
8. Your Rights
Under the Privacy Act 1988 (Cth) and the APPs, you may request to:
- Access, correct, or delete your personal information.
- Restrict or object to certain processing activities.
- Export your data in a structured format.
Requests can be made by contacting us at privacy@focusbis.com.au.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Remember login sessions and user preferences.
- Analyse usage trends to improve our Services.
- Support essential platform functionality.
You may disable cookies in your browser settings, but this may affect functionality.
10. Breach Response
In the event of a data breach, we will:
- Immediately investigate and contain the incident.
- Notify affected customers promptly, consistent with the Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988 (Cth).
- Report the breach to the Office of the Australian Information Commissioner (OAIC) and, where applicable, the Australian Cyber Security Centre (ACSC) via cyber.gov.au, in line with Australian Government requirements.
- Provide recommendations and support to affected customers.
- Take corrective measures to prevent recurrence.
11. International Data Transfers
If data is transferred outside of Australia, we ensure it is protected by appropriate safeguards, such as contractual clauses and compliance with applicable privacy frameworks.
12. Automated Decision-Making and Profiling
We do not use automated decision-making that produces legal or significant effects on individuals. Platform analytics may be used to improve performance and usability.
13. Contact Us
For privacy or security inquiries, please contact:
Email: privacy@focusbis.com.au
Phone: 1300 601 008
Mailing Address: 102 Liamena Ave, San Remo NSW 2262
Appendix A: ISO/IEC 27001:2022 Information Security Controls
1. Organisational Controls
- Information Security Policies (5.1)
A documented Privacy and Information Security Policy governs the protection of client, employee, and supplier data.
- Information Security Roles & Responsibilities (5.2)
Roles for system administration, data handling, and incident response are clearly defined.
- Contact with Authorities & Special Interest Groups (5.5, 5.6)
Breaches are reported in line with the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) Scheme, and to the Australian Cyber Security Centre (cyber.gov.au).
- Project Management (5.8)
Information security is embedded into the design, development, and rollout of new features and integrations.
- Inventory of Information & Assets (5.9)
Customer, employee, and supplier data is classified as Confidential.
- Acceptable Use & Information Labelling (5.10, 5.12)
Data is labelled and handled according to sensitivity. SaaS data is restricted to authorised users.
- Supplier Relationships (5.19–5.23)
Due diligence and contractual safeguards are in place for service providers and integration partners.
- Incident Management (5.24–5.26)
Defined breach response process, including containment, reporting, and customer notification.
- Business Continuity & Disaster Recovery (5.29–5.30)
Backups, redundancy, and recovery procedures are tested regularly.
- Compliance (5.31–5.36)
Compliance with the Privacy Act 1988 (Cth), Australian Privacy Principles (APPs), and contractual obligations.
2. People Controls
- Screening & Onboarding (6.1–6.2)
Background checks and confidentiality agreements are applied to staff and contractors.
- Information Security Awareness, Training, and Education (6.3)
Staff receive regular training on privacy, security, and acceptable use.
- Disciplinary Process (6.4)
Clear procedures exist for violations of information security policies.
- Termination & Change of Employment (6.5)
Access rights are revoked promptly when staff leave or change roles.
3. Physical Controls
- Physical Security Perimeter & Entry Controls (7.1–7.2)
All SaaS data is stored in a secure Australian Data Centre with access restrictions, CCTV, and monitoring.
- Protecting Equipment & Supporting Utilities (7.3–7.5)
Data Centre facilities provide redundant power, fire suppression, and environmental controls.
- Secure Disposal of Media (7.10)
Storage devices are securely wiped or destroyed before disposal.
4. Technological Controls
- Access Control (8.1–8.5)
Role-based access control (RBAC), least-privilege principles, and multi-factor authentication are used.
- Identity Management & Authentication (8.6–8.7)
User accounts are uniquely identifiable, and strong password policies are enforced.
- Cryptography (8.10)
Data in transit is encrypted via TLS/SSL. Sensitive data at rest is encrypted.
- Secure Development Lifecycle (8.25–8.28)
Secure coding practices, vulnerability scanning, and penetration testing are part of the SDLC.
- Monitoring & Logging (8.15–8.16)
Continuous system monitoring and centralised audit logging for security events.
- Protection Against Malware & Technical Vulnerabilities (8.7, 8.8)
Regular patch management, endpoint protection, and vulnerability assessments.
- Data Leakage Prevention (8.12)
Controls in place to prevent unauthorised extraction of data.
- Backup (8.13)
Regular encrypted backups stored in geographically separate Australian facilities.
- Network Security (8.20–8.21)
Segregation of environments, intrusion detection, and firewall protections.
- Data Deletion & Information Erasure (8.11)
Secure deletion processes ensure customer, employee, and supplier data is wiped at contract termination.