Drug and Alcohol Policy

Skill360 Australia is committed to ensuring systems and procedures are in place to promote and maintain a worker’s ability to perform their tasks safely and efficiently. Skill360 Australia acknowledges that the adverse effects of illicit drug use and/or alcohol can be a significant factor in workplace incidents and injuries; therefore all workers must be fit for work at all times.

The Chief Executive Officer is responsible for:

  • Improving and maintaining Skill360 Australia’s ability to meet its duty of care obligations;
  • Ensuring policies and procedures comply with legislation and best practice;
  • Ensuring that policies and systems are reviewed, communicated, relevant and appropriate to workers.

Skill360 Australia will:

  • Ensure that workers have completed an induction, are fully aware of and adhere to specific policies and procedures regarding drugs and alcohol usage applicable to Skill360 Australia and host employer sites relevant to work;
  • Promote programs that educate and support workers to make healthy lifestyle choices;
  • Provide a confidential Employee Assistance Program to help workers deal with personal or work related issues that could impair fitness for work;
  • Provide a confidential reporting process for Skill360 Australia workers to highlight abnormal peer workplace behaviour which may indicate unfitness for work;
  • Require potential workers, upon request, to undertake drug and alcohol testing and return a negative result, prior to being offered a position with Skill360 Australia; and
  • Consider refusal by a worker to undertake a Drug and/or Alcohol Assessment will be a breach of this policy.

Workers will:

  • Report to work in a fit state. Where a worker feels they are not fit for duty they should immediately notify their Manager;
  • Consent to Drug and Alcohol Assessments, where they are involved in an incident or near miss in the workplace. Where required, testing will be conducted as soon as practicable after the incident occurs;
  • Undertake drug and alcohol testing where Reasonable Cause is suspected, or as part of a random sampling program;
  • Provide a negative test result to the Human Resources Manager prior to returning to work, where a worker has tested positive to a drug and alcohol test; and
  • When conducting work on sites other than Skill360 Australia premises, workers must also comply with that site’s policies and procedures.

Skill360 Australia Definitions:

  • Abnormal Workplace Behaviour: In the context of this policy, is when other people notice that a person displays unusual workplace behaviour that is not the norm for that particular person.
  • Fatigue: Physical and/or mental exhaustion that can be triggered by stress, medication, overwork, or mental and physical illness or disease.
  • Drug and Alcohol Assessments: Various proven or legally approved test procedures to determine whether a worker has been affected by drugs and/or alcohol to a level, which may have a negative impact to themselves or others.
  • Illicit Drugs: Includes but is not limited to, heroin, cocaine, barbiturates, cannabis, Methylenedioxymethamphetamine (MDMA, Ecstasy), non-medical use of pharmaceutical drugs including painkillers, amphetamines, methadone, other opiates and steroids and the inappropriate use of volatile substances and other substances like ketamine or inhalants.
  • Negative Result: Is the result of a sample taken by an Approved Tester, which does not return a Positive Result.
  • Positive Result: Is the result of a sample taken by an Approved Tester which is positive for the presence of drugs above the limits outlined in “Table 1: Drug Testing Limits” or alcohol of 0.02 BAC or above and confirmed by a NATA accredited pathologist.
  • Pre-Employment Testing: Testing which may be requested prior to an individual being offered employment with Skill360 Australia.
  • Random Sampling: Testing conducted on an unannounced random basis, of a randomly selected group of workers.
  • Reasonable Cause: May include where abnormal workplace behaviour has been observed, or if there is other information or circumstance which indicates that an individual may not be fit for work, the worker may be required to undertake a Drug and/or Alcohol Assessment.
  • Work-Related Incident: Any incident, which occurs at the workplace, which causes a threat, near miss or actual harm, to the health and safety of workers.
  • Worker: Anyone who performs services for Skill360 Australia is a worker. If Skill360 Australia can control what will be done and how it will be done. This includes, but is not limited to, Directors, permanent/fixed term workers, casuals, contractors, apprentices, trainees and volunteers.
  • Employee Assistance Program (EAP): Work-based early intervention program aimed at the early identification and/or resolution of both work and personal issues that may adversely affect performance.
Fees, Charges and Refund Policy

Skill360 Australia will protect the best interests of students with regard to payment of tuition fees and refund of charges and will ensure sound financial and administrative systems support fair and equitable practices. This policy will apply to fees, charges and refunds for the provision of training conducted under Government Training Contracts and Fee for Service.

The Chief Executive Officer is responsible for:

  • Ensuring this policy and procedure complies with legislation, industry standards and best practice; and
  • Ensuring this policy and system is reviewed, communicated, relevant and appropriate to employees and stakeholders.

Skill360 Australia will:

  • Ensure potential students are notified of all fees and charges applicable to the delivery and assessment of a training course or qualification prior to an enrolment including payment terms, non-refundable administration fees and clearly identify which are compulsory and any incidental costs that may be applicable;
  • Ensure all promotional and marketing material clearly state all correct fees and charges to complete a course or qualification;
  • Where training is funded by a government training contract and requires a student contribution fee, the minimum specified under the funding agreement will be applied;
  • All student contribution fees will be reviewed annually to ensure compliance with contract agreements;
  • Follow the exemption, partial exemption and concessional clauses identified under funding agreements and retain evidence to support this claim;
  • Retain evidence of all fees and charges collected for training;
  • Protect all fees paid in advance by students to meet our obligations to learners and ensure compliance with industry standards;
  • Refund student contribution fees fairly to students and ensure their awareness of the refund policy and specific agreement of terms prior to enrolment;
  • Where students or employers fail to pay all fees and charges by the due date Skill360 Australia will manage the recovery of outstanding debts through debt recovery procedures.

Skill360 Australia Definitions:

  • Student –someone who is partaking in training and or assessment conducted by or on behalf of Skill360 Australia.  This includes those undertaking accredited qualifications and non-accredited courses, trainees and apprentices, corporate clients and fee for service students.
  • Student Contribution Fees – are a student’s contribution to the cost of tuition and is a charge that must be issued by the Registered Training Organisation as stipulated by the User Choice Contract. Student Contribution Fees under the User Choice program in 2014 – 2015 are set at $1.60 per nominal hour for each Unit of Competency/Module delivered.
  • Compulsory and Incidental Fees – The only compulsory cost to students is the tuition fee, incidental fees may include internet access, printing of notes or handouts not essential to delivery of the course.
  • Exemption – Can be claimed at the time of enrolment on the grounds of extreme hardship or other special circumstances as deemed appropriate by the Training Manager.
  • Partial Exemption – includes not more than 40% of the student contribution fee where the participant falls into one or more of the following categories:
    • The Participant was or will be under the age of 17 at the end of February in the year in which the Skill360 Australia provides training, and the Participant has not completed year 12;
    • The Participant holds or can obtain a health care card or pensioner card issued under Commonwealth law, or is the partner or a dependant of a person who holds a health care card or pensioner concession card, and is named on the card;
    • The Participant is an Aboriginal or Torres Strait Islander person. Acceptable evidence is as stated on the Training Contract and AVETMISS VET Enrolment Form.
Anti-discrimination, Sexual Harassment and Workplace Bullying Policy

Skill360 Australia promotes a work environment where a person in the workplace is treated fairly and with respect, and are free from unlawful discrimination, vilification and victimisation.

The Chief Executive Officer is responsible for:

  • Ensuring policies and procedures comply with legislation and best practice
  • Ensuring that policies and systems are reviewed, communicated, relevant and appropriate to workplace participants

Skill360 Australia will:

  • Commit to the principles of fair treatment and we seek to implement these principles in the conduct of our activities and relationships
  • Ensure a workplace free of any form of harassment or discrimination. This is conducive to a harmonious and productive workplace and this makes good business sense.
  • Not tolerate behaviour that is unlawful in discriminating, bullying or harassing (including sexual harassment).
  • Create a work environment where all persons in the workplace feel safe and are treated with dignity, courtesy and respect
  • Ensure that when employment decisions are made, they are based on merit, not on irrelevant attributes or characteristics that an individual may possess
  • Implement policies and awareness raising strategies to ensure that all persons know their rights and responsibilities
  • Provide an effective procedure for complaints based on the principles of procedural fairness
  • Treat all complaints in a sensitive, fair and a timely manner and in accordance with the Employee Grievance Guidelines
  • Guarantee protection from any victimisation or reprisals
  • Encourage the reporting of behaviour which breaches this policy
  • Not support unfounded or false complaints based on gossip, rumour or innuendo
  • Promote appropriate standards of professional conduct at all times
  • Ensure workers do not engage in any unlawful conduct towards other employees, customers/clients or others with whom they come into contact through work
  • Ensure workers do not aid, abet or encourage other persons to engage in unlawful conduct

Skill360 Australia Definitions:

  • Sexual harassment – Unlawful conduct of a sexual nature which has the possibility to make a person feel offended, humiliated and/or intimidated where that reaction is reasonable in the circumstances.
  • Discrimination – Less favourable treatment of a person in their employment because of a ground of discrimination. Grounds of discrimination include sex, relationship or parental status, race, age, impairment, religious or political beliefs, union activities, gender identity, sexuality, lawful sex work, pregnancy, breastfeeding, family responsibilities.
  • Bullying – A worker is bullied at work if, (i) an individual; or (ii) a group of individuals; Repeatedly behaves unreasonably towards the worker, or a group of workers of which the work is a member; and that behaviour creates a risk to health and safety.
  • Complaints – An expression of dissatisfaction made to Skill360, related to its people, processes, decisions, or the complaints handling process itself, where a response or resolution is expected.
  • Disciplinary Action – Formal process undertaken following misconduct or unsatisfactory work performance, which results in a decision being made regarding the employee. Disciplinary action follows the rules of procedural fairness and decisions range from no action to dismissal without notice.
  • Vilification – a public act which indicates hatred, severe contempt or severe ridicule of a person or group, because of race, homosexuality, transgender, transexuality or HIV/AIDS.
  • Victimisation – Where a person is retaliated against or subjected to a detriment because they have lodged a complaint, they intend to lodge a complaint or they are involved in a complaint of unlawful conduct.
  • Workplace Participant – Employee, client, customer or colleague at other organisations.
  • Worker – A person is a worker if the person carries out work in any capacity for a person conducting a business or undertaking, including work as: (a) an employee; or (b) a contractor or subcontractor; or (c) an employee of a contractor or subcontractor; or (d) an employee of a labour hire company who has been assigned to work in the person’s business or undertaking; or (e) an outworker; or (f) an apprentice or trainee; or (g) a student gaining work experience; or (h) a volunteer; or (i) a person of a prescribed class.
Conflict of Interest Policy

Skill360 Australia is committed to the highest standards of ethical conduct and accordingly places great importance on
making clear any existing or potential conflicts of interest.

As an organisation that is committed to the Child Safety Organisation National Principles, Skill360 (a part of The BUSY Group) is dedicated to creating a child safe culture – refer to our Child Safety and Well-being policy to see how we adopt broader strategies that promote and protect the safety and well-being of children and young people.

The Chief Executive Officer is responsible for:

  • Having transparent, effective policies and procedures for identifying, disclosing and managing conflicts of interest
  • Establishing a system for identifying and managing conflicts of interest in the form of detailed policies & procedures
  • Reducing the opportunities for corruption or improper conduct
  • Demonstrating a commitment to good governance
  • Demonstrating that Skill360 Australia performs its role in a fair and unbiased manner
  • Building an organizational culture that supports implementation of all relevant policies through appropriate education, training and enforcement activities
  • Receiving and investigating complaints regarding possible breaches of conflict of interest policy
  • Monitoring compliance with conflict of interest policy

Skill360 Australia will:

  • Ensure that all employees understand and comply with conflict of interest policy with respect to their own conflicts and potential conflicts of interest
  • Ensure employees are aware of their obligation to avoid conflicts of interest where possible, and manage those conflicts that cannot be avoided
  • Ensure employees assess their private and personal interests and whether they conflict, or have the potential to conflict, with their official duties
  • Ensure employees disclose conflicts of interest they may have in accordance with specified procedures
  • Ensure that employees formally review their position on conflict of interest at least annually

Skill360 Australia Definitions:

  • Actual Conflict of Interest – A situation in which an employee has personal or private interests sufficient to appear to influence the objective exercise of his or her official duties or where a conflict of interest causes an employee to experience a struggle between diverging interests, points of view, or allegiances.
  • Potential Conflict of Interest – arises where an employee has private or personal interests that could conflict with their Skill360 Australia duties.
  • Perceived Conflict of Interest – can exist where a third party could form the view that and employee’s private or personal interest could improperly influence the performance of their duties, now or in the future.
  • Private or Personal Interest -Often this is a financial interest, but could also be an interest that benefits or provides special advantage to a relative e.g. Spouse, child, etc.
  • Kickbacks, gratuities or bribes – Is money or other items of value given in secret to entice someone to provide information, influence a decision or induce a favorable outcome.
  • Accepted Business Practice – Making business decisions based on moral concepts and ethical judgments that on balance most people would accept as being reasonable.
  • Transparency – A situation in which business and financial activities are done in an open way without secrets so that people can trust that they are fair and honest.
  • Disclosure – The submission of facts or details concerning an asset, a situation or business operation
  • Employee – In general anyone who performs services for Skill360 is an employee if Skill360 can control what will be done and how it will be done. This includes, but is not limited to, Directors, permanent and fixed term employees, casuals, contractors, apprentices, trainees and volunteers.
Customer Feedback Process

Skill360 Australia, a part of The BUSY Group is committed to constant improvement and values all feedback from our customers.

View The BUSY Group’s Customer Feedback Process (PDF)

Privacy Policy

The purpose of this policy is to ensure Skill360 Australia meets its obligations under the Privacy Act 1988 (Act) and the Privacy
Amendment (Enhancing Privacy Protection) Act 2012 and the Australia Privacy Principles. Skill360 Australia respects an
individual’s right to privacy and this policy sets out how personal information is treated and collected.

The Chief Executive Officer is responsible for:

  • Establishing a system for managing the collection, storage, use and release of an individual’s personal information in the form of detailed policies and procedures;
  • Building an organisational culture that supports confidentially of information;
  • Ensuring policies and procedures comply with legislation and best practice.

Skill360 Australia will:

  • Collect personal information which may include the following types of information:
    • Name, address, contact details, date of birth, salary, bank and credit card details, medical information, criminal history, driver history, qualifications, licences and certificates, information about goods and services provided, information from enquiries made and communication between all parties;
    • Sensitive information will not be collected without permission from the individual and only where the information is necessary and relates directly to Skill360 Australia’s business functions.
  • Collect personal information in a variety of ways, including when a person or company interacts with Skill360 Australia electronically or in person; when accessing the website; and when services are provided to an individual or company;
  • Disclose to the individual where we obtained the information from;
  • Not use information or disclose information for direct marketing purposes or to overseas entities except in specified circumstances where Skill360 Australia has obtained prior consent and disclosed overseas recipients;
  • Use information for employment or training purposes and/or to provide services. Skill360 Australia may also use information to improve services and to notify of opportunities.
  • Skill360 Australia will not provide personal information to third parties, except to provide information to business partners who assist Skill360 Australia in the provision of services, after obtaining the individuals permission or where required by law;
  • Take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Skill360 Australia will destroy or de-identify personal information that is no longer required;
  • Ensure that access is provided to an employee’s personal information and updated by contacting the Human Resources Manager on telephone 13 2879 or email hr@thebusygroup.com.au;
  • Treat complaints regarding Skill360 Australia’s privacy practices seriously and will respond shortly after receiving written notice of a complaint;
  • Acknowledge that whilst some employee records are exempt under the Act, they are deserving of privacy protection and Skill360 Australia will take reasonable steps to ensure the security of information by restricting access and keeping employees personal information in a secure location;
  • Ensure staff obtain appropriate consent as necessary via the Privacy Authorisation Form prior to releasing requested personal information of a client, employee or student.

Skill360 Australia Definitions:

  • APP’s – Australian Privacy Principles as defined by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
  • Sensitive Information – As defined under section 6 of the Privacy Act 1988 and includes information relating to racial or ethnic origin, political opinions, religious beliefs, sexual preferences or criminal record etc.
  • Personal Information – Information which is identifiable as being about a specific individual.
  • Individual – means a natural person.
  • Confidential – Information that will not be disclosed unless required to do so under Australian Law or a legally binding contract Skill360 Australia has entered into.
  • Legally Binding Contract – Contract with the Australian Federal Government or Skill360 client whereby legal advice has confirmed no conflict with Australian Law exists.
Child Safety Policy

As an organisation that is committed to the Child Safety Organisation National Principles, Skill360 (a part of The BUSY Group) is dedicated to creating a child safe culture.

Please refer to our Child Safety and Well-being policy to see how we adopt broader strategies that promote and protect the safety and well-being of children and young people. 

Download Child Safety and Well-being Policy

Learner Support Strategy

Please click here to download our full learner support strategy document.

Student Handbook

Download a copy of our Student Handbook.

Refund Policy (RTO)

Skill360 Australia is committed to ensuring fair and reasonable refund practices.
Skill360 Australia will:

  • Ensure potential students are notified of all fees and charges applicable to the delivery and assessment of a training course or qualification prior to an enrolment. Including payment terms, non-refundable administration fees and clearly identify which are compulsory and any incidental costs that may be applicable
  • Ensure all promotional and marketing material clearly state all correct fees and charges to complete a course or qualification
  • All student contribution fees will be reviewed annually to ensure compliance with contract agreements
  • Follow the exemption, partial exemption and concessional clauses identified under funding agreements and retain evidence to support this claim
  • Retain evidence of all fees and charges collected for training
  • Protect all fees paid in advance by students to meet our obligations to learners and ensure compliance with industry standards
  • Refund student contribution fees fairly to students and ensure their awareness of the refund policy and specific agreement of terms prior to enrolment.

Click here for the Skill360 Australia Refund Policy

Appeals Policy (RTO)

Valid grounds for an appeal against an assessment decision (where the client feels the assessment decision is incorrect) could include the following:

a)  The judgement as to whether competency has been achieved and demonstrated was made incorrectly;

b)  The judgement was not made in accordance with the Assessment Plan;

c)  Alleged bias of the assessor;

d)  Alleged lack of competence of the assessor;

e)  Alleged wrong information from the assessor regarding the assessment process;

f)  Alleged inappropriate assessment process for the particular competency;

g)  Faulty or inappropriate equipment; and/or

h)  Inappropriate conditions.

Click here for the Skill360 Australia Appeals Policy

Customer Feedback Process

We appreciate all feedback to assist us in improving our service delivery to clients.

If you have feedback you can email info@skill360.com.au or call 1300 933 358

Download a copy of our Complaints Policy.

You can also download a copy of our Customer Feedback Process.

Information Security


The BUSY Group is committed to the confidentiality, security and availability of its information assets.

This policy and the supporting Information Security Management System (ISMS) policies, provide management direction and support for information security in accordance with operational requirements, relevant laws and regulations.

This policy is based on the principles and standards as defined in:

  • ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27002:2013: Information technology – Security techniques – Code of practice for information security management
  • ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management


The objectives of TBG’s ISMS are:

  • Provide compliance with the Right Fit For Risk Program
  • Provide TBG with a framework that embeds good practice within the organisation as it relates to information security
  • Provide partner organisations with confidence in our systems and processes


Through the adherence of this and supporting policies the Information Security Objectives of TBG are:

  • Reduce risk and minimise potential threats that may cause damage to TBG’s information
  • Ensure TBG’s information assets are available to staff and third parties as and when they are required
  • Ensure TBG staff, and other interested parties are aware of their roles and responsibilities in relation to the security of TBG’s information assets.


This policy applies to all The BUSY Group (TBG) staff, associated third parties; including but not limited to Directors, contractors, clients and visitors, information assets and physical sites. Specifically, this policy applies to all persons in roles as system owners and all persons in roles who are custodians of systems and data. This policy also applies to any new project work that has any information technology, processing or other infrastructure requirement or equipment.


Information is an asset that, like other important operational assets, is essential to The BUSY Group operations and consequently needs to be suitably protected.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it must be adequately protected.

Information security is the protection of information (including systems) from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximize return on investments and operational opportunities.

Information security is achieved by implementing a suitable set of controls (based on risk profile), including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and objectives of the organisation as met.

For each of the risks identified following the risk assessment, a risk treatment decision is made. Options for risk treatment include:

  • Applying appropriate controls to reduce the risks;
  • Knowingly and objectively accepting risks, providing they clearly satisfy the organisation’s policy and criteria for risk acceptance;
  • Avoiding risks by not allowing actions that would cause the risks to occur;
  • Transferring the associated risks to other parties, g. insurers or suppliers;
  • Or a combination of the above options to treat residual risk


Risk Assessment and Treatment

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the operational harm likely to result from security failures.

The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment must be repeated as often as necessary to address any changes that might influence the risk assessment results, but at least every 12 months.

Risk assessment must be completed as part of any project or hardware/software change or implementation, to make sure that whatever is being changed/implemented will not have a negative impact on exiting risks or creating new ones.

ITS Information security team will manage this process. The asset owners will ultimately decide on how to treat (mitigate, reduce, accept, transfer) the risk. The BUSY Group ITS risk assessment and treatment plans are held in Folio.

System Hardening

For any application or operating system, standard system hardening is completed. This includes a clean operating system should be reloaded onto any new or replacement infrastructure. Many off-the shelf operating systems are not developed with security in mind. Hence, to increase the security defence of the system it must undergo a hardening process which should include:

  • Applying all the latest patches
  • Disable unnecessary peripheral devices and removable media access
  • Limit privileged user functionality
  • Review and establish configuration control and management
  • Installing anti-virus software; and
  • Applying the Company’s security policy to the system
  • Disabling any unnecessary ports
  • Physical and logical access to diagnostic and configuration ports are controlled

Organisation of Information Security

Objective: To manage information security within the organisation.

A management framework must be established by ITS to initiate and control the implementation of information security within the organisation.

Management commitment to Information Security  

  • Management must actively support security within the through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

Allocation of information security responsibilities

  • All information security responsibilities must be clearly defined. This can be found in Roles and Responsibilities on this page.
  • Allocation of information security responsibilities must be done in accordance with this

Authorisation process for information processing facilities

  • A management authorisation process for all information processing facilities must be defined and

Independent review of information security

  • The approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) must be reviewed independently at planned intervals, or when significant changes to the security implementation occur. This is achieved via internal audit controls and external audit.

Asset Management

Objective: To achieve and maintain appropriate protection of all assets.

  • All assets classified as sensitive must be accounted for and have a nominated The nominated asset owner is responsible for delegating/approving access.

Responsibility for assets

Inventory of assets

  • All assets classified as sensitive must be clearly identified and an inventory of all-important assets drawn up and maintained.

Acceptable use of Assets

  • Rules for the acceptable use of information and assets associated with information processing facilities must be identified, documented, and implemented.

Information Classification Policy

Objective: To ensure that information receives an appropriate level of protection. Sensitive Information must be classified to indicate the need, priorities, and expected degree of protection when handling the information.

Classification guidelines:

Information must be classified in terms of its value, legal requirements, sensitivity, and criticality to the Company.

The BUSY Group Media Management and Classification Policy outlines this procedure.

Human Resources Security

During employment or engagement

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error.

  • Management responsibilities must be defined to ensure that security is applied throughout an individual’s employment within the Company.
  • An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities must be provided to all employees, contractors and third-party users to minimise possible security risks.
  • Policies must be in place to facilitate the investigation of alleged
  • Appropriate disciplinary action must be taken in respect of security

Termination or change of employment or engagement

Objective: To ensure that employees, contractors and third-party users exit the company or change employment in an orderly manner.

  • Procedures must be in place to ensure that when the employment or engagement of an employee or Affiliate ends, their exit from is managed, and that the return of all equipment and the removal of all access rights are completed.
  • Exit procedures should also be followed as far as appropriate where a staff member or affiliate is transferring to a new role or work location.

Physical and Environmental Security – ITS Data Centre

Objective: To prevent unauthorised physical access, damage, and interference to the organisation’s premises and information.

Physical security perimeter

  • Information processing facilities managed by the organisation must be physically separated from those managed by third parties.
  • Critical or sensitive information processing facilities must be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They must be physically protected from unauthorised access, damage, and interference.
  • A staffed reception area or other means to control physical access to the site or building must be in place; access to sites and buildings must be restricted to authorised personnel.

Physical entry controls

  • Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access
  • The date and time of entry and departure of visitors must be recorded, and all visitors must be supervised unless their access has been previously approved; they must only be granted access for specific, authorised purposes and must be issued with instructions on the security requirements of the area and on emergency procedures.
  • Access to areas where sensitive information is processed or stored must be controlled and restricted to authorised persons only; authentication controls, e.g. access control card plus PIN, must be used to authorise and validate all access; an audit trail of all access must be securely maintained;
  • All employees, contractors and third-party users and all visitors must be required to wear some form of visible identification and must immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification;
  • Third party support service personnel must be granted restricted access to secure areas or sensitive information processing facilities only when required; this access must be authorised and monitored;
  • Access rights to secure areas must be regularly reviewed and updated and revoked when

Working in secure areas

  • Physical protection and guidelines for working in secure areas must be designed and
  • Staff must only be aware of the existence of, or activities within, a secure area on a need to know basis;
  • Unsupervised working in secure areas must be avoided both for safety reasons and to prevent opportunities for malicious activities
  • Vacant secure areas must be physically locked and periodically checked
  • Photographic, video, audio or other recording equipment, such as cameras in mobile devices, must not be allowed, unless authorised.

Public access, delivery, and loading areas

  • Access points such as delivery and loading areas and other points where unauthorised persons may enter the premises must be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access.
  • Access to a delivery and loading area from outside of the building must be restricted to identified and authorised personnel;
  • The delivery and loading area must be designed so that supplies can be unloaded without delivery personnel gaining access to other parts of the building;
  • The external doors of a delivery and loading area must be secured when the internal doors are opened;
  • Incoming material must be registered in accordance with asset management procedures on entry to the site;
  • Incoming and outgoing shipments must be physically segregated, where

Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities.

Equipment siting and protection

  • Equipment must be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.
  • Equipment must be sited to minimise unnecessary access into work areas;
  • Items requiring special protection must be isolated to reduce the general level of protection required;
  • Controls must be adopted to minimise the risk of potential physical threats, g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism;
  • Guidelines for eating, drinking, and smoking in proximity to information processing facilities must be established;
  • Environmental conditions, such as temperature and humidity, must be monitored for conditions, which could adversely affect the operation of information processing facilities;
  • Lightning protection must be applied to all buildings and lightning protection filters must be fitted to all incoming power and communications lines;
  • Equipment processing sensitive information must be protected to minimise the risk of information leakage due to emanation (emitted or radiated).

Supporting utilities

  • Equipment must be protected from power failures and other disruptions caused by failures in supporting utilities.
  • All supporting utilities, such as electricity, water supply, sewage, heating/ventilation, and air conditioning must be adequate for the systems they are Support utilities must be regularly inspected and as appropriate tested to ensure their proper functioning and to reduce any risk from their malfunction or failure.
  • A suitable electrical supply must be provided that conforms to the equipment manufacturer’s

Secure disposal or re-use of equipment

  • All items of equipment containing storage media must be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
  • Devices containing sensitive information must be physically destroyed or the information must be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format This information must also be protected (i.e. not lost) as a result of this control.

Communications and Operations Management

Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

Documented operating procedures

  • Responsibilities and procedures for the management and operation of all information processing facilities must be established. This includes the development of appropriate operating procedures
  • Operating procedures must be documented, maintained, and made available to all users who need them.

Segregation of duties

  • Duties and areas of responsibility must be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets

Separation of development, test, and operational facilities

  • Development, test, and operational facilities must be separated, where possible, to reduce the risks of unauthorised access or changes to the operational system.

Controls against malicious code (including viruses)

Objective: To protect the integrity of software and information.

  • Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures must be implemented.
  • ITS managed equipment must be maintained with the most recent anti-virus vendor signature updates via a centrally managed console. The updates must be automatically distributed, with no manual intervention required by the end user or ITS.

Backup and Restore

Objective: To maintain the integrity and availability of information and information processing facilities.

  • Routine procedures must be established to implement back-ups processes across all ITS managed
  • The backup processes must be thoroughly tested and
  • Routine restores of data must be performed to confirm the restore

Network security management

Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

  • Networks must be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in

Security of network services

  • Security features, service levels, and management requirements of all network services must be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

Media Handling

Objective: To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to operational activities.

  • Media must be controlled and physically protected by the support
  • Appropriate operating procedures must be established to protect documents, computer media, input/output data and system documentation from unauthorised disclosure, modification, removal, and

Management of removable media

  • There must be procedures in place for the management of removable
  • Where sensitive classified information is stored on removal media, appropriate controls such as password protection and encryption must be applied at a minimum to protect the information.


Objective: To detect unauthorised information processing activities where assets are classified as sensitive.

Monitoring system use

  • Procedures for monitoring use of information processing facilities must be established and the results of the monitoring activities reviewed regularly.
  • The level of monitoring required for individual facilities must be determined by a risk
  • Must comply with all relevant legal requirements applicable to its monitoring

Protection of log information

  • Logging facilities and log information must be protected against tampering and unauthorised access
  • Controls must aim to protect against unauthorised changes and operational problems with the logging

Administrator and operations logs

  • System administrator and system operator activities must be
  • Logs must include:
    1. The time at which an event (success or failure) occurred;
    2. Information about the event (e.g. files handled) or failure (e.g. error occurred, and corrective action taken);
  1. Which account and which administrator or operator was involved;
  2. Which processes were
  • System administrator and operator logs must be reviewed on a regular Any abnormalities must be reported for further investigations.

Fault Logging

  • Faults must be logged, analysed, and appropriate action
  • Faults reported by users or by system programs related to problems with information processing or communications systems must be logged. There must be clear rules for handling reported faults including:
  • Review of fault logs to ensure that faults have been satisfactorily resolved;
  • Review of corrective measures to ensure that controls have not been compromised, and that the action taken is fully authorised.
  • It must be ensured that error logging is enabled, if this system function is

Clock synchronisation

  • The clocks of all relevant information processing systems within an organisation or security domain must be synchronised with an agreed accurate time source.
  • Where a computer or communications device has the capability to operate a real-time clock, this clock must be set to an agreed standard, e.g. Coordinated Universal Time (UTC). As some clocks are known to drift with time, there must be a procedure that checks for and corrects any significant
  • The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) must be taken into account.

Access Control

Operational requirement for access control

Objective: to control and facilitate the appropriate level of access for any user

  • To control access to
  • Access to information, information processing facilities, and operational processes must be approved on the basis of operational and security requirements by the nominated owner.
  • Anonymous access is not permitted to assets classified as
  • Access control rules and rights for each user or group of users must be clearly

User Access Management

Objective: To ensure authorised user access and to prevent unauthorised access to information systems.

  • Formal procedures must be in place to control the allocation of access rights to information systems and services.
  • The procedures must cover all stages in the life cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services.
  • Special attention must be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.
  • Access rights must be reviewed annually and bi-annually for privileged access to

User registration

  • There must be a formal user registration and de-registration procedure (user registration form) in place for granting and revoking access to all information systems and services.
  • The access control procedure for user registration and de-registration must include:
  • Using unique user IDs to enable users to be linked to and held responsible for their actions; the use of group IDs (role-based accounts) must only be permitted where they are necessary for operational reasons, and must be approved and documented;
  • Ensuring service providers do not provide access until authorization procedures have been completed;
  • Maintaining a formal record of all persons registered to use the service;
  • Immediately removing or blocking access rights of users who have changed roles or jobs or left the organisation;
  • Periodically checking for, and removing or blocking, redundant user IDs and accounts after inactivity for 90 days, deletion after 180 days;
  • Redundant user IDs are not to be issued to other

Privilege Management

  • The allocation and use of privileges must be restricted and
  • The principle of least privilege must be applied. Approved access by the asset owner must only be granted if it is deemed necessary to support a legitimate operational requirement.
  • Privileges must be assigned to a different user ID from those used for normal operational

Password Policy:

The following controls are be applied:

  • User-level passwords must be kept confidential. If your password has been compromised – change your password immediately.
  • User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
  • Passwords must not be inserted into email messages or other forms of electronic
  • Passwords must never be written down or stored
  • Passwords must never be included in
  • Initial passwords must be change on first time
  • Procedures to verify the identity of the requesting a new, replacement or temporary password must be followed by the persons performing the change.
  • Default vendor passwords must be altered following installation of systems or
  • Account must be disabled after 5 unsuccessful login attempts for account that access sensitive
  • The last 9 passwords must not be re-
  • Maintain separate passwords from internal and external system For example, do not use your online banking password within The BUSY Group.
  • A keyed hash must be used where E.g. SNMP
  • Passwords and passphrases cannot be changed more than once a day
  • Passwords must be changed every 90-days or less

All user-level and system-level strong passwords must conform to the following minimum of three of the following criteria, where possible:

  • Contain both upper- and lower-case characters (e.g., a-z, A-Z);
  • Have digits and punctuation characters as well as letters g., $%^&;
  • Is at least 14 characters long;
  • Is not a word in any language, slang, dialect, jargon,
  • Is not based on personal information, names of family,

Create a strong password that is easy to remember. Think of a phrase that you can easily remember.

E.g. “This May Be One Way To Remember” and the password could be: “RememberStruthIamTheONE!!”.

User Responsibilities

Objective: To prevent unauthorised user access, and compromise or theft of information and information processing facilities.

  • A clear desk and clear screen policy must be implemented to reduce the risk of unauthorised access or damage to papers, media, and information processing facilities for information classified as

Network Access Control

Objective: To prevent unauthorised access to networked services.

  • Access to both internal and external networked services must be

Policy on use of network services

  • Users will only be provided with access to the services that they have been specifically authorised to

User authentication for external connections

  • Appropriate authentication methods are required to control access for remote

Equipment identification in networks

  • Automatic equipment identification must be considered as a means to authenticate connections from specific locations and equipment.

Remote diagnostic and configuration port protection

  • Physical and logical access to diagnostic and configuration ports must be

Segregation in networks

Groups of information services, users, and information systems must be segregated on networks as per the Network Strategy.

Network connection control

  • For shared networks, especially those extending across the organisation’s boundaries, the capability of users to connect to the network must be restricted, in line with the access control policy and requirements of the business applications.

Network routing control

  • Routing controls are essential to ensure that computer connections and information flows do not breach the access control policy of the business applications.

Information Systems Acquisition, Development and Maintenance

Correct processing in applications

Objective: To prevent errors, loss, unauthorised modification or misuse of information in applications.

Input data validation

Data input to applications must be validated to ensure that this data is correct and appropriate.

Message integrity

Requirements for ensuring authenticity and protecting message integrity in applications must be identified, and appropriate controls identified and implemented where classified as sensitive.

Cryptographic controls

Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

Key management

  • Key management is in place to support the organisation’s use of cryptographic
  • All cryptographic keys must be protected against modification, loss, and In addition, secret and private keys need protection against unauthorised disclosure. Equipment used to generate, store and archive keys must be physically protected.
  • A key management system is based on the agreed set of standards, procedures, and secure methods for:
  • Generating keys for different cryptographic systems and different applications;
    • Generating and obtaining public key certificates; distributing keys to intended users, including how keys must be activated when received;
    • Storing keys, including how authorised users obtain access to keys;
    • Changing or updating keys including rules on when keys must be changed and how this will be done;
    • Dealing with compromised keys;
    • Revoking keys including how keys must be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an organisation (in which case keys must also be archived);
    • Recovering keys that are lost or corrupted as part of operational continuity management, g. for recovery of encrypted information;
    • Archiving keys, g. for information archived or backed up;
    • Destroying keys;
    • Logging and auditing of key management related activities;
    • Proactive renewal of expired keys, prior to expiration

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to The BUSY Group ITS Team as per the Cyber Breach and Incident Response plan.

ITS personnel will direct the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.

Security of system files

Objective: To ensure the security of system files.

Control of operational software

There must be procedures in place to control the installation of software on operational systems.

Access control to program source code

Access to program source code must be restricted.

Security in development and support processes

Objective: To maintain the security of application system software and information.

Change control procedures

The implementation of changes must be controlled by the use of ITS change control procedures.

Technical review of applications after operating system changes

  • When operating systems are changed, critical applications must be reviewed and tested to ensure there is no adverse impact on organisational operations or security as part of ITS change control

Restrictions on changes to software packages

  • Modifications to software packages must be discouraged, limited to necessary changes, and all changes must be strictly controlled as part of the ITS change control process.

Outsourced software development

Outsourced software development must be supervised and monitored by the organisation.

Technical vulnerability management

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management must be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Control of technical vulnerabilities

  • A centralised vulnerability management process must be
  • All information about technical vulnerabilities of information systems being used must be obtained from external authorities such as AUSCERT to a central point of control – The ITS Security team.
  • Vendor ratings will be
  • The organisation’s exposure to such vulnerabilities will be
  • An agreed timeline must be defined to react to notifications of potentially relevant technical
  • The appropriate measures in conjunction with the asset owner must be taken to address the associated risk.
  • A patch management process must be established, implemented and monitored for all systems, maintaining a minimum patch level of n-1. This process will be managed by the ITS change management process.
  • This will include an agreed (with ITS Relationship Managers) patch schedule for all ITS managed

Information Security Incident Management

Reporting information security events and weaknesses

Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

  • All employees, contractors and third-party users must be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organisational assets. They must report any information security events and weaknesses as quickly as possible to the designated point of contact.

Reporting and management of information security events

  • A formal information security event reporting procedure must be established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event.
  • Responsibilities and procedures must be in place to handle information security events and weaknesses effectively once they have been reported, (as per the ITS Incident Response process).
  • The first point of contact will be the ITS Helpdesk for all Information Security related events. Tickets will be generated for the ITS Security team.
  • The ITS security team will evaluate the information and determine the appropriate course of
  • Any non-authorised investigation outside the approval of the ITS Security team will be managed by disciplinary processes as per The Code of Conduct.
  • The existing ITS incident management process will be
  • A process of continual improvement will be applied to the response to, monitoring, evaluating, and overall management of information security incidents.

Where evidence is required, it must be collected to ensure compliance with legal requirements.

Business Continuity Management

Information Security Aspects of business continuity management

Objective: To counteract interruptions to operational activities and to protect critical processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

  • A business continuity management process must be implemented to minimize the impact on the organisation and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls.
  • This process must identify the critical processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.
  • The consequences of disasters, security failures, loss of service, and service availability must be subject to a business impact Business continuity plans must be developed and implemented to ensure timely resumption of essential operations. Information security must be an integral part of the overall business continuity process, and other management processes within the organisation.
  • Business continuity management must include controls to identify and reduce risks, in addition to the general risk assessment process, limit the consequences of damaging incidents, and ensure that information required for operational processes is readily available.


Information systems audit considerations

Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

  • There must be controls to safeguard operational systems and audit tools during information systems
  • Protection is also required to safeguard the integrity and prevent misuse of audit
  • Protection of information systems audit
  • Access to information systems audit tools must be protected to prevent any possible misuse or
  • Access to such applications must be via an authentication
  • Use of such tools must be authorised by the ITS Security Manager prior to installation/use.


For any exemptions to this policy, please complete the Security Exemption form for subsequent review/approval by the CISO.


Affiliate means a clinical title holder, an adjunct, conjoint or honorary appointee, a consultant or contractor to the Company, an office holder in a Company entity, a member of any Company Committee and any other person appointed or engaged by the Company to perform duties or functions on its behalf.

Asset means anything that has value to The BUSY Group.

Availability means continuity of operational processes and recoverability in the event of a disruption.

Confidentiality means ensuring that information is accessible only to those authorised to have access.

Control means a mechanism for managing risk. (E.g., Policy)

Data means both raw and processed data, including electronic data files, regardless of their storage media as well as information derived from processed data, regardless of the storage or presentation media.

Information asset is defined as any representation of knowledge concerning objects such as facts, events, things, processes, ideas or opinions that has a particular meaning within a certain context.

Information processing facilities means any information processing system, service or infrastructure, including the physical location housing them.

Information Security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction. It includes the preservation of confidentiality, integrity and availability of information.

Integrity means the context of completeness, accuracy and resistance to unauthorised modification or destruction,

ISMS means Information Security Management System as defined by ISO 27001.

Removable media means tapes, disks, flash disks, removable hard drives, CDs, DVDs, and printed media.

Risk is the chance of an event occurring that could have a negative or positive impact on the Company achieving its objectives.

Risk Assessment means the process which considers information assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.

Secure areas is where access is limited to authorised personnel only.

Sensitive data includes information assets classified at Internal or X-In-Confidence as per the Information Classification Policy



Client Information Security Officer (CISO) – the CISO is responsible for the governance and dissemination of this document within The BUSY Group.

Information Technology Security Manager (ITSM) – The ITSM is tasked with maintaining and updating this document on annual basis

Information Technology Administration Officer (ITSAO) – the ITSAO is responsible for the implementation, ongoing upkeep and delivery of the stipulations of this document.

Managers – Managers are responsible for the authorisation/registration and deregistration of access to BUSY Group data and/or systems. Managers are to ensure that staff members are aware of the contents and the location of this policy, and that the policy is readily available for staff to view. It is each Manager’s responsibility to ensure that any security affecting their area meets their business needs, and if it doesn’t, to raise the matter with the Security Manager as a matter of urgency.

Staff – All other personnel are responsible for reading and understanding their obligations in relation to this document in the context of their relevant area of expertise. Staff members are responsible for ensuring they undertake appropriate security measures to protect BUSY Group assets.

Operational responsibilities – All BUSY Group information assets must be kept secure and all its personnel are responsible and accountable for its protection. Non-compliance with these responsibilities will be dealt with by appropriate measures ranging from disciplinary to legal action.


This policy will be reviewed annually or when legislated updates are enforced by TBG, whichever is sooner.

Accessibility Action Plan

Download a copy of The BUSY Group Accessibility-Action-Plan-2020-1 (PDF)

Important information you need to be aware of

This page contains information regarding how Skill360 Australia conducts business and sets out important details. Please take the time to read through our policies.

If you have any questions regarding information contained in these policies please contact us on 1300 933 358 or email: quality-compliance@skill360.com.au.

Printed copies of these policies are available on request.

Skip to content