Information Technology and Data Policy
Category: Business Services
Status: Draft
Version: 1
Drafted by: Anne Stewart
Date finalised: 31 October 2025
Date last updated: 1 December 2025
Next review date: 1 December 2026
Person responsible: Manager Business Services
Purpose
To establish clear standards for the use, access, and protection of information technology resources and data belonging to Dragonfly Dance.
Scope
Applies to all employees, contractors, and volunteers of Dragonfly Dance (Move Through Life Pty Ltd) who access or handle company systems, devices, or data.
Rationale
Dragonfly Dance relies on digital systems to manage its business operations, client information, and communication.
Protecting data and IT systems is essential to maintaining client trust, complying with privacy legislation, and preventing disruptions to operations.
This policy ensures that all staff understand their responsibilities in safeguarding company systems, digital files, and confidential information.
Definitions
Data: Any information, digital or physical, relating to clients, staff, finances or operations.
Confidential information: Non-public information including client details, staff records, financial data and internal documentation.
IT resources: All hardware, software, systems and digital tools provided or authorised by Dragonfly Dance (eg Mindbody, Connect Team, email accounts, shared drives).
Personal devices: Employee-owned devices (laptops, phones, tablets) used to access work systems.
Data breach: Any incident that results in unauthorised access, disclosure, or loss of company data.
Policy
Dragonfly Dance will protect all company and client data through secure systems, authorised access, and responsible digital practices. Access to company systems is provided based on role requirements.
Staff must not request or share access with others unless authorised by the Business Services Manager or Studio Owner.
All employees are responsible for safeguarding login details, devices, and confidential data.
Personal devices used for work must have strong passwords, up-to-date software, and screen locks enabled.
Use of a personal device requires prior approval from the Business Services Manager or Studio Owner.
The Business Services and Marketing Teams are responsible for ensuring all data entry and communication comply with privacy and confidentiality standards.
Breaches or suspected breaches must be reported immediately to the Business Services Manager.
Password and access control
Passwords must be at least 8 characters and include a mix of letters, numbers, and symbols.
Passwords must not be reused across systems.
Shared logins should be avoided wherever possible; individual accounts must be used.
Access will be reviewed regularly and revoked when staff leave or change roles.
Data storage and transmission
All client and business data must be stored in approved systems (eg Mindbody, Connect Team, OneDrive).
Confidential files should not be sent through personal email or messaging apps.
Sensitive attachments must be password-protected or shared via secure links.
Backups should be completed regularly and stored securely.
Soft copies of personal information should be shredded when obsolete (a new form has been completed, the information is no longer used, or the employee, contractor or client leaves the business).
Personal device use
Use of personal devices for work purposes requires prior approval.
Devices must be password-protected, with antivirus software installed and auto-updates enabled.
Company data must be deleted from personal devices upon termination of employment or at management’s request.
Company documents and information are to be accessed only from the approved location, and no copies are to be held on personal drives.
Paperwork and physical data
Hard copy documents containing personal or sensitive information must be stored securely in locked cabinets or restricted-access areas.
Paperwork should not be left unattended on desks or in public areas.
When no longer required, physical documents must be securely destroyed using shredding or confidential disposal bins.
Printed copies of digital files should only be made when necessary and should follow the same security and storage standards.
Data retention and disposal
Company data (digital or physical) must be retained only for as long as necessary to meet legal, operational, or contractual requirements.
Outdated or redundant data must be deleted or destroyed in a secure and irreversible manner.
Incident reporting and breaches
Any suspected data loss, breach, or unauthorised access must be reported immediately to the Business Services Manager or the Studio Owner.
The Manager or Studio Owner will assess the severity, notify affected parties if necessary, and take corrective action.
Serious incidents may be escalated to the Studio Owner or relevant external authorities.
Related policies and documents
Working From Home Policy
Confidentiality Agreement
Right to Disconnect Policy
Code of Conduct
Privacy and Records Management Policy
Breaches
Non-compliance with this policy may result in disciplinary action, termination of employment, or legal consequences depending on the severity of the breach.
Responsibilities
Studio Owner:
Ensure sufficient resources and systems are in place to maintain data security and compliance with privacy laws.
Business Services Manager:
Oversee IT access permissions and data protection compliance.
Ensure staff are trained in safe digital practices.
Monitor system security and coordinate responses to breaches.
Maintain records of authorised users and access levels.
Ensure regular backups of key business data.
Employees:
Use only approved devices and applications for Dragonfly Dance business.
Protect passwords and never share them with others.
Lock screens when leaving devices unattended.
Report lost or stolen devices immediately.
Store documents only in approved locations (eg company shared drives or Mindbody).
Avoid clicking suspicious links or downloading unauthorised software.
Dispose of physical documents securely (shredding or confidential waste bin).



