Purpose
Client Management Systems Ltd. (CMS) is committed to upholding the confidentiality, integrity, and availability of all information assets. The information below defines CMS's information security principles, which are aligned with ISO/IEC 27001:2022, the international standard for information security management, and establishes the foundational framework for its Information Security Management System (ISMS).
CMS follows the requirements of ISO/IEC 27001:2022, which include maintaining secure systems, implementing access control measures, regularly conducting risk assessments, and ensuring continuous compliance with applicable data protection and information security obligations.
Scope
This policy applies to all CMS employees, contractors, and third parties involved in the development, operation, or support of CMS systems and information assets. It covers all data managed by CMS, including customer and contract data associated with Accident Compensation Corporation (ACC) contracts.
Information Security Commitments
CMS is committed to:
- Protection of Sensitive Data: Safeguarding client, contract, and company information from unauthorized access, use, or disclosure.
- Maintenance of Availability: Ensuring system uptime and resilience, with defined recovery objectives to support business continuity.
- Compliance: Adhering to the New Zealand Privacy Act 2020, ISO/IEC 27001:2022, and all relevant contracts with suppliers and clients.
- Continuous Improvement: Regularly reviewing and updating controls to address evolving security risks and industry best practices.
Data Protection
CMS enforces a comprehensive approach to data protection, ensuring that all personal and sensitive information is managed in accordance with applicable laws and best practices. Key data protection measures include:
- Lawful Collection and Processing: Personal information is collected and processed only for legitimate business purposes, as defined by the New Zealand Privacy Act 2020, and in accordance with data minimization and purpose limitation principles.
- Access Control: Access to personal and sensitive data is strictly limited to authorized personnel based on role and business need, following the principle of least privilege.
- Encryption: CMS applies AES-256 encryption for data at rest and Transport Layer Security (TLS) protocols for data in transit, ensuring robust protection against unauthorized access or interception.
- Third-Party Management: All third parties and contractors handling CMS data are contractually required to comply with CMS’s Data Protection and Information Security Policies.
- Incident Response: CMS maintains procedures for prompt detection, reporting, and response to any data breaches or unauthorized disclosures. Affected individuals and regulatory authorities are notified in accordance with legal requirements.
- Ongoing Review: Data protection practices are regularly reviewed and updated to reflect changes in technology, regulation, and risk landscape. Compliance is monitored through internal audits and risk assessments.
Privacy, Collection, and Use of Personal Information
CMS is committed to respecting and protecting the privacy of all individuals whose personal information we collect and process. Our practices are governed by the New Zealand Privacy Act 2020 and are aligned with international best practices for information security and privacy.
- Collection of Personal Information: CMS collects personal information only for legitimate business purposes, such as responding to inquiries, providing services, fulfilling contractual obligations, and complying with legal and regulatory requirements. Information collected may include, but is not limited to:
  - Name and contact information (e.g., email address, telephone number).
  - Job title or professional affiliation (if voluntarily disclosed).
  - Technical information (e.g., IP address, browser type, cookies, referring URLs).
- Use and Processing: Personal information is processed lawfully, fairly, and transparently. CMS ensures that data is used solely for the purposes for which it was collected, in accordance with the principles of data minimization and purpose limitation. We do not use personal information for unrelated or unauthorized purposes.
- Individual Rights: In accordance with the New Zealand Privacy Act 2020, individuals are entitled to the following rights:
  - The right to access their personal information held by CMS.
  - The right to request correction of any inaccurate or incomplete information.
  - The right to be informed about how their information is used, stored, and disclosed.
  - The right to withdraw consent where processing is based on consent.
- Disclosure to Third Parties: CMS does not engage in the sale of personal information.
  Information may be disclosed under the following conditions:
  - When mandated by law or legal process.
  - When necessary to fulfil a requested service, such as through authorized service providers operating under contractual agreements.
  - When the individual has granted explicit consent for disclosure.
  - When necessary to satisfy obligations stipulated in CMS’s ACC contracts.
- Security and Safeguards: CMS enforces the following security measures to safeguard personal information:
  - Encryption: AES-256 for data at rest and Transport Layer Security (TLS) for data in transit.
  - Access Control: Role-based access control and the principle of least privilege.
  - Incident Detection and Response: Continuous monitoring of systems to identify unauthorized activity.
  - Ongoing Risk Assessment: Periodic evaluation of controls and data flows.
  - Compliance Audits: Regular internal reviews, with oversight provided by the Chief Operations Officer.
- Cookies and Analytics: CMS may use cookies and analytics tools to enhance website functionality and user experience. Users can manage their cookie preferences via browser settings.
- Breach Notification: In the event of a privacy breach that has caused, or is likely to cause, serious harm to affected individuals (a notifiable privacy breach under the Privacy Act 2020), CMS will notify the affected individuals and the Office of the Privacy Commissioner as soon as practicable, in accordance with our Incident Management Policy.
Roles and Responsibilities
- Directors: Provide strategic direction and oversight of information security.
- Chief Operations Officer: Manages the ISMS and ensures implementation of this policy.
- Employees and Contractors: Must comply with all security policies and procedures.
- Third Parties: Required to adhere to CMS’s security expectations throughout their engagement.
Security Awareness
All personnel receive information security awareness training appropriate to their roles. Employees and contractors are made aware of their responsibilities to mitigate risks and protect data.
Monitoring and Compliance
CMS monitors compliance through audits, analytical reporting, and management reviews. Any breaches or exceptions are managed according to established internal procedures.
Risk Management
CMS employs a structured, proactive approach to identifying and managing risks that may affect its information systems and services. This includes:
- Proactive risk identification and assessment.
- Implementation of risk treatment options (mitigation, avoidance, or transfer).
- Maintenance of a formal risk register and regular reviews.
- Continuous monitoring and adaptation to emerging threats.
Cryptographic Controls
CMS enforces strong encryption for data at rest and in transit:
- Data at Rest: AES-256 (Advanced Encryption Standard) for databases, file storage, and backups.
- Data in Transit: Use of TLS for securing communications, including email and file transfers.
- Cloud and SaaS: Use of providers that implement internationally recognized encryption standards.
- Regular review of cryptographic processes to ensure compliance and effectiveness.
Policy Oversight
CMS regularly reviews and updates this policy to reflect changes in risks, regulatory requirements, and best practices. Compliance is monitored systematically, and failure to comply may result in corrective measures or access termination.
Disclaimer
The information above outlines CMS’s commitments to information security and data protection. The internal procedures, assessments, and implementation details are governed by CMS's ISO/IEC 27001:2022 ISMS and can be made available to clients or partners upon request, subject to a non-disclosure agreement (NDA).
Requests can be submitted via our website or directed to our Privacy Officer (Chief Operations Officer):
Privacy Officer
17B Farnham Street
Parnell
Auckland 1052
New Zealand
Last Updated: 24 May 2025