Publication date: January 2020

A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure. For good privacy practice purposes, this response plan also covers any instances of unauthorised use, modification or interference with personal information held by McKee Creative. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals and entities.

This response plan is intended to enable McKee Creative to contain, assess and respond to data breaches quickly. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.

The plan sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist McKee Creative to respond to a data breach.

Data breach response team

The McKee Creative Executive is Michael Schwarzel, Director, SkyM8 Pty Ltd (T/A McKee Creative)
The Chief Privacy Officer is Joanne McKee
The Systems Administrator is Mihai Mapetrei

When should a data breach be escalated to McKee Creative’s data breach response team?

Directors to use discretion in deciding whether to escalate to the response team
‍Some data breaches may be comparatively minor, and able to be dealt with easily without action from the data breach response team (response team).

For example, a McKee Creative officer may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled (only relates to internal emails), or if the officer can contact the recipient and obtain an assurance that the recipient has deleted the email, it may be that there is no utility in escalating the issue to the response team.

Directors should use their discretion in determining whether a data breach or suspected data breach requires escalation to the response team. In making that determination, Directors should consider the following questions:

Are multiple individuals affected by the breach or suspected breach?
Is there (or may there be) a real risk of serious harm to any of the affected individual(s)?
Does the breach or suspected breach indicate a systemic problem in OAIC processes or procedures?
Could there be media or stakeholder attention as a result of the breach or suspected breach?

If the answer to any of these questions is ‘yes’, then the Director should attempt immediate verbal contact with the Chief Privacy Officer, or if this is not possible, another primary response team member.

The checklist below sets out the steps that the response team will take in the event of a serious data breach.

Directors should inform the Chief Privacy Officer of minor breaches

If a Director decides not to escalate a minor data breach or suspected data breach to the response team for further action, the Director should:

Send a brief email to the Chief Privacy Officer that contains the following information:
- description of the breach or suspected breach
- action taken by the Director or McKee Creative officer to address the breach or suspected breach
- the outcome of that action, and
- the Director’s reasons for their view that no further action is required
Save of copy of that email in the following container: Data Breach Response – reports and investigation of data breaches within McKee Creative

McKee Creative data breach response process

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, the response team may need to include additional staff or external experts, for example an IT specialist/data forensics expert or a human resources adviser.

There are four key steps to consider when responding to a breach or suspected breach.

Step 1: Contain the breach
Step 2: Assess the risks associated with the breach
Step 3: Consider breach notification
Step 4: Review the incident and take action to prevent future breaches

The response team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession. At all times, the response team should consider whether remedial action can be taken to reduce any potential harm to individuals.

The response team should refer to the checklist below which provides further detail on each step.

Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.

Following serious data breaches, the response team should conduct a post-breach review to assess McKee Creative’s response to the breach and the effectiveness of this plan and report the results of the review to the McKee Creative Executive. The post-breach review report should identify any weaknesses in this response plan and include recommendations for revisions or staff training as needed.

Testing this plan

Members of the response team should test this plan with a hypothetical data breach annually to ensure that it is effective. As with the post-breach review following an actual data breach, the response team must report to the McKee Creative Executive on the outcome of the test and make any recommendations for improving the plan.

Records management

Documents created by the response team, including post-breach and testing reviews, should be saved in the following container:

Data Breach Response – reports and investigation of data breaches within McKee Creative

Reporting

The internal handling of personal information will be an agenda item on the Executive group meetings at least once each quarter and include a report of any privacy complaints against McKee Creative and internal data breaches.

The Chief Privacy Officer is responsible for the preparation of reports on internal data breaches.

McKee Creative’s Data Breach Response Checklist

Step 1: Contain the breach

Notify the Chief Privacy Officer, who may convene the data breach response team.
Immediately contain breach:
- Consider whether the systems administrator needs to be advised.
Consider whether team needs other expertise
Inform the McKee Creative Executive as soon as possible; provide ongoing updates on key developments.
Ensure evidence is preserved that may be valuable in determining the cause of the breach, or allowing McKee Creative to take appropriate corrective action.
Consider a communications or media strategy to manage public expectations and media interest.

Step 2: Assess the risks for individuals associated with the breach

Conduct initial investigation, and collect information about the breach promptly, including:
- the date, time, duration, and location of the breach
- the type of personal information involved in the breach
- how the breach was discovered and by whom
- the cause and extent of the breach
- a list of the affected individuals, or possible affected individuals
- the risk of serious harm to the affected individuals
- the risk of other harms
Determine whether the context of the information is important.
Establish the cause and extent of the breach.
Assess priorities and risks based on what is known.
Keep appropriate records of the suspected breach and actions of the response team, including the steps taken to rectify the situation and the decisions made.

Step 3: Consider breach notification

Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.
Determine whether and how to notify affected individuals – is the breach likely to result in serious harm to any of the individuals to whom the information relates and McKee Creative has not been able to prevent the likely risk of serious harm through remedial action. In some cases, it may be appropriate to notify the affected individuals immediately; e.g., where there is a high-level of risk of serious harm to affected individuals.
Consider whether others should be notified, including police/law enforcement, or other agencies or organisations affected by the breach or can assist in containing the breach or assisting individuals affected by breach, or where McKee Creative is contractually required or required under the terms of an MOU or similar obligation to notify specific parties.

Step 4: Review the incident and take action to prevent future breaches

Fully investigate the cause of the breach.
Implement a strategy to identify and address any weaknesses in data handling that contributed to the breach
Conduct a post-breach review and report to the McKee Creative Executive on outcomes and recommendations:
- Update security and response plan if necessary.
- Make appropriate changes to policies and procedures if necessary.
- Revise staff training practices if necessary.
- Consider the option of an audit to ensure necessary outcomes are effected

Publication date: January 2020

McKee Creative recognises its talented and diverse workforce as a key competitive advantage.

Our business success is a reflection of the quality and skill of our people. McKee Creative is committed to seeking out and retaining the finest human talent to ensure top business growth and performance. Diversity management benefits individuals, teams, our company as a whole, and our customers. We recognise that each employee brings their own unique capabilities, experiences and characteristics to their work. We value such diversity at all levels of the company in all that we do.

McKee Creative believes in treating all people with respect and dignity. We strive to create and foster a supportive and understanding environment in which all individuals realise their maximum potential within the company, regardless of their differences. We are committed to employing the best people to do the best job possible. We recognise the importance of reflecting the diversity of our customers and markets in our workforce. The diverse capabilities that reside within our talented workforce, positions McKee Creative to anticipate and fulfil the needs of our diverse customers, both domestically and internationally, providing high quality products/services.

McKee Creative is diverse along many dimensions. Our diversity encompasses differences in ethnicity, gender, language, age, sexual orientation, religion, socio-economic status, physical and mental ability, thinking styles, experience, and education. We believe that the wide array of perspectives that results from such diversity promotes innovation and business success.

Managing diversity makes us more creative, flexible, productive and competitive.

Recruitment

As a global player, McKee Creative recruits people from all around the globe. We believe that our employees from many different cultural, linguistic and national backgrounds provide us with valuable knowledge for understanding complex international markets. We have established outreach programmes to identify talented individuals from under-represented backgrounds for recruitment.

Career development and promotion

McKee Creative rewards excellence and all employees are promoted on the basis of their performance. All managers are trained in managing diversity to ensure that employees are treated fairly and evaluated objectively.

Community programmes

McKee Creative recognises that there are distinct demographic groups that have long been disadvantaged. We recognise that racism, ageism, sexism and other forms of discrimination are problems both for our organisation and society as a whole. McKee Creative is committed to tackling cultural stereotypes both within and outside our organisation.

Diversity practices

McKee Creative provides a safe and pleasant environment for our employees.

We offer:

Flexible working time arrangements
Employee education assistance
Employee network and support groups
Open communications
Childcare assistance
Mentor programmes

Updated March 18, 2021

Background

McKee Creative considers that all forms of violence are a violation of fundamental human rights. Violence threatens the victim’s physical health, housing security and mental wellbeing. People exposed to violence are at greater risk of developing a range of health problems, and are more likely to report poorer physical health overall and engage in practices that are harmful to their health. And while family and domestic violence cuts across socio-economic groups, it is reported at higher rates among disadvantaged Queenslanders.

McKee Creative recognises that employees may face domestic and family violence that affects their attendance or performance at work. McKee Creative is committed to providing leave and other support to staff that experience domestic and family violence.

Domestic and Family violence for the purpose of this policy includes physical, sexual, financial, verbal, psychological, spiritual, or emotional abuse of a person by an immediate family member, or who has been or is in a continuing social relationship of a romantic or intimate nature with the victim, or who is or has continually or at regular intervals lived in the same household as the victim.

Special Leave for employees experiencing domestic and family violence

Full time, part time or fixed term employees personally experiencing domestic and family violence may access 10 days paid Special Leave for medical appointments, legal proceedings, attending to accommodation matters, childcare and education matters and other activities, which are related to domestic and family violence. This may be taken in units of one hour. Employees may also access any or all of their accrued Personal Leave, Family and Community Leave, TOIL, Flex, or Recreation Leave for medical appointments, legal proceedings, attending to accommodation matters, addressing childcare and education matters and other activities, related to domestic and family violence.

Leave for employees supporting a person experiencing domestic and family violence

Employees supporting a person experiencing domestic and family violence may take Personal Leave or any other form of accrued leave to accompany them to court, to hospital, or to assist with childcare, accommodation, or other matters.

An employee including a casual employee who provides support to a person experiencing family and domestic violence is entitled to access family and domestic violence leave for the purpose of:

Accompanying that person to legal proceedings, counselling, appointments with a medical or legal practitioner;
Assisting with relocations or other safety arrangements; or
Other activities associated with the family and domestic violence including caring for children.

This leave will be in addition to existing leave entitlements, may be taken as consecutive or single days or as a fraction of a day, and can be taken without prior approval.

Notice and notification

While notice is not strictly required prior to taking the leave, an employee should notify their manager as soon as reasonably practicable of their intention to take or remain on Special or other leave for this purpose. Proof of domestic and family violence may be required and can be a document issued by the Police Service, a Court, a Doctor, a Domestic and Family Violence Support Service or Lawyer, or a statutory declaration.

Individual Support

In order to provide support to an employee experiencing domestic and family violence and to provide a safe work environment, McKee Creative will approve any reasonable request from an employee for changes to their span of hours or pattern or hours and/or shift patterns; job redesign or changes to duties; changes to their telephone number or email address to avoid harassing contact; or any other appropriate measure including those available under existing family friendly or flexible work arrangements.

Confidentiality

An employee experiencing domestic and family violence may raise the issue with their supervisor or the relevant manager responsible for human resource management. The supervisor may seek advice from the human resource manager. All personal information concerning domestic and family violence will be kept confidential and only shared with employees who have a genuine need to know. No information will be kept on an employee’s personnel file without their express written permission.

McKee Creative will work collaboratively with the employee who is experiencing domestic violence to develop protocols to restrict access to the employee’s personal information and contact details.

Adverse action

No adverse action will be taken against an employee if their attendance or performance at work suffers as a result of experiencing domestic and family violence provided they make a confidential disclosure of the violence to their supervisor or the human resource manager.

McKee Creative may require evidence of domestic and family violence as per sub clause Notification and Notification.

Contact person

McKee Creative will identify a contact who will be trained in domestic violence, discretion, and privacy issues. The contact will be in possession of appropriate resources and referral information.

McKee Creative will advertise the name of the contact within the workplace and provide the details at induction for new staff. McKee Creative will nominate a contact person to provide support for employees experiencing family and domestic violence and notify employees of the name of the nominated contact person. The nominated contact person must be trained in relation to family and domestic violence and privacy issues such as family violence risk assessment and risk management and receive paid time off work to attend such training. The contact person may be a union delegate, OHS Representative or HR Representative.

An employee experiencing family and domestic violence may raise the issue with the nominated contact person, their immediate supervisor, or their union delegate.

Where requested by an employee, the contact person will liaise with the employee’s supervisor on the employee’s behalf, and will make a recommendation on the most appropriate form of support.

McKee Creative will develop guidelines to supplement this clause which detail the appropriate action to be taken in the event that an employee reports family and domestic violence.

Workplace safety planning trategies

McKee Creative will develop and implement workplace safety planning strategies to ensure the protection of all employees. McKee Creative will ensure all employees are aware of and trained in the safety planning strategies. If an employer becomes aware, or ought reasonably to be aware, that domestic violence that would likely expose a worker to physical injury may occur in the workplace, McKee Creative will endeavour to take every precaution reasonable in the circumstances for the protection of the worker.

‍Safety planning can include:

Identifying and assessing the risks of domestic and family violence occurring in the workplaceImplementing strategies to keep workers safer can include:

Accompanying employees to the car park or transport when leaving work.
Notifying relevant staff not to disclose private information about employees’ locations or movements
Ensuring employees do not work alone at locations with public access
Providing a photo of the abusive person to front desk staff, so that they can identify them and call the police if necessary.
Developing a policy on workplace violence.
Practical technological updates to protect employees from abusive phone calls and emails.
Monitoring and reviewing effectiveness and uptake of safety strategies

This policy is to be reviewed every 12 months. Next review date is March 18, 2022.

Publication date: October 2021

Our commitment

McKee Creative is committed to fostering, cultivating and preserving a culture of diversity, equity and inclusion.
‍
Our human capital is the most valuable asset we have. The collective sum of the individual differences, life experiences, knowledge, inventiveness, innovation, self-expression, unique capabilities and talent that our employees invest in their work represents a significant part of not only our culture, but our reputation and company’s achievement as well.
‍
We embrace and encourage our employees’ differences in age, colour, disability, ethnicity, family or marital status, gender identity or expression, language, national origin, physical and mental ability, political affiliation, race, religion, sexual orientation, socio-economic status, veteran status, and other characteristics that make our employees unique.
‍
We have a strong grasp of unconscious bias, cross-cultural communications, and the presence of sexual harassment/violence in workplaces (which we, specifically, have a zero-tolerance policy on), so we do absolutely everything we can to ensure the support, comfort, and safety of our employees and associates at all times so no issues come into play.
‍
McKee Creative’s diversity initiatives are applicable—but not limited—to our practices and policies on recruitment and selection; compensation and benefits; professional development and training; promotions; transfers; social and recreational programs; layoffs; terminations; and the ongoing development of a work environment built on the premise of gender and diversity equity that encourages and enforces:

Respectful communication and cooperation between all employees.
Teamwork and employee participation, permitting the representation of all groups and employee perspectives.
Work/life balance through flexible work schedules to accommodate employees’ varying needs.
Employer and employee contributions to the communities we serve to promote a greater understanding and respect for diversity.

Our responsibility

All employees of McKee Creative have a responsibility to treat others with dignity and respect at all times. All employees are expected to exhibit conduct that reflects inclusion during work, at work functions on or off the work site, and at all other company-sponsored and participative events. All employees are also required to attend and complete annual diversity awareness training to enhance their knowledge to fulfill this responsibility. As well as this, we have identified non-training activities that will support lessons learned which include posters, staff-meetings, informational brochures and videos that can act as a resource library for employees.
‍
Any employee found to have exhibited any inappropriate conduct or behavior against others may be subject to disciplinary action, up to and including full termination.
‍
Employees who believe they have been subjected to any kind of discrimination that conflicts with the company’s diversity policy and initiatives should seek assistance from a supervisor or an HR representative.

Publication date: October 2021

Our hopes

Our Corporate Social Responsibility (CSR) company policy refers to our responsibility toward our environment. Our company’s existence is not lonely - it’s part of a bigger system of people, values, other organisations, and nature, too. The social responsibility of a business is to give back to the world just as it gives to us.
‍
Our Corporate Social Responsibility company policy outlines our efforts to give back wherever and whenever we can.

Scope

This policy applies to our company and its subsidiaries. It may also refer to suppliers and partners.

Policy Elements

We want to be a responsible business that meets the highest standards of ethics and professionalism.
‍
Our company’s social responsibility falls under two categories: compliance and proactiveness. Compliance refers to our company’s commitment to legality and willingness to observe community values. Proactiveness is every initiative to promote human rights, help communities and protect our natural environment.

Compliance

Legality

Our company will:

Respect the law
Honour its internal policies
Ensure that all its business operations are legitimate
Keep every partnership and collaboration open and transparent

Business ethics

We’ll always conduct business with integrity and respect to human rights. We promote:

Safety and fair dealing
Respect toward the consumer
Anti-bribery and anti-corruption practices

Examples of Corporate Social Responsibility

Protecting the environment

Our company recognises the need to protect the natural environment. Keeping our environment clean and unpolluted is a benefit to all. We always follow the best practices when disposing of garbage (whether technical or otherwise).

Protecting people

We’ll ensure that we:

Don’t risk the health and safety of our employees and community
Avoid harming the lives of the local and indigenous people
Support diversity and inclusion

Human rights

Our company is dedicated to protecting human rights. We are a committed equal opportunity employer and abide by all fair labour practices. We ensure that our activities do not directly or indirectly violate human rights in any country, that we instead comply with the best standard of treatment.

Proactiveness

Donations and aid

Our company may preserve a budget to make monetary donations. These donations will aim to:

Advance the arts, education and community events
Alleviate those in need

Volunteering

Our company will encourage its employees to volunteer. They can volunteer through programs organised internally or externally. Our company may sponsor volunteering events from other organisations.

Preserving the environment

Apart from legal obligations, our company will proactively protect the environment. Examples of relevant activities include (but are not limited to):

Recycling
Conserving energy
Using environmentally-friendly technologies and locations

Supporting the community

Our company may initiate and support community investment and educational programs. For example, it may begin partnerships with vendors for constructing public buildings. It can provide support to nonprofit organisations or movements to promote cultural and economic development of global and local communities.

Learning

We will actively invest in R&D. We will be open to suggestions and listen carefully to all ideas. Our company will try to continuously improve the way it operates.
‍
Our company is committed to the United Nations Global Compact. We’ll readily act to promote our identity as a socially aware and responsible business. Management must communicate this policy on all levels. Managers are also responsible for resolving any CSR issues.

Publication date: October 2021

Audits

A Cyber Security Audit is vital to comply with standards. It is one of the best practice policies that provides an annual external security review process along with assurance to the investors, clients, and board. It helps in building customer relationships and confidence… So here at McKee Creative, we take Cyber Security Audits very seriously.
‍
The purpose of this policy is to advise users of security scanning procedures and precautions used by McKee Creative to audit our network and systems.
‍
Audits may be conducted to:

Ensure integrity, confidentiality, and availability of information and resources
Investigate possible security incidents to ensure conformance to policies
Monitor user or system activity where appropriate

Scope

This policy applies to all of McKee Creative’s remote workers, permanent, and part-time employees, contractors, volunteers, suppliers, interns, and/or any individuals with access to the company’s electronic systems, information, software, and/or hardware.

Policy

McKee Creative shall utilise auditing software to perform electronic scans of their networks, servers, switches/routers, firewalls, and/or any other systems. This also includes scans of any electronic communication and e-mails regardless of by or to whom the communications are sent.

These tests may include:

User and/or system level access to any computing or communications device
Access to information that may be produced, transmitted or stored on equipment or premises
Access to work areas (labs, offices, cubicles, storage areas, etc.)
Access to interactively monitor and log traffic on McKee Creative networks
Penetration testing
Password Auditing
Scanning for Personally Identifiable Information

And in general, our team at McKee Creative has some strong policies on cyber security:

Device Security

To ensure the security of all company-issued devices and information, employees are required to; keep all company issued passwords protected, secure all relevant devices before leaving their desks, and regularly update devices with the latest security software.

Email Security

Protecting email systems is high priority as emails can easily lead to data theft and more, therefore we require all employees to; verify the legitimacy of each email including the address and sender name, avoid opening suspicious links or emails, and to contact the IT department regarding any suspicious emails.

Transferring Data

McKee Creative recognises the security risk of transferring confidential data internally and/or externally. To minimize changes of theft, we instruct all employees to; refrain from transferring classified information to outside parties, only transfer confidential data over McKee Creative networks, obtain the necessary authorisation from senior management, verify the recipient of the information and ensure they have the appropriate security measures in place, adhere to McKee Creatie’s data protect law and confidentiality agreement, and immediately alert the IT department regarding any breaches, malicious software, and/or scams.
‍
We also have a strong Incident Response Plan in play if you’d like to check it out.

Enforcement

Anyone found to have violated policy may be subject to disciplinary action, up to and including suspension of access to technology resources or termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with McKee Creative.

Publication date: October 2021

Purpose & Context

McKee Creative recognises the changing context of work has created new challenges and opportunities for employers and employees that require workplaces to embrace greater flexibility.
‍
McKee Creative also understands that certain personal circumstances create additional challenges for staff in balancing their work objectives and personal priorities. This includes employees:

With family or carer responsibilities
With a disability themselves
Who are experiencing, or supporting a family member experiencing domestic violence, or
Who are transitioning to retirement

This policy outlines our commitment to providing flexible work for staff in recognition of the benefits a flexible environment can provide to the whole community, our staff and our clients.
‍
In promoting flexible work options which enable staff to balance their work requirements with personal and family priorities, this policy seeks to:

Improve gender equality outcomes in the workplace
Maintain positive staff wellbeing and engagement
Enhance the overall capacity of our organisation, and our staff, to maintain and even improve productivity by increasing staff morale and reducing absenteeism
Facilitate increased staff retention, and subsequently maintain organisation knowledge

This policy outlines the Fair Work Act 2009 provisions that allow employees the right to request flexible working arrangements and incorporates the flexible working arrangements as outlined in the Employee Agreement.
‍
This policy works in conjunction with existing entitlements, policies, and practices that support employees to apply for flexible work arrangements.

Definitions

For the purpose of this policy:

Act means the Fair Work Act 2009.
Family responsibilities (within the meaning of the Anti-Discrimination Act 1991 (QLD)) refers to responsibility for the care of a child, and/or any other immediate family member in need of care or support.
Carer (within the meaning of the Carer (Recognition) Act (2008) (QLD)) is a person who provides personal care, support and assistance to another person because of their disability and aged-related needs This excludes care, support or assistance provided as part of paid or unpaid work, a service provision contract, and/or education or training program. A person is not inherently considered a carer solely on the basis of their family and/or domestic relationship to the person in need of care.
Disability (within the meaning the Disability Discrimination Act 1992 (Cth)) is any temporary or permanent physical, sensory, neurological, intellectual, psychiatric or learning disability, and includes physical disfigurement, the presence in the body of disease-causing organisms and total or partial loss of part of the body or a bodily function.
Immediate family member includes the following biological, adoptive, foster and step relationships - a married, de facto opposite sex or same sex partner, an ex-partner, a parent or partner's or ex-partner's parent, a brother or partner's or ex-partner's brother, a sister or partner's or ex-partner's sister, a grandchild or partner's or ex-partner's grandchild and a grandparent or partner's or ex-partner's grandparent.
Inherent requirements of a job are determined by the circumstances of each job and include the ability to perform the tasks or functions which are a required function of the job, productivity and quality requirements, the ability to work effectively in a team and the ability to work safely. These are often referenced in the selection criteria or position description.
Reasonable business grounds are determined by the requirements of the organisation or individual unit and can include, but are not limited to:
- the new working arrangements would be too costly
- there is no capacity to change the working arrangements of other employees to accommodate the new working arrangement request
- it would be impractical to change the working arrangements of other employees or to recruit new employees to accommodate new working arrangement request
- the new working arrangements would be likely to result in significant loss of efficiency or productivity
- the new working arrangements would likely have a significant impact on customer service.
Unjustifiable Hardship refers to significant difficulties or expense to an employer that renders the workplace adjustment requested unwarranted.

Policy Statement

McKee Creative recognises the increasing need for employees to balance work and personal and family priorities. The longstanding provision of our policies demonstrate our commitment to the implementation of working arrangements that find the best possible match between the requirements of employers and employees.

At McKee Creative the working arrangements should be inherently flexible wherever reasonably possible. The application of flexibility and reasonableness when considering working arrangements should enable all employees to request access to conditions of employment which allow a balance between work and personal or family priorities.
‍
Under the Act employees in certain circumstances have a right to request flexible working arrangements. McKee Creative will undertake all reasonable efforts to accommodate and support the needs of employees in fulfilling the inherent requirements of a position if they:

Are the parent, or have the responsibility for the care, of a child of school age or under
Are a carer
Have a disability
Are 55 years or older
Are a victim of domestic violence, or
Are caring for or supporting a member of their family or household because the other person is a victim of domestic violence

Where Mckee Creative is unable to accomodate the needs of an employee in their request for flexible work arrangement in the above circumstances, this will only be based upon the relevant test of unjustifiable hardship or reasonable business grounds.
‍
Taking into account a person’s training, qualifications, experience, performance and all other relevant factors, it is not unlawful discrimination by McKee Creative against an employee requesting a flexible working arrangement, if the person:

Would be unable to carry out the inherent requirements of the particular job, or
Would require arrangements which would impose an unjustifiable hardship on McKee Creative.

In determining what constitutes unjustifiable hardship, all relevant circumstances of the particular case are to be taken into account, including:

The nature of the benefit likely to be accrued or detriment to be suffered by the persons affected, and
The effect of the employees personal or family priorities, and
The financial circumstances of and the estimated amount of expenditure required to be made by McKee Creative when claiming unjustifiable hardship

Email Security

Transferring Data

Enforcement

Publication date: January 2020

Data breach response team

The McKee Creative Executive is Michael Schwarzel, Director, SkyM8 Pty Ltd (T/A McKee Creative)
The Chief Privacy Officer is Joanne McKee
The Systems Administrator is Mihai Mapetrei

When should a data breach be escalated to McKee Creative’s data breach response team?

Are multiple individuals affected by the breach or suspected breach?
Is there (or may there be) a real risk of serious harm to any of the affected individual(s)?
Does the breach or suspected breach indicate a systemic problem in OAIC processes or procedures?
Could there be media or stakeholder attention as a result of the breach or suspected breach?

Directors should inform the Chief Privacy Officer of minor breaches

If a Director decides not to escalate a minor data breach or suspected data breach to the response team for further action, the Director should:

Send a brief email to the Chief Privacy Officer that contains the following information:
- description of the breach or suspected breach
- action taken by the Director or McKee Creative officer to address the breach or suspected breach
- the outcome of that action, and
- the Director’s reasons for their view that no further action is required
Save of copy of that email in the following container: Data Breach Response – reports and investigation of data breaches within McKee Creative

McKee Creative data breach response process

Step 1: Contain the breach
Step 2: Assess the risks associated with the breach
Step 3: Consider breach notification
Step 4: Review the incident and take action to prevent future breaches

Testing this plan

Records management

Documents created by the response team, including post-breach and testing reviews, should be saved in the following container:

Data Breach Response – reports and investigation of data breaches within McKee Creative

Reporting

McKee Creative’s Data Breach Response Checklist

Step 1: Contain the breach

Notify the Chief Privacy Officer, who may convene the data breach response team.
Immediately contain breach:
- Consider whether the systems administrator needs to be advised.
Consider whether team needs other expertise
Inform the McKee Creative Executive as soon as possible; provide ongoing updates on key developments.
Ensure evidence is preserved that may be valuable in determining the cause of the breach, or allowing McKee Creative to take appropriate corrective action.
Consider a communications or media strategy to manage public expectations and media interest.

Step 2: Assess the risks for individuals associated with the breach

Conduct initial investigation, and collect information about the breach promptly, including:
- the date, time, duration, and location of the breach
- the type of personal information involved in the breach
- how the breach was discovered and by whom
- the cause and extent of the breach
- a list of the affected individuals, or possible affected individuals
- the risk of serious harm to the affected individuals
- the risk of other harms
Determine whether the context of the information is important.
Establish the cause and extent of the breach.
Assess priorities and risks based on what is known.
Keep appropriate records of the suspected breach and actions of the response team, including the steps taken to rectify the situation and the decisions made.

Step 3: Consider breach notification

Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.
Determine whether and how to notify affected individuals – is the breach likely to result in serious harm to any of the individuals to whom the information relates and McKee Creative has not been able to prevent the likely risk of serious harm through remedial action. In some cases, it may be appropriate to notify the affected individuals immediately; e.g., where there is a high-level of risk of serious harm to affected individuals.
Consider whether others should be notified, including police/law enforcement, or other agencies or organisations affected by the breach or can assist in containing the breach or assisting individuals affected by breach, or where McKee Creative is contractually required or required under the terms of an MOU or similar obligation to notify specific parties.

Step 4: Review the incident and take action to prevent future breaches

Fully investigate the cause of the breach.
Implement a strategy to identify and address any weaknesses in data handling that contributed to the breach
Conduct a post-breach review and report to the McKee Creative Executive on outcomes and recommendations:
- Update security and response plan if necessary.
- Make appropriate changes to policies and procedures if necessary.
- Revise staff training practices if necessary.
- Consider the option of an audit to ensure necessary outcomes are effected

Publication date: January 2020

Recruitment

Career development and promotion

Community programmes

Diversity practices

McKee Creative provides a safe and pleasant environment for our employees.

We offer:

Flexible working time arrangements
Employee education assistance
Employee network and support groups
Open communications
Childcare assistance
Mentor programmes

Updated March 18, 2021

Background

Special Leave for employees experiencing domestic and family violence

Leave for employees supporting a person experiencing domestic and family violence

Accompanying that person to legal proceedings, counselling, appointments with a medical or legal practitioner;
Assisting with relocations or other safety arrangements; or
Other activities associated with the family and domestic violence including caring for children.

This leave will be in addition to existing leave entitlements, may be taken as consecutive or single days or as a fraction of a day, and can be taken without prior approval.

Notice and notification

Individual Support

Confidentiality

Adverse action

Contact person

Workplace safety planning trategies

Accompanying employees to the car park or transport when leaving work.
Notifying relevant staff not to disclose private information about employees’ locations or movements
Ensuring employees do not work alone at locations with public access
Providing a photo of the abusive person to front desk staff, so that they can identify them and call the police if necessary.
Developing a policy on workplace violence.
Practical technological updates to protect employees from abusive phone calls and emails.
Monitoring and reviewing effectiveness and uptake of safety strategies

This policy is to be reviewed every 12 months. Next review date is March 18, 2022.

Publication date: October 2021

Our commitment

Respectful communication and cooperation between all employees.
Teamwork and employee participation, permitting the representation of all groups and employee perspectives.
Work/life balance through flexible work schedules to accommodate employees’ varying needs.
Employer and employee contributions to the communities we serve to promote a greater understanding and respect for diversity.

Our responsibility

Publication date: October 2021

Our hopes

Scope

This policy applies to our company and its subsidiaries. It may also refer to suppliers and partners.

Policy Elements

Compliance

Legality

Our company will:

Respect the law
Honour its internal policies
Ensure that all its business operations are legitimate
Keep every partnership and collaboration open and transparent

Business ethics

We’ll always conduct business with integrity and respect to human rights. We promote:

Safety and fair dealing
Respect toward the consumer
Anti-bribery and anti-corruption practices

Examples of Corporate Social Responsibility

Protecting the environment

Protecting people

We’ll ensure that we:

Don’t risk the health and safety of our employees and community
Avoid harming the lives of the local and indigenous people
Support diversity and inclusion

Human rights

Proactiveness

Donations and aid

Our company may preserve a budget to make monetary donations. These donations will aim to:

Advance the arts, education and community events
Alleviate those in need

Volunteering

Our company will encourage its employees to volunteer. They can volunteer through programs organised internally or externally. Our company may sponsor volunteering events from other organisations.

Preserving the environment

Apart from legal obligations, our company will proactively protect the environment. Examples of relevant activities include (but are not limited to):

Recycling
Conserving energy
Using environmentally-friendly technologies and locations

Supporting the community

Learning

Publication date: October 2021

Audits

Ensure integrity, confidentiality, and availability of information and resources
Investigate possible security incidents to ensure conformance to policies
Monitor user or system activity where appropriate

Scope

Policy

User and/or system level access to any computing or communications device
Access to information that may be produced, transmitted or stored on equipment or premises
Access to work areas (labs, offices, cubicles, storage areas, etc.)
Access to interactively monitor and log traffic on McKee Creative networks
Penetration testing
Password Auditing
Scanning for Personally Identifiable Information

And in general, our team at McKee Creative has some strong policies on cyber security:

Device Security

Email Security

Transferring Data

Enforcement

Publication date: October 2021

Purpose & Context

With family or carer responsibilities
With a disability themselves
Who are experiencing, or supporting a family member experiencing domestic violence, or
Who are transitioning to retirement

Improve gender equality outcomes in the workplace
Maintain positive staff wellbeing and engagement
Enhance the overall capacity of our organisation, and our staff, to maintain and even improve productivity by increasing staff morale and reducing absenteeism
Facilitate increased staff retention, and subsequently maintain organisation knowledge

Definitions

For the purpose of this policy:

Act means the Fair Work Act 2009.
Family responsibilities (within the meaning of the Anti-Discrimination Act 1991 (QLD)) refers to responsibility for the care of a child, and/or any other immediate family member in need of care or support.
Carer (within the meaning of the Carer (Recognition) Act (2008) (QLD)) is a person who provides personal care, support and assistance to another person because of their disability and aged-related needs This excludes care, support or assistance provided as part of paid or unpaid work, a service provision contract, and/or education or training program. A person is not inherently considered a carer solely on the basis of their family and/or domestic relationship to the person in need of care.
Disability (within the meaning the Disability Discrimination Act 1992 (Cth)) is any temporary or permanent physical, sensory, neurological, intellectual, psychiatric or learning disability, and includes physical disfigurement, the presence in the body of disease-causing organisms and total or partial loss of part of the body or a bodily function.
Immediate family member includes the following biological, adoptive, foster and step relationships - a married, de facto opposite sex or same sex partner, an ex-partner, a parent or partner's or ex-partner's parent, a brother or partner's or ex-partner's brother, a sister or partner's or ex-partner's sister, a grandchild or partner's or ex-partner's grandchild and a grandparent or partner's or ex-partner's grandparent.
Inherent requirements of a job are determined by the circumstances of each job and include the ability to perform the tasks or functions which are a required function of the job, productivity and quality requirements, the ability to work effectively in a team and the ability to work safely. These are often referenced in the selection criteria or position description.
Reasonable business grounds are determined by the requirements of the organisation or individual unit and can include, but are not limited to:
- the new working arrangements would be too costly
- there is no capacity to change the working arrangements of other employees to accommodate the new working arrangement request
- it would be impractical to change the working arrangements of other employees or to recruit new employees to accommodate new working arrangement request
- the new working arrangements would be likely to result in significant loss of efficiency or productivity
- the new working arrangements would likely have a significant impact on customer service.
Unjustifiable Hardship refers to significant difficulties or expense to an employer that renders the workplace adjustment requested unwarranted.

Policy Statement

Are the parent, or have the responsibility for the care, of a child of school age or under
Are a carer
Have a disability
Are 55 years or older
Are a victim of domestic violence, or
Are caring for or supporting a member of their family or household because the other person is a victim of domestic violence

Would be unable to carry out the inherent requirements of the particular job, or
Would require arrangements which would impose an unjustifiable hardship on McKee Creative.

In determining what constitutes unjustifiable hardship, all relevant circumstances of the particular case are to be taken into account, including:

The nature of the benefit likely to be accrued or detriment to be suffered by the persons affected, and
The effect of the employees personal or family priorities, and
The financial circumstances of and the estimated amount of expenditure required to be made by McKee Creative when claiming unjustifiable hardship

A decision of unjustifiable hardship must be based on the established facts of the situation, and not assumptions, and there must be consideration of alternative arrangements which could assist the employee in balancing their personal or family priorities and perform the inherent requirements of their position.
‍
McKee Creative will provide targeted staff development training on flexible working arrangements as relates to this policy, available to managers/supervisors and all clients and administrative staff. We will undertake strategies to raise awareness of flexible work options available for all staff.
‍
McKee Creative will consider flexible working arrangements for all employees under the applicable provisions and other employment policies and practices which enable flexible working arrangements.
‍
McKee’s Staff Agreements contain a number of flexibility measures that employees can access.
‍
An employee, who is unable to access the flexible working arrangements under our Staff Agreement or other McKee Creative employment policies and practices, may request flexible working arrangements from their manager under this policy.
‍
Employees with family responsibilities may also have access to parental leave options, including flexible return to work options. If they are a primary or secondary carer of a child after birth. Parental leave options and conditions are outlined in the relevant agreements.
‍
Employees with a disability or who are carers of children or immediate family members with a disability are entitled to make requests for flexible working arrangements under this and other policies.
‍
The types of flexible working arrangements available for staff may include (subject to relevant policy and Enterprise Agreement provisions) but are not limited to:

Options for part-time work
Job-sharing
Variations in starting and finishing times, roster arrangements or break times
Working hours over fewer calendar days
Flexibility in when paid and unpaid leave can be taken and the option to purchase additional leave
Working remotely, where appropriate
Adequate notice being provided to an employee when there is a request to vary their usual hours or location of work
Workplace child care arrangements as part of an employees salary package, and
Time for breastfeeding and breast milk extraction at work

Requests for Flexible Working Arrangements under the Fair Work Act 2009

The Act allows for employees in certain circumstances the right to request flexible work arrangements.
‍
Employees are entitled to make the request under the Act when they have completed at least 12 months of continuous service before making the request.
‍
Casual employees are entitled to make a request under the Act if:

They have been employed by McKee Creative on a regular and systematic basis for a sequence of periods of employment of at least 12 months immediately before making the request, and
There is a reasonable expectation of continuing employment on a regular and systematic basis

Procedures

Part A - Requesting Flexible Working Arrangements

An employee seeking to request a flexible working arrangement under the Act should submit a request in writing to their manager/supervisor outlining:

The reasons for the request
The nature of the arrangements required, and
The period of time proposed to utilise the arrangements

The manager must give genuine consideration to the request for flexible working arrangements and the proposals put forward by the employee.
‍
The employee and the manager/supervisor must meet in person to discuss the request within 14 calendar days of a written submission being made, or if feasible, earlier where the circumstances require it. Direct and personal communication is required.

Reach an agreement where possible that balances the needs of McKee Creative and the employee’s requirements
Clarify the flexible working arrangements required by the employee and for the manager/supervisor to raise any concerns they may have with the request
Address any reasonable concerns from the manager/supervisor about the proposed flexible working arrangement, and consider and discuss alternative arrangements

In considering an application for a flexible working arrangement a manager/supervisor must also consider:

Any work, health and safety issues which may impact on the request as per the Workplace Health & Safety standards
Their delegation capacity
Provisions under the Staff Agreements

Within 21 calendar days of meeting with their manager/supervisor an employee must be provided with the written response to their request, stating whether their request has been granted or refused, and providing reasons for this decision.
‍
A refusal of a request for flexible working arrangements must only be made in terms of either unjustifiable hardship or reasonable business grounds.

A refusal of a request for flexible working arrangement should, where possible, also include consideration of alternative arrangements to that requested by the employee.
‍
Employees have a responsibility to immediately inform their manager/supervisor when their circumstances, as related to flexible work arrangements, cease or significantly change.
‍
Where approved, there should be at least an annual review of the agreement to ensure that the employee and McKee Creative’s needs are being comfortably met.
‍
It is appropriate for an employee and a manager/supervisor to make an informal flexible working arrangement if there are no Work Health and Safety issues to be considered, and:

The employee requesting the arrangement is requesting under a circumstance not covered by the Fair Work Act as outlined above, or
The flexible work arrangement is for a short term period, or
Both the employee and manager/supervisor have reached mutual agreement on the terms of a flexible work arrangement

In the insistence of an informal agreement, correspondence detailing the agreed terms of the arrangement should still be entered into to ensure both parties are fully informed of their responsibilities. Advice can also be sought in these instances.

Part B - Dealing with Breaches of Policy

Where practicable a dispute as to the application of this policy should be resolved informally through discussion with the appropriate manager/supervisor. If the matter cannot be resolved the issue should be escalated to the relevant HR Partner.
‍
If a manager/supervisor does not follow the procedures or refuses a request for flexible work arrangements as outlined in this policy, an employee can contact the appropriate support for dispute.

Part C - Responsibilities

Managers/Supervisors & Executives will:

Will ensure that all policies and procedures do not discriminate on the grounds of an employees personal circumstances as they relate to the Act
Should inform employees of this policy and other policies as related to flexible working arrangements, and should adhere to McKee Creative’s commitment to equal opportunity for all employees
Staff training will be provided on flexible work arrangements
Must document a decision not to approve the request for flexible working arrangements from any employee regardless of whether the employee was requesting under the Fair Work Act or to balance personal priorities. The documentation of decision, including reasons qualified under unjustifiable hardship or reasonable business grounds, must be made available to the employee for review
Must review the flexible work arrangements at regular intervals, at least annually, the arrangements made with employee to ensure that McKee Creative’s and the employees needs continue to be met
Maintain appropriate confidentiality of personal matters
Provide assistance to an employee seeking information and advice in relation to requests for flexible working arrangements

Employees will:

May inform their manager/supervisor of personal circumstances relevant to their request for flexible working arrangements
May make a written request for flexible work practices
Must, when requested, provide documentation of their responsibilities, such as a doctors certificate or social work report
May request a third-party to assist in the discussion of special arrangements with their supervisor
Should seek independent advice in relation to their superannuation if they change their hours of work.

Publication date: October 2021

Plan

Here at McKee Creative, we take safety and security seriously. To maintain the trust of our employees, customers and partners, and meet regulatory requirements, it is essential that we do everything we can to protect confidential information and systems.
‍
We understand that the better prepared we are to respond to virtual (cyber-security, theft) or physical (power failures, natural disasters) threats, the faster we can eradicate this threat and reduce the impact on our business.
‍
We have taken the time to formulate an Incident Response Plan that explains how to detect and react to incidents, determine their scope of risk, respond appropriately (and quickly) and communicate the results and risks to all stakeholders.
‍
Effective incident response involves every part of our organisation, including IT teams, technical support, corporate communications, and business operations. We understand it is important that each member of our team reads and understands their role.

Testing and Updates

Testing of the Incident Response Plan ensures that all team members are aware of their obligations (unless real incidents occur which test the full functionality of the process). By testing our response to potential incidents, we can identify process gaps and improvement areas, and record these observations for further improvement. By doing so, we can further update our Incident Response Plan to perfectly suit the team and process at McKee Creative, every time.

Incident Response Overview

Below is the structured 6-step process followed in this document as defined by the SANS Institute in their Incident Handler’s Handbook that the team at McKee Creative will follow in response to an incident or threat. The 6 steps outlined are:

Preparation - review and codify an organisation security policy, perform a risk assessment, identify sensitive assets, define which are critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).
Identification - monitor IT systems and detect deviations from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
Containment - perform short-term containment, for example isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems.
Eradication - remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in future.
Recovery - bring affected production systems back online carefully, to prevent additional attacks. Test, verify, and monitor affected systems to ensure they are back to normal activity.
Lessons learned - no later than 2 weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the Incident Response process could be improved.

Workforce Continuity

To keep everything running smoothly, regardless of physical or virtual threats, the team at McKee Creative will do everything in our power to keep things as accessible and reliable as possible. Our data is stored in a secure location and our team works remotely in general, as we aim for the best in workplace continuity. We understand that by providing a safe and secure environment for our data and employees, we establish a strong business network.

Roles, Responsibilities and Contact Information

Our Incident Recovery Team is generally made up of the hard-working members of IT, who collect, preserve and analyse data in-tandem with Jo McKee herself. With their experience and understanding, they can ensure the Incident Response Plan is carried out as effectively and efficiently as possible.
‍
However, we understand avoiding incidents is done best when everyone is involved. Our entire team at McKee Creative will be well-versed in safety and security protocols, as well as the Incident Response Plan in general… just to keep everyone on the same page.
‍
If you do need to get in contact with any of our staff in regards to our Incident Response Plan, please contact the team directly at grow@mckeecreative.store.
‍
Or, if any major problems occur, we suggest you keep these names in mind:

Michael Schwarzel
Technical Partners/Third Party Incident Response
Contact details:
Phone: 0488 068719
Email: michael@grandprixyachting.com.au

Policies & Procedures

Profitable Marketing

Join 900+ subscribers to the Weekly Wrap.