Privacy Policy

Privacy & Data Security Policy

About this Document
This Privacy & Data Security Policy has been adopted by Krishan Nominees (Vic) Pty Ltd (ACN 600 038 926) ATF Nanayakkara Family Trust, trading as D.S Audit Services (ABN 35 536 445 038) (“we”, “us”, “our”), including any controlled corporate entities.

All employees, contractors, consultants, partners and authorised third parties who have access to personal or sensitive information under our direction are bound by, and must adhere to, this Policy.

By providing personal information to us, you consent to our collection, use, storage and disclosure of your information in accordance with this Policy. We may update this Policy from time to time, with changes communicated to stakeholders via our website and/or direct notice.

1. Commitment to Privacy, Quality & Security

We are committed to safeguarding personal information in line with:

  • Australian Privacy Principles under the Privacy Act 1988
  • ASQM1 quality objectives for information, communication and resources
  • ISO 9001 requirements for documented information and continual improvement
  • Australian Cyber Security Centre (ACSC) guidance, including the Essential Eight

Our approach ensures that privacy, security, and data integrity are embedded into our operational culture, aligning with our Quality Management System (QMS) and audit obligations.

2. Information We Collect

We may collect the following categories of information:

  • Personal identification – name, date of birth, contact details
  • Government identifiers – tax file number, driver’s licence, passport
  • Employment records – current and historical
  • Financial details – bank accounts, shareholdings, loans, assets, liabilities, superannuation, insurance, credit reports
  • Client-provided documents – for SMSF, tax, or audit purposes
  • Digital interactions – website forms, client portal usage, cookies, IP addresses
  • Survey or feedback responses

Sensitive information will only be collected with consent or as otherwise permitted by law.

3. Collection & Use of Information

We collect information via:

  • In-person or virtual meetings and telephone discussions
  • Client questionnaires and onboarding forms
  • Secure client portals and encrypted email exchanges
  • Liaison with authorised third parties such as the ATO or ASIC
  • Publicly available sources relevant to our engagement
  • Website tracking tools (cookies) to enhance user experience and security

Information is used strictly for:

  • Providing SMSF audit and related professional services
  • Meeting compliance obligations with regulatory bodies
  • Managing client relationships and service improvements
  • Internal quality reviews, in line with ASQM1 and ISO 9001

4. Disclosure of Information

We may disclose personal information to:

  • Australian Government agencies (ATO, ASIC, OAIC) for compliance or audit purposes
  • Professional associations (e.g. SMSF Association) when required
  • Trusted third-party service providers under binding confidentiality and security agreements
  • Parties authorised by you in writing
  • Courts, tribunals, or regulators in accordance with legal requirements

Sensitive information will only be disclosed for the primary purpose it was collected or where otherwise permitted by law.

5. Data Security & Cyber Protection

We implement layered security measures in line with Australian Cyber Security Centre best practice and Essential Eight mitigation strategies, including:

  • Multi-factor authentication for all critical systems
  • Encryption of sensitive data in transit and at rest
  • Access controls and role-based permissions under ASQM1 resource management principles
  • Secure offsite backups and disaster recovery planning
  • Continuous monitoring for unauthorised access attempts
  • Employee training on cyber risk awareness and phishing prevention

In accordance with ISO 9001 Clause 7.5 and ASQM1, all documented information is stored in secure systems with version control, retention policies, and regular integrity checks.

6. Notifiable Data Breaches

If a data breach is likely to cause serious harm, we will:

  1. Immediately activate our Data Breach Response Plan
  2. Contain and assess the breach within 30 days
  3. Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals, as required under the Privacy Act
  4. Document remedial actions for QMS continuous improvement

7. Access, Updates & Corrections

You may request access to, or correction of, personal information by contacting us in writing. We will respond within a reasonable period, usually within four weeks. Proof of identity will be required prior to release of information.

8. Complaints & Inquiries

Complaints regarding privacy or data security can be made in writing to:

Security & Privacy Officer
Dinesh Nanayakkara – Director of Strategic Partnerships
Email: office@dsauditservices.com
Phone: 1300 372 669
Mail: PO BOX 173, Endeavour Hills, VIC 3802
In Person: Suite 212, 148 Logis Boulevard, Dandenong South, VIC 3175

If you are not satisfied with our response, you may contact the OAIC via www.oaic.gov.au.

9. Policy Review

This Policy will be reviewed annually in line with:

  • ISO 9001 Clause 9.3 Management Review
  • ASQM1 monitoring and remediation requirements
  • Changes to Australian privacy and cyber security legislation

Effective Date: 1 July 2025