Cybersecurity and Personal Data Management Policy

Version: 5.12.1
Approved by: Executive Management
Effective date: 22 December 2025
Next review: 12 months from effective date or sooner if required by law or incident

Purpose

PSW Energy is committed to protecting customer privacy and securing customer data across its lifecycle. This policy establishes the principles, roles, technical and organizational controls, and procedures PSW Energy follows to protect customer information, build customer trust, and meet applicable regulatory and contractual requirements.

Scope

This policy applies to all employees, contractors, vendors and third parties who collect, access, process, store, transmit or destroy PSW Energy customer data. It covers all systems, applications, devices, networks, cloud services, and physical locations where customer data is stored or processed.

Principles

  1. Lawful & transparent processing — Personal data shall be collected and processed lawfully, fairly, and transparently.

  2. Purpose limitation — Data is collected only for specific, explicit and legitimate business purposes.

  3. Data minimisation — Only the minimum data necessary to perform a function is collected and retained.

  4. Accuracy — Reasonable steps will be taken to keep customer data accurate and up to date.

  5. Storage limitation — Data is retained only as long as necessary and securely disposed of when no longer needed.

  6. Integrity & confidentiality — Appropriate technical and organisational measures are used to protect data.

  7. Accountability — PSW Energy documents decisions, processes and controls and is responsible for compliance.

1. Data Classification

Classification levels

Restricted (High) — Highest level of protection required. Access only on a strict need-to-know basis.

  • Payment information (card data, bank account details)
  • Billing details combined with account numbers (where they could be used for fraud)
  • Account numbers, when linked with identity or payment instruments
  • Smart meter raw/near-real-time consumption data that could identify occupancy patterns

Confidential (Medium) — Sensitive business and personal data; requires strong protection.

  • Customer contact information (email, phone)
  • Service addresses and site identifiers
  • Aggregated energy consumption data used for billing or analytics (when not individually identifying)

Internal (Low) — Internal business data, limited sensitivity.

  • Aggregated statistical reports with no individual identifiers
  • Internal operational notes not containing personal identifiers

Public — Information expressly approved for public release (marketing materials, redacted privacy statements).

Handling rules

Restricted data MUST be stored only in approved, encrypted repositories and accessed only via authenticated, authorised channels. Confidential data MUST have role-based access, logging, and encryption in transit and at rest. Internal data can be handled using standard corporate security controls.

All data classification decisions and re-classifications must be documented.

2. Roles and responsibilities

  • Board / Executive Management — Approve policy, ensure resources, and maintain risk appetite.

  • Chief Security Officer (CSO) / Head of Security — Overall responsibility for cybersecurity program and policy enforcement.

  • Data Protection Officer (DPO) or Privacy Lead — Oversee personal data processing, customer rights requests, regulatory notifications, and DPIAs.

  • IT/Infrastructure Manager — Implement technical controls (networks, encryption, backups, logging).

  • Application Owners/Product Managers — Ensure secure design and data minimisation for applications that handle customer data.

  • Business Unit Managers — Ensure staff comply with policy, and that access is requested correctly and revoked as necessary.

  • Employees & Contractors — Follow security policies, report incidents, and complete training.

  • Third-party Vendor Managers — Oversee vendor security due diligence and ensure contractual security requirements are met.

3. Access control & authentication

Principles:

  • Least privilege and role-based access control (RBAC): Employees and contractors receive the minimum access necessary to perform their duties effectively.
  • Separation of duties: where practical, sensitive tasks are split to reduce risk.
  • Just-in-time elevated access and time-bound access where appropriate.

Controls:

  • All access requests must be approved by the data owner and logged. Change requests must be documented.
  • Use strong authentication: Multi-factor authentication (MFA) required for all remote access, privileged accounts, admin consoles, and systems storing Restricted or Confidential data. Password policies: minimum complexity, minimum length, no reuse of previous 12 passwords (or use passphrases + 2FA).
  • Privileged Access Management (PAM) for administrative accounts: session recording, credential vaulting, and rotation.
  • Quarterly access reviews: managers and IT conduct formal reviews to certify access lists.
  • Immediate revocation of access upon role change, termination, or contract end.
  • Logging and monitoring of access to systems containing Restricted or Confidential data; retain logs for a minimum period aligned with legal/regulatory requirements (suggest 1 year or as required).

4. Data encryption & key management

Encryption standards:

  • Data in transit: Use TLS 1.2 (with strong cipher suites) or TLS 1.3 for network communications that carry customer data (web, APIs, VPNs, IoT telemetry). Disable deprecated ciphers and protocols (SSLv3, TLS 1.0/1.1). Use HSTS for web endpoints.

  • Data at rest: Use AES-256 (or equivalent) for databases, file stores, backups, and smart meter telemetry archive. Full-disk encryption on laptops and removable media.

  • Payment information: Comply with PCI DSS where applicable (tokenization, truncated PANs where possible). Store cardholder data only where necessary; use tokenization or third-party payment processors to avoid storing raw PANs.

  • Smart meter data: Store raw telemetry in encrypted stores, separate from personal identifiers where possible (pseudonymize or aggregate for analytics).

Key management:

  • Keys must be generated, stored, and rotated using an enterprise key management system (HSM preferred or cloud KMS).

  • Keys must be changed at defined intervals and after suspected compromise.

  • Access to key material is limited to authorized roles; keys never stored in plaintext on application servers.

  • Cryptographic algorithms and key lengths reviewed annually against best practice.

5. Secure configuration & network controls

  • Harden servers, workstations, network devices using CIS benchmarks or similar.

  • Disable unnecessary services and default accounts.

  • Use network segmentation: isolate customer databases, billing systems, and meter ingestion pipelines from general office networks.

  • Deploy firewalls, IDS/IPS, web application firewalls (WAF), and centralized logging.

  • Use endpoint protection (EDR), anti-malware, and regular patch management (critical patches applied within defined SLAs).

  • Use VPN for remote access with MFA, and restrict access to management interfaces to corporate IPs or jump hosts.

6. Implemented energy system data protection

Collection & transmission:

  • Smart meter telemetry must be collected via authenticated, encrypted channels (MQTT over TLS, HTTPS, or equivalent).

  • Mutual authentication where possible (device certificates).

  • Minimal collection principle: limit sampling or granularity unless higher granularity is justified and consented.

Storage & processing:

  • Store smart meter raw data in encrypted, access-controlled stores.

  • Pseudonymize meter IDs where possible for analytics and research. Link meter IDs to personally identifiable information (PII) only when necessary for billing or service. Maintain a secure mapping table with Restricted classification.

  • Apply retention schedules (see Data Retention section) and aggregate data for long-term analytics to reduce privacy risk.

Privacy protections:

  • Assess privacy risks for high-granularity consumption data (DPIA for new meter programs).

  • Provide customers with clear notices about what smart meter data is collected, how it’s used, and their rights.

  • Limit sharing of smart meter patterns externally; require contractual safeguards and purpose limitation for any third parties.

7. Incident response & breach notification

PSW Energy maintains an Incident Response Plan (IRP) that is aligned with NIST and ISO best practices. Key steps:

  1. Detect & Report: Employees must report suspected incidents immediately via [incident reporting channel]. Automated systems forward alerts to Security Operations Center (SOC).
  2. Triage & Classify: Incident Response Team (IRT) classifies severity and affected systems/data.
  3. Contain: Short-term containment (isolate systems), followed by eradication (remove malware, close access vectors).
  4. Recover: Restore systems from secure backups, validate integrity, and return to production with controls in place.
  5. Notify & Communicate: Execute communication plans for internal stakeholders, regulators, and customers.
  6. Post-incident review: Conduct a root cause analysis and implement remedial measures.

Notification timelines & procedures:

  • For incidents involving personal data, PSW Energy will follow legal obligations for breach notification. As a guiding standard, where a breach is likely to result in a risk to individuals’ rights or freedoms, PSW Energy will notify supervisory authorities without undue delay and, where feasible, within 72 hours of becoming aware (as per the GDPR standard), and notify affected customers promptly with clear guidance. If local laws require different timelines, those will govern.
  • Notifications to customers will include: description of breach, data types involved, potential risks, mitigation steps PSW Energy has taken, recommended actions for customers, and contact details for further assistance.
  • Internal notification: Executive Management, CSO, DPO, Legal, Communications, and relevant business owners.
  • Preserve forensic evidence and engage legal/cyber insurance/forensics providers as required.

8. Third-party & vendor management

Third parties handling customer data must meet PSW Energy’s security expectations. Requirements:

  • Due diligence: Security assessments before engagement (questionnaires, evidence of certifications—e.g., ISO 27001—where appropriate).
  • Contractual obligations: Written agreements requiring data processing only for specified purposes, confidentiality, security measures, breach notification obligations, audit rights, deletion/return of data on termination, subcontractor approvals, and indemnities as appropriate.
  • Minimum technical controls: Encryption, access control, logging, secure software development practices, vulnerability management.
  • Ongoing monitoring: Periodic reassessments, risk profiling, security questionnaires, and, for high-risk vendors, on-site or remote audits.
  • Data location & transfers: Compliance with legal requirements for cross-border transfers; use of standard contractual clauses or equivalent when necessary.

9. Employee training & awareness

  • All staff receive mandatory cybersecurity and privacy training upon hire and annually thereafter. Topics include password hygiene & MFA, phishing & social engineering, handling restricted and confidential data, secure remote working, incident reporting, and role-specific modules for those handling payment or smart meter data.
  • Additional role-based training for developers (secure coding, OWASP), admins (secure configuration, PAM), and customer service agents (privacy & data subject access procedures).
  • Training completion tracked; non-compliance escalated. Quarterly phishing simulations and awareness campaigns. New threats and lessons learned from incidents are communicated in regular security bulletins.

10. Data retention & secure disposal

Retention principles: Retain data only as long as necessary for operational, legal, regulatory, or contractual purposes. Retention periods must be documented and periodically reviewed.

Retention schedule:

  • Billing details & account records: Retain for the duration of the customer relationship and 7 years for accounting/compliance purposes, or as required by local law.
  • Account numbers & identifiers: Same as billing records; restrict access.
  • Energy consumption data: Raw high-frequency energy system data is retained for a business-justified period (e.g., 1–5 years) depending on analytics needs and privacy risk, and aggregated for long-term analysis. Billing aggregation (monthly/yearly) is retained as per financial records retention rules, e.g., 7 years.
  • Contact information & service addresses: Retain while the account is active and for a reasonable period after account closure (e.g., 2–7 years) to handle disputes and fulfil legal obligations.
  • Payment information: Store only as necessary; where stored, retain in accordance with PCI DSS and applicable legal requirements. Tokenised payment references may be retained longer for recurring billing if permitted.

Secure disposal:

  • Use secure deletion for electronic media (cryptographic wipe or DOD/ISO standard methods, as required) and physical destruction for offline media (shredding or degaussing).
  • Maintain records of disposal. For cloud services, ensure the vendor provides confirmed secure deletion.
  • When decommissioning systems, all stored customer data must be securely erased and verified to ensure complete data deletion.

11. Customer rights & transparency

PSW Energy recognises and facilitates customer rights (subject to verification and legal limits):

Rights include:

  • Access: Customers may request access to personal data we hold about them.
  • Correction: Right to request rectification of inaccurate or incomplete data.
  • Deletion: Right to request deletion when processing is no longer necessary, and there is no overriding legal reason to retain data. Exceptions may apply (billing, safety, regulatory).
  • Portability: Right to receive data in a structured, commonly used, machine-readable format (where applicable).
  • Restriction of processing: Request limited processing where disputes exist.
  • Objection: Customers may object to specific processing (direct marketing, profiling) where applicable.
  • Withdraw consent: Where processing is consent-based, customers can withdraw consent; this will not affect processing done before withdrawal.

Procedures:

  • Customer rights requests must be submitted via [customer privacy portal/email/phone] and verified for identity. PSW Energy will respond within statutory timeframes (e.g., within 1 month, extendable where necessary).
  • Fees: PSW Energy will follow applicable law concerning fees for repetitive or manifestly unfounded requests.
  • Requests are logged, handled by the DPO or Privacy Team, and tracked to completion.

Transparency: PSW Energy will publish a clear privacy notice that describes the types of data collected, its purposes, retention periods, sharing practices, security measures, and contact information for privacy queries/complaints.

12. Physical security

  • Control physical access to facilities that store or process customer data: visitor logs, photo ID checks, access badges, CCTV in sensitive areas, and locked server rooms.
  • Secure storage for backups and removable media.
  • Environmental protections for server rooms (fire suppression, climate control, UPS).
  • Clean desk policy: limit paper records and ensure secure storage/shredding.
  • On-site contractors supervised and access limited per job.

13. Secure development & change management

  • Security-by-design practices for systems handling customer data, including threat modelling and security reviews for new features.
  • Developers follow secure coding standards and run static/dynamic code analysis.
  • Pre-production testing in isolated environments with anonymised or synthetic data whenever possible.
  • Formal change control for production changes, including security review, rollback plan, and post-deployment verification.

14. Vulnerability management & regular audits

  • Maintain a vulnerability management program: conduct regular scans, prioritise patching, and track remediation. Security patches for critical vulnerabilities are applied within defined SLAs (e.g., 48–72 hours for critical).
  • Conduct annual external penetration tests and periodic internal assessments; more frequent scanning for critical systems.
  • Conduct regular privacy impact assessments (DPIAs) for high-risk processing (e.g., high-granularity smart meter projects).
  • Annual policy review and tabletop incident exercises. Maintain records of audits, findings, and remediation.
  • Keep an audit trail for changes, access, and data operations.

15. Monitoring, logging & forensics

  • Centralised logging for systems storing Restricted/Confidential data. Logs are retained as required by law and used for security monitoring purposes.
  • Security Information and Event Management (SIEM) to correlate, alert, and support forensic investigations.
  • Logs are protected against tampering, and access is limited to authorised personnel.
  • Forensic acquisition processes are defined and available to IRT for post-incident investigations.

16. Business continuity & backups

  • Maintain business continuity plans for critical services and recoverability objectives (RTOs/RPOs) that are documented and regularly tested.
  • Regular backups of customer data with encryption at rest; backups stored securely and periodically tested for restore integrity.
  • Backup retention is consistent with retention policy and legal obligations.

17. Enforcement & non-compliance

  • Policy violations will result in disciplinary action up to termination and legal action where appropriate.
  • Suspected misuse of customer data must be reported immediately through designated channels.
  • PSW Energy reserves the right to monitor compliance; employees consent to security monitoring as required by law.

18. Policy review & updates

  • This policy will be reviewed at least annually, or sooner if a material change in business, technology, law, a serious security incident, or an external audit recommendation occurs.
  • Policy changes require Executive Management approval.

19. Appendices

A. Minimum technical standards

  • TLS 1.2+ (prefer TLS 1.3), AES-256 for storage, RSA/ECDSA for key exchange where needed.
  • Passwords: minimum 12 characters or passphrase; account lockout after a defined number of failed attempts.
  • Logging: Retain security logs for 12 months, unless required by law or regulation to do otherwise.
  • MFA for all administrative and remote access to systems with customer data.

B. Incident contact list

  • CSO: Ben Colewell, privacy@pswenergy.com.au
  • IT Manager: Sujan Bhuiyan, sujan@mckerchercorporation.com
  • Legal Counsel: Ryan Ashoorian, ryan@averyashoorian.com, (08) 9317 6156   

C. Data Retention Table

| Data Type | Retention Period | Retention Justification |
|---|---|---|
| Payment information (tokenised) | As required for recurring billing; otherwise delete after payment completion | PCI & operational needs |
| Billing records | Customer lifecycle + 7 years | Financial & regulatory |
| Energy system raw data | 1–5 years (business justified) | Operational analytics; subject to DPIA |
| Contact info | Account lifecycle + 2–7 years | Customer service & dispute resolution |

Customer-facing summary

PSW Energy takes your privacy and data security seriously. We protect your billing details, account numbers, payment information, contact details, service address, and smart meter data using industry best practices, including encryption, strict access controls, and routine security testing. We limit data collection to what is needed, retain data only as long as necessary, and require our partners to meet rigorous security standards. If a security incident affects your personal data, we will promptly investigate, contain the issue, and notify you and regulators as required. You have the right to access, correct, port, and request deletion of your personal information. For more information, please contact our Privacy Team at privacy@pswenergy.com.au.

Final notes & adaptability

This policy provides a structured, practical framework for PSW Energy’s data security and privacy program. It aligns with ISO 27001 and the NIST Cybersecurity Framework in spirit and practice—focusing on Identify, Protect, Detect, Respond, and Recover—and is drafted to be adapted to GDPR, CCPA, and local requirements. Operational procedures, templates, the incident response playbook, DPIA templates, vendor assessment forms, and a privacy notice should be prepared as supporting documents and linked to this policy.
