
Data Breach Policy

Section 1 - Purpose and scope

(1) This Data Breach Policy is made as required by s 59ZD of the Privacy and Personal Information Protection Act 1998 and pursuant to the Privacy Management Rule.

(2) This policy documents UNE’s plan for responding to a data breach. It establishes the roles and responsibilities of UNE Representatives.

(3) This policy should be read with:

  1. Information Security Rule;
  2. Emergency Management Plan; and
  3. IT Service Continuity and Disaster Recovery Plan.

(4) A summary of the process for responding to a data breach can be found in the Data Breach Management Process and the Data Breach Incident Escalation Process and Team Structures documents.

(5) Within this policy:

  1. Part A defines a data breach and some other terms used;
  2. Part B sets out the steps for responding to a data breach;
  3. Part C deals with containment and analysis;
  4. Part D outlines the University’s response;
  5. Part E outlines the University’s notification obligations;
  6. Part F outlines review and remediation;
  7. Part G outlines prevention steps; and
  8. Part H provides a summary of roles and responsibilities.

Part A - What is a data breach?

(6) A data breach occurs when any information (whether digital or hard copy) held by UNE is lost or subject to unauthorised access (whether internal or external to the University), disclosure, modification or misuse. This includes verbal disclosures of information.

(7) Where a data breach involving personal information or health information occurs, and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, such a data breach constitutes an ‘eligible data breach’. Eligible data breaches are subject to mandatory data breach notification obligations prescribed by the Privacy and Personal Information Protection Act 1998 (and in certain circumstances other privacy laws).

(8) Whatever the cause of the data breach, harm can result to students or UNE Representatives. Harm includes financial, social, reputational, psychological or physical impacts to an individual and reputational or financial damage to UNE, and need only impact one person.

(9) Examples of data breaches include:

  1. unauthorised access to, or unauthorised collection, use or disclosure of UNE information;
  2. accidental loss, unauthorised access, or theft of classified material, data or equipment on which such data is stored (eg loss of paper record, laptop, iPad, USB stick);
  3. unauthorised use of, access to, or modification of data or information systems (eg sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to data or information systems);
  4. unauthorised disclosure of classified material or information (eg an email sent to an incorrect recipient or a document posted to an incorrect address or addressee) or personal information posted onto the website without consent;
  5. a compromised user account (eg accidental disclosure of user login details through phishing);
  6. failed or successful attempts to gain unauthorised access to UNE information or systems;
  7. equipment failure, malware infection or disruption to or denial of IT services resulting in data breach;
  8. the loss or theft of a device containing personal information or health information;
  9. a UNE database or information repository containing personal information or health information being subject to cyber attack;
  10. a device, database or information repository containing personal information or health information being accessed without authorisation; and/or
  11. UNE inadvertently providing personal information or health information to an unauthorised person or entity.

(10) ‘Eligible data breach’ is a term defined in the Privacy and Personal Information Protection Act 1998 as follows:

(1) For the purposes of this Part, an eligible data breach means:
  a. there is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, or
  b. personal information held by a public sector agency is lost in circumstances where –
    i. unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
    ii. if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.
(2) An individual specified in subsection (1)(a) or (1)(b)(ii) is an affected individual.
(3) To avoid doubt, an eligible data breach may include the following –
  a. a data breach that occurs within a public sector agency,
  b. a data breach that occurs between public sector agencies,
  c. a data breach that occurs by an external person or entity accessing data held by a public sector agency without authorisation.

(11) Personal information is a term defined in the PPIP Act as:

“information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”

Part B - Preliminary response to a data breach

Immediate report

(12) All suspected data breaches must be immediately reported to the UNE Senior Privacy and GIPA Officer via privacy@une.edu.au. UNE Representatives should report as much information as possible, including:

  1. date and time when the suspected data breach was discovered and/or disclosed, and the name of the individual/s who discovered or made the report (eg staff, student, community member, external security providers, third party vendors);
  2. details of the suspected breach (eg system involved, email message responded to, staff member accessing unauthorised files, loss of hardware – laptop, portable storage device, loss or disclosure of paper files, verbal disclosure);
  3. number of people believed to be affected;
  4. the types of information involved (eg student details, emails, staff details, business analytics, health information, audiovisual materials).

(13) All UNE Representatives must cooperate with data breach investigations.

Assess and contain

(14) The UNE Senior Privacy and GIPA Officer will immediately:

  1. conduct a review of the information provided using the Harm Identification and Action Tables and Personal Information Risk Categories;
  2. complete the Data Breach Investigation Checklist; and
  3. inform the Director Governance and University Secretary.

(15) The Senior Privacy and GIPA Officer will identify whether the suspected data breach is:

  1. non-technology related breach (e.g. hard copy files, verbal disclosure); or
  2. technology related (e.g. loss of laptop, compromised user account, social engineering, ransomware, information and email disclosure to an unintended recipient, hacking).

(16) If a suspected data breach is non-technology related, the Senior Privacy and GIPA Officer will take the necessary steps to contain the breach.

(17) If a suspected data breach is technology related, the Senior Privacy and GIPA Officer will escalate to the IT Security Operations Team, who will implement necessary containment measures in accordance with the Cyber Security Incident Response Plan, minimising harm to individuals and UNE.

(18) If a suspected data breach is technology related and is a minor breach, the Senior Privacy and GIPA Officer may have mitigated all harm during the preliminary investigation and will report all details to the IT Security Operations Team, including a description of the breach, action taken, outcome and reasons escalation is not required.

(19) Once notified, the IT Security Operations Team will make a preliminary assessment of the severity based on the Harm Identification and Action Tables and Personal Information Risk Categories. The IT Security Operations Team and the Senior Privacy and GIPA Officer will take reasonable steps to obtain and preserve evidence of any actual or suspected data breach.

(20) If a suspected data breach affects intellectual property, copyright or commercially sensitive information, concerns will be escalated to the appropriate UNE Representatives.

(21) The containment measures adopted by the Senior Privacy and GIPA Officer or IT Security Operations Team (in collaboration with system owners or administrators and third party vendors) could include:

  1. For a technology related breach:
    1. isolating the causes of the data breach in the relevant system, software or database;
    2. shutting down the compromised system, software or database;
    3. resetting log-in details and passwords (of staff, students or administrators) for compromised devices, systems or databases;
    4. quarantining compromised devices;
    5. recording evidence by taking screenshots of popups or messages, retaining emails sent and received, and collating system logs;
    6. activating the Cyber Security Incident Response Plan; and
    7. remotely disabling or deleting information on the lost device wherever technology permits.
  2. For a non-technology related breach:
    1. arranging a search of the site where the loss occurred by contacting any relevant authorities (e.g. the relevant bus company if left on a public bus or an airline if left on a plane).
  3. For any type of breach involving personal information:
    1. by email – recall the email from the recipient and/or ask the recipient not to read and to delete the email;
    2. by post – contact the recipient and ask them not to open or read the posted materials, and arrange for collection/return of the posted materials;
    3. by publication online – deactivate the link to the publication; and
    4. verbal disclosure – meeting with the recipients of the information and witnesses of the incident to discuss the importance of confidentiality, and request information not be disclosed further.

Part C - Subsequent actions

Data Breach Management Team (DBMT)

(22) After initial assessment of harm by the IT Security Operations Team or the Privacy Officer, subject experts will be utilised as necessary. If the extent and likelihood of harm are categorised as extreme risk on the Harm Identification Table and Personal Information Risk Categories, the Data Breach Management Team (DBMT) will be activated in consultation with the Emergency Control Organisation (see the Data Breach Escalation and Team Structures). The team will consist of the following members as required:

  1. Data Breach Coordinator – Senior Privacy and GIPA Officer;
  2. Risk Coordinator – Manager (Compliance) or nominee;
  3. TDS Coordinator – Chief Information Officer or nominee;
  4. P&C Coordinator – Director People and Culture or nominee (required if the breach occurred as a result of the actions of, or impacts, a staff member);
  5. Communications Coordinator – Director Corporate Communications and Events or nominee (required for advice and approval of large scale communications to staff, students and/or the wider community);
  6. Specialist support –
    1. Chief Financial Officer or nominee (required when financial or insurance advice, or financial approval for remediation measures, is required);
    2. Director Legal Services or nominee; and
    3. Specialist (Records and Governance) or nominee.

(23) The Senior Privacy and GIPA Officer will record the membership of the formed DBMT for each breach in UNE’s Records Management System (RMS) and review the membership regularly to maintain currency.

Investigation

(24) The associated Data Breach Management Process explains the process of identification, investigation and the escalation points.

(25) Consistent documentation of the decision, escalation, and risk assessment is required for the management of external notification and investigation, assisted by the Data Breach Investigation Checklist. The Senior Privacy and GIPA Officer and the IT Security Operations Team will ensure necessary records are stored in the Records Management System (RMS) in accordance with the Records Management Rule.

(26) Any data breach will be dealt with on a case-by-case basis utilising the Data Breach Investigation Checklist. The assessment of harm and associated risk using the Harm Identification Table and Personal Information Risk Categories, will inform the appropriate course of action, which may include:

  1. containment measures;
  2. retrieving the personal information if possible;
  3. documentation of all evidence;
  4. consultation with the IT Security Operations Team and DBMT;
  5. conducting initial investigation and collecting information about the breach, including:
    1. date, time, duration and location of breach;
    2. type of personal information involved in the breach;
    3. how the breach was discovered and by whom;
    4. cause and extent of the breach;
    5. list of the affected individuals, or possibly affected individuals; and
    6. the risk of harm to the affected individuals (based on the Harm Identification and Action Tables and Information Risk Categories).
  6. consultation with the Information and Privacy Commission NSW (IPC) or Office of the Australian Information Commissioner (OAIC) where appropriate;
  7. engaging cyber security or forensic experts where appropriate;
  8. conducting risk/harm assessment; and
  9. liaison with or escalation to the ECO.

(27) The documentation compiled during the investigation, assessment and notification phases (with reference to the Data Breach Investigation Checklist) including the mandatory notification report, will inform reporting by the DBMT to the Director Governance and University Secretary, Chief Information Officer, Senior Executive Team and Council as informed by the assigned category in the Harm Action Table.

(28) The DBMT must prepare a report on its activities for the purposes of review and remediation.

(29) The DBMT must provide support to the Senior Privacy and GIPA Officer in relation to UNE’s mandatory notification obligations.

Part D - Mandatory notification

NSW Mandatory Notification of Data Breach (MNDB) Scheme

(30) UNE is subject to the NSW Mandatory Notification of Data Breach (MNDB) Scheme under Part 6A of the Privacy and Personal Information Protection Act 1998, which establishes a mandatory requirement for NSW public sector agencies to notify the Privacy Commissioner and affected individuals of eligible data breaches.

(31) In accordance with s59ZJ of the PPIP Act, the functions of the Vice-Chancellor and Chief Executive Officer, as the head of the University for the purposes of Part 6A of the PPIP Act, are delegated to the Director Governance and University Secretary. The Senior Privacy and GIPA Officer will advise the Director Governance and University Secretary, who will decide when an eligible data breach has occurred.

(32) If the Director Governance and University Secretary decides that an eligible data breach has occurred, the notification process under Part 6A of the PPIP Act is triggered. The Senior Privacy and GIPA Officer is responsible for all communications issued under the MNDB Scheme. There are four elements of the notification process:

  1. Notify the NSW Privacy Commissioner immediately after an eligible data breach is identified using the approved Data Breach Notification to the Privacy Commissioner Form.
  2. Determine whether an exemption applies: if one of the six exemptions set out in Division 4 of the MNDB Scheme applies in relation to an eligible data breach, the IPC may not be required to notify affected individuals. The IPC has produced guidance to agencies on exemptions from notifications.
  3. Notify individuals: unless an exemption applies, the Senior Privacy and GIPA Officer notifies affected individuals or their authorised representative as soon as reasonably practicable.
  4. Provide further information to the Privacy Commissioner.

When to notify

(33) Individuals/organisations affected by a data breach will be notified as soon as practicable. Where all individuals affected by an eligible data breach cannot be notified, UNE will consider issuing a public notification on its website.

How to notify

(34) Affected individuals/organisations should be notified directly – by telephone, letter, email or in person. Indirect notification, such as information posted on UNE’s website, a public notice in a newspaper, or a media release, should generally only occur where the contact information of affected individuals/organisations is unknown, or where direct notification is prohibitively expensive or could cause further harm, for example by alerting a person who stole a laptop to the value of the information it contains. A record of any public notification of a data breach will be published on UNE’s website and recorded on the Public Data Breach Register for a period of twelve months.

What to say

(35) Section 59O of the Privacy and Personal Information Protection Act 1998 sets out specific information that must, if reasonably practicable, be included in a notification:

  1. the date the breach occurred;
  2. a description of the breach;
  3. how the breach occurred;
  4. the type of breach that occurred;
  5. the personal information included in the breach;
  6. the amount of time the personal information was disclosed for;
  7. actions that have been taken or are planned to secure the information, or to control and mitigate the harm;
  8. recommendations about the steps an individual should take in response to the breach;
  9. information about complaints and reviews of agency conduct;
  10. the name of agencies that were subject to the breach; and
  11. contact details for the agency subject to the breach or the nominated person to contact about the breach.

(36) In the event of a data breach affecting personal information that is jointly held between UNE and another agency, each agency is required to assess the breach and, if the breach is determined to be an eligible breach, each agency must notify the Privacy Commissioner. However, only one of the affected agencies is required to notify affected individuals or make a public notification (if required).

(37) The Senior Privacy and GIPA Officer will liaise with the privacy representative of the other agency to determine which agency has the most direct relationship with the affected individuals, as that agency will be best placed to notify and provide direct support as required.

Commonwealth Notifiable Data Breaches (NDB) Scheme

(38) UNE is subject to the national Notifiable Data Breaches (NDB) Scheme under Part IIIC of the Privacy Act 1988, which establishes a mandatory notification requirement for federal agencies and any agency collecting TFNs in relation to eligible data breaches. In circumstances of unauthorised access to or disclosure of a TFN, UNE must make a mandatory report within 30 days to the OAIC if the breach is likely to result in serious harm to any individual which could not be adequately prevented.

(39) The Senior Privacy and GIPA Officer will prepare mandatory notifications for the IPC and OAIC as appropriate.

(40) The DBMT, with input from relevant business areas or system owners or administrators, is responsible for managing any other mandatory or voluntary notifications to the following parties as appropriate (text must be reviewed by the Senior Privacy and GIPA Officer, who will liaise with the Communications team and Legal Services as appropriate, prior to sending):

  1. affected individuals;
  2. OAIC – a formal notification through the OAIC’s NDB form should be completed;
  3. IPC;
  4. internal staff;
  5. financial services provider;
  6. police or law enforcement bodies;
  7. the Australian Securities and Investments Commission (ASIC);
  8. the Australian Taxation Office (ATO);
  9. the Australian Transaction Reports and Analysis Centre;
  10. the Australian Cyber Security Centre;
  11. the Australian Digital Health Agency;
  12. the NSW Department of Health;
  13. professional associations and regulatory bodies;
  14. insurance providers;
  15. NSW Department of Finance, Services and Innovation; and
  16. The NSW Chief Cyber Security Officer.

Part E - Review and remediation

(41) After notifications and reports have been finalised, the incident will be reviewed and changes to current procedures recommended to ensure future breaches are prevented or better managed. Items for review and remediation include:

  1. root cause analysis of the breach (including a full investigation if required) and report to Data Breach Coordinator, Risk Coordinator, TDS Coordinator and P&C Coordinator as appropriate;
  2. implementation of a strategy to address any identified weaknesses in data handling that contributed to the breach;
  3. involvement of external partners (where necessary);
  4. policy and procedure (including updates to the security and response plans);
  5. internal processes;
  6. staff training practices; and
  7. the option of an audit to ensure necessary outcomes are enacted.

Part F - Prevention

(42) To prevent data breaches and mitigate the extent of harm to individuals and UNE, all UNE Representatives must ensure:

  1. they report suspected data breach incidents to the Senior Privacy and GIPA Officer;
  2. they participate in data breach investigations as required;
  3. they assist in the prevention of data breaches through compliance with this policy;
  4. appropriate review of all systems, applications, or services incorporating personal information has occurred prior to implementation;
  5. wherever possible that contracts or service agreements incorporate clauses specifying notification time frames and investigation support related to data breaches;
  6. notification of data breaches from third party vendors occurs within 48 hours from discovery of the potential breach;
    1. notification from third party vendors is reported immediately (within 24 hours) to privacy@une.edu.au;
  7. changes to privacy policies, data processing arrangements, data storage locations, service agreements or other vendor documents impacting personal information, which are communicated to system owners or administrators, are also communicated to the Senior Privacy and GIPA Officer and Cyber Security Team;
  8. appropriate assignment of funds to sufficiently manage risks and implement appropriate remediation measures when considering implementation of a new application or system or renewal of an existing one;
  9. they remain vigilant and sceptical of unusual circumstances or behaviours and report any concerns to immediate supervisors or privacy@une.edu.au; and
  10. they maintain currency of knowledge of all privacy and security policies and complete all available cyber security and privacy training.

Part G - Summary of roles and responsibilities

UNE Representatives

  1. Report suspected data breach incidents to the Senior Privacy and GIPA Officer.
  2. Participate in data breach investigations as required.
  3. Maintain awareness and complete all required cyber security and privacy training.
  4. Assist in the prevention of data breaches through compliance with this Policy.

System owners or administrators

  1. Report notifications of breaches received from third party vendors to privacy@une.edu.au, including all relevant documentation.
  2. Assist as required with all investigations managed by the Senior Privacy and GIPA Officer, IT Security Operations Team, or DBMT.
  3. Ensure appropriate mechanisms for breach management response are included in all service agreements/contracts related to systems, applications or services that incorporate personal information.
  4. Ensure appropriate assignment of funds to sufficiently manage risks and implement appropriate remediation measures when considering implementation of a new application or system or renewal of an existing one.
  5. Ensure any communications with impacted parties or external bodies are first communicated to the Privacy Officer for review.

Senior Privacy and GIPA Officer

  1. Receive reports of suspected data breaches and conduct preliminary investigation utilising the Data Breach Investigation Checklist and the Harm Identification and Action Tables and Personal Information Risk Categories.
  2. Escalate technology based data breaches to the IT Security Operations Team.
  3. Escalate data breaches involving fraud or misconduct to Internal Audit as required.
  4. Assess whether an eligible data breach has occurred.
  5. Assess containment and remediation actions of a non-technological data breach.
  6. Remediate harm and preserve evidence.
  7. Assess notification requirements.
  8. Participate in security incident response as an integral member of the Security Incident Management Team.
  9. Submit the notification report as required with the IPC and/or the OAIC.

Internal Audit

  1. Receive data breach reports from the Privacy Officer.
  2. Provide risk-based advice on the data breach and the potential responses required.
  3. Provide information and reporting to the Independent Commission Against Corruption (ICAC), the Audit Office of New South Wales (AONSW) and the New South Wales Police Force (NSW Police) as required.

Chief Financial Officer (CFO)

  1. Liaise with the insurer as required.
  2. Provide budget authorisation for remedial actions.

Chief Information Officer (CIO)

  1. With assistance from the Information Technology and Digital Services Command Team, oversee the activities of the Security Incident Management Team.
  2. Participate in the Data Breach Response Team.
  3. Liaise with the Cyber Security insurance provider as required and secure cyber security forensic capabilities where necessary.
  4. Inform the Australian Signals Directorate (ASD) as required.

Director Governance and University Secretary (DGUS)

  1. Lead the Data Breach Management Team.
  2. Act as an escalation point for the Senior Privacy and GIPA Officer – assess notification requirements and prepare reports where required.

IT Security Operations Team

  1. Receive information technology related data breach reports from the Senior Privacy and GIPA Officer.
  2. Analyse, contain and investigate information technology based data breaches (breaches involving personal information stored on or in computers or digital systems within the context of UNE business operations) in alignment with the Cyber Security Incident Response Plan.
  3. Document all actions taken during the containment of a data breach in alignment with the Data Breach Investigation Checklist.
  4. Liaise with the system owner and third party vendor as required.
  5. Keep the Chief Information Officer informed.
  6. Participate in data breach investigations as required.
  7. Conduct post incident review and provide reports to the Chief Information Officer.

Data Breach Management Team (DBMT)

  1. Assess the impact, harm and legal implications of escalated data breaches.
  2. Assess containment and remediation actions of data breaches.
  3. Remediate harm and preserve evidence.
  4. Manage and implement appropriate communications with the UNE community as required.
  5. Keep the Emergency Control Organisation informed of the status of the data breach.
  6. Escalate significant data breaches (categorised as Extreme on the Harm Action Table) to the Emergency Control Organisation.

Emergency Control Organisation (ECO)

  1. Receive assessment information (impact, harm and legal implications) on data breaches.
  2. Lead and manage the data breach response in alignment with the Cyber Security Incident Response Plan.
  3. Approve external technological support where required.

Section 2 - Authority and Compliance

Authority

(43) The Vice-Chancellor and Chief Executive Officer, pursuant to s 29 of the University of New England Act 1993 (NSW), makes this University policy.

(44) All UNE Representatives must observe this policy in relation to University matters. Records Policy & Governance can provide guidance to UNE Representatives on matters covered by this policy.

(45) The Director Governance and University Secretary is authorised to make procedures and processes for the effective implementation and operation of this policy, and to publish as associated documents any tool that will assist with compliance.

Compliance

(46) This policy is consistent with the Privacy and Personal Information Protection Act 1998 and Privacy Act 1988.

(47) This policy operates as and from the Effective Date. Previous policies on data breach management are replaced and have no further operation from the Effective Date.

(48) Notwithstanding other provisions of this policy, the Vice-Chancellor and Chief Executive Officer may approve an exception to this policy where the Vice-Chancellor and Chief Executive Officer determines the application of this policy would otherwise lead to an unfair, unreasonable or absurd outcome.  Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must:

  1. be documented in writing;
  2. state the reason for the exception; and
  3. be registered in the approved UNE electronic Records Management System (RMS) in accordance with the Records Management Rule.

Section 3 - Quality Assurance

(49) The implementation of this Policy will be supported through:

  1. quarterly reporting to the Director Governance and University Secretary regarding any breach notifications and investigations; and
  2. reporting of data breach notifications and post investigation recommendations to the ITD Management Team and Information System owners.

(50) This Data Breach Policy shall be reviewed and tested annually to ensure its compliance and effectiveness.

Section 4 - Definitions

(51) Data breach:

  1. A data breach occurs when a failure or potential failure causes unauthorised access to UNE’s data. When this access involves the unauthorised access to, disclosure of or loss of personal information of UNE staff, students or community members, it can cause serious harm to individuals.
  2. Whilst external attacks are of great concern, many breaches are a result of human error, carelessness or technical faults rather than malicious intent.
  3. A minor data breach may be considered where unauthorised access, disclosure or loss of personal information occurs, but the impact is minimal and poses little to no risk of serious harm to individuals. This should be determined by the Senior Privacy and GIPA Officer, in consultation with the IT Security Operations Team, where necessary.

(52) Eligible Data Breach: 

  1. there is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, or
  2. personal information held by a public sector agency is lost in circumstances where –
    1. unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
    2. if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates. 

(53) Emergency Control Organisation - The entity responsible for UNE’s Incident and Emergency activities during the Prevention, Preparedness, Response and Recovery (PPRR) phases (the four stages of the Emergency Management Cycle).

(54) Personal Information - As defined in the Privacy and Personal Information Protection Act 1998 (section 4) and the Privacy Act 1988 (section 6(1)), personal information is any information or an opinion about an identified individual, or information about an individual whose identity can be readily ascertained. Whether information is considered identifiable depends on a number of factors, including context, access, and number of data points. It includes but is not limited to:

  1. personal details such as name, address, and other contact information about an individual;
  2. photographs, images, video or audio footage;
  3. fingerprints, blood or DNA;
  4. employee details;
  5. credit information;
  6. banking and financial information; and
  7. unique government identifiers such as Medicare numbers or National Unique Student identifiers.

(55) Sensitive Information - In accordance with the Privacy and Personal Information Protection Act 1998 (NSW) sensitive information includes:

  1. ethnic or racial origin;
  2. political opinions;
  3. religious or philosophical beliefs;
  4. trade union membership; or
  5. sexual activities.

(56) Health information - The collection and use of health information is outlined in the Health Records and Information Privacy Act 2002 which aims to promote the fair and responsible handling of health information. Health information includes:

  1. any information or an opinion pertaining to the physical or mental health or disability of an individual, their express wishes about the future provision of health care and details of any health services provided or to be provided to them;
  2. other personal information collected to provide, or when providing, a health service; or
  3. personal information about an individual collected in connection with the donation or intended donation of an individual’s body parts, organs or body substances;
  4. any genetic information about an individual arising from a health service provided to that individual, that is, or could be, predictive of the health (at any time) of that individual or a genetic relative; or
  5. healthcare identifiers.

(57) The Security Incident Management Team (SIMT) - will incorporate the Security Operations Team, the Senior Privacy and GIPA Officer, and TDS team leaders/managers as appropriate, as overseen by the Chief Information Officer and TDS at UNE.
