(1) This Policy supports the UNE Governance Framework’s Information Governance functions and assists the University of New England in preparing for and responding to
(2) The objective of this Policy is to describe UNE’s approach to reducing the risks associated with data breaches. The approach includes the immediate containment and mitigation of harm, evidentiary and reporting requirements, and future strategies to improve the management of personal information, reducing the likelihood of a breach reoccurring.
(3) Within this Policy:
(4) The Data Breach Policy applies to:
(5) A data breach occurs when there is a failure that has caused, or has the potential to cause, unauthorised access to, disclosure of, or loss of UNE physical or digital data containing personal information.
(6) Data breaches are serious and can potentially harm individuals and organisations.
(7) Protect
(8) Provide access to
(9) Report data breaches immediately.
(10) Respond to data breaches within the required legislative and UNE timeframes.
(11) Comply with voluntary and compulsory reporting schemes.
(12) UNE keeps an up-to-date Data Breach Response Plan that defines:
(13) The Data Breach Response Plan outlines the processes, roles and responsibilities for managing data breaches at UNE and should be read in conjunction with the Information Security Policy, Emergency Management Plan, Privacy Management Rule, and the IT Service Continuity and Disaster Recovery Plan.
(14) A suspected data breach is any event that may have involved unauthorised access to, unauthorised disclosure of, or loss of data involving
(15) All
(16) Assessment of all reported suspected data breaches is completed by the UNE Privacy Officer.
(17) Data breaches are assessed for harm, impact and risk as defined in the UNE Data Breach Response Plan.
(18) Roles and responsibilities for responding to data breaches, and escalation points, are defined in the Data Breach Response Plan.
(19) This Data Breach Policy is made by the Vice-Chancellor and Chief Executive Officer consistent with section 29 of the University of New England Act 1993 (NSW).
(20) The Custodian of this Policy and Rule, the Director Governance and University Secretary, is authorised to make minor administrative updates to this Policy, and to publish as associated documents any tool that will assist with compliance.
(21) The Data Breach Response Plan is the responsibility of the Director Governance and University Secretary and is approved by the Information Technology Governance Committee (VC Approved).
(22)
(23) This Policy is consistent with the:
(24) This Policy operates as and from the
(25) Previous policies relating to Data Breach Policies are replaced and have no further operation from the
(26) This Policy should be read in conjunction with the Privacy Management Rule.
(27) Quality Assurance regarding the effective implementation of the Data Breach Policy will be supported by:
(28) Data breach – is the unauthorised access to, unauthorised disclosure of, or loss of personal information.
(29) Unauthorised access – occurs when personal information that UNE holds is accessed by someone who is not permitted to have access.
(30) Unauthorised disclosure – is making personal information accessible or visible to others outside UNE, or in specific circumstances to unauthorised parties within UNE, in a way that is not permitted by the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002. This may be done intentionally or unintentionally.
(31) Data loss – is the accidental or inadvertent loss of personal information held by UNE and is likely to result in unauthorised access or unauthorised disclosure.

Privacy Management Rule - Annexure 1 - Data Breach Policy
Section 1 - Overview and Scope
Part A - What is a Data Breach
UNE and University Representatives responsibilities
UNE Data Breach Response Plan
Part B - Suspected data breach
Reporting a suspected data breach
Part C - UNE’s approach to responding to a data breach
Table 1 – Suspected data breach
Table 2 – Responding to a data breach
Section 2 - Authority and Compliance
Section 3 - Quality Assurance
Section 4 - Definitions (specific to this Policy)
Example Data Breach: A criminal group accesses the university network using login credentials stolen in a phishing email. They download student data from the past 20 years, including names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, bank account details, passport details and student academic records. The students suffer the financial and emotional impact of managing the ongoing threat of identity theft.
Example Data Breach: A lecturer, using their class contact list, accidentally emails all the students in a unit with the Special Assessment application of one of the students, Stevie. This contains health information and contact details. Some of the students make comments on social media about Stevie, and one emails it to Stevie’s family. Because of Stevie’s family’s cultural beliefs, they fear for both their physical safety and mental health. The information becoming public means there is a risk to Stevie’s future employment and social wellbeing.
Example Data Breach: A researcher accidentally leaves a folder of 50 consent forms for participants in a medical research project in a café. She rushes back to the café; however, the file is gone. Each form contained the person’s contact details, health status and signature. Once informed, many of the participants withdraw consent, reducing the viability of any findings. The relationship between the researcher and their funding body is irreversibly damaged. The University’s reputation is damaged because of exposing the individuals to potential identity theft and other harm.
Table 1 – Suspected data breach

1. Triage
   - Identify the suspected data breach
   - Take necessary steps to immediately limit the impact of the data breach
   - Notify the UNE Privacy Officer within 24 hours
2. Assess
   - Gather information on the suspected data breach
   - Evaluate the evidence and assess the level of harm, impact, and risk
   - Document the assessment
   - Decide reporting requirements

Table 2 – Responding to a data breach

1. Analyse
   - Undertake steps to reduce potential harm
   - Initiate a detailed investigation and engage specialist response team(s):
     o Security Incident Management Team (SIMT)
     o Data Breach Management Team (DBMT)
   - Enact the Data Breach Response Plan
2. Notify
   - Prepare and submit voluntary and/or mandatory notifications
   - Notify other relevant bodies
   - Notify affected individuals if not already completed as part of the mitigation steps
3. Remediate
   - Identify changes to prevent future breaches
   - Implement changes
   - Evaluate the effectiveness of implemented changes