Data Breach Policy

Section 1 - Purpose and scope

(1) This Data Breach Policy is made as required by s 59ZD of the Privacy and Personal Information Protection Act 1998 and pursuant to the Privacy Management Rule.

(2) This policy documents UNE’s plan for responding to a data breach. It establishes the roles and responsibilities of UNE Representatives.

(3) This policy should be read with:

(4) A summary of the process for responding to a data breach can be found in the Data Breach Management Process and the Data Breach Incident Escalation Process and Team Structures documents.

(5) Within this policy:

Part A - What is a data breach?

(6) A data breach occurs when any information (whether digital or hard copy) held by UNE is lost or subject to unauthorised access (both internal and external to the University), disclosure, modification or misuse. This includes verbal disclosures of information.

(7) Where a data breach involving personal information or health information occurs, and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, the data breach constitutes an ‘eligible data breach’. Eligible data breaches are subject to the mandatory data breach notification obligations prescribed by the Privacy and Personal Information Protection Act 1998 (and, in certain circumstances, other privacy laws).

(8) Whatever the cause of the data breach, harm can result to students or UNE Representatives. Harm includes financial, social, reputational, psychological or physical impacts to an individual and reputational or financial damage to UNE, and need only impact one person.

(9) Examples of data breaches include:

(10) ‘Eligible data breach’ is a term defined in the Privacy and Personal Information Protection Act 1998 as follows:

(1) For the purposes of this Part, an eligible data breach means:
a. there is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, or
b. personal information held by a public sector agency is lost in circumstances where –
i. unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
ii. if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.
(2) An individual specified in subsection (1)(a) or (1)(b)(ii) is an affected individual.
(3) To avoid doubt, an eligible data breach may include the following –
a. a data breach that occurs within a public sector agency,
b. a data breach that occurs between public sector agencies,
c. a data breach that occurs by an external person or entity accessing data held by a public sector agency without authorisation.

(11) Personal information is a term defined in the PPIP Act as:

“information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”

Part B - Preliminary response to a data breach

Immediate report

(12) All suspected data breaches must be immediately reported to the UNE Senior Privacy and GIPA Officer via privacy@une.edu.au.

(13) All

Assess and contain

(14) The UNE Senior Privacy and GIPA Officer will immediately:

(15) The Senior Privacy and GIPA Officer will identify whether the suspected data breach is:

(16) If a suspected data breach is non-technology related, the Senior Privacy and GIPA Officer will take the necessary steps to contain the breach.

(17) If a suspected data breach is technology related, the Senior Privacy and GIPA Officer will escalate it to the IT Security Operations Team, who will implement the necessary containment measures in accordance with the Cyber Security Incident Response Plan, minimising harm to individuals and UNE.

(18) If a suspected data breach is technology related and is a minor breach, the Senior Privacy and GIPA Officer may have mitigated all harm during the preliminary investigation and will report all details to the IT Security Operations Team, including a description of the breach, the action taken, the outcome and the reasons escalation is not required.

(19) Once notified, the IT Security Operations Team will make a preliminary assessment of the severity based on the Harm Identification and Action Tables and Personal Information Risk Categories. The IT Security Operations Team and the Senior Privacy and GIPA Officer will take reasonable steps to obtain and preserve evidence of any actual or suspected data breach.

(20) If a suspected data breach affects intellectual property, copyright or commercially sensitive information, concerns will be escalated to the appropriate UNE Representatives.

(21) The containment measures adopted by the Senior Privacy and GIPA Officer or IT Security Operations Team (in collaboration with system owners or administrators and third party vendors) could include:

Part C - Subsequent actions

Data Breach Management Team (DBMT)

(22) After the initial assessment of harm by the IT Security Operations Team or the Privacy Officer, subject experts will be utilised as necessary. If the extent and likelihood of harm are categorised as extreme risk on the Harm Identification Table and Personal Information Risk Categories, the Data Breach Management Team (DBMT) will be activated in consultation with the Emergency Control Organisation (see the Data Breach Escalation and Team Structures). The team will consist of the following members as required:

(23) The Senior Privacy and GIPA Officer will record the membership of the formed DBMT for each breach in UNE’s

Investigation

(24) The associated Data Breach Management Process explains the process of identification, investigation and the escalation points.

(25) Consistent documentation of the decision, escalation and risk assessment is required for the management of external notification and investigation, assisted by the Data Breach Investigation Checklist. The Senior Privacy and GIPA Officer and the IT Security Operations Team will ensure the necessary records are stored in the

(26) Any data breach will be dealt with on a case-by-case basis utilising the Data Breach Investigation Checklist. The assessment of harm and associated risk using the Harm Identification Table and Personal Information Risk Categories will inform the appropriate course of action, which may include:

(27) The documentation compiled during the investigation, assessment and notification phases (with reference to the Data Breach Investigation Checklist), including the mandatory notification report, will inform reporting by the DBMT to the Director Governance and University Secretary, Chief Information Officer, Senior Executive Team and Council, as determined by the category assigned in the Harm Action Table.

(28) The DBMT must prepare a report on its activities for the purposes of review and remediation.

(29) The DBMT must provide support to the Senior Privacy and GIPA Officer in relation to UNE’s mandatory notification obligations.

Part D - Mandatory notification

NSW Mandatory Notification of Data Breach (MNDB) Scheme

(30) UNE is subject to the NSW Mandatory Notification of Data Breach (MNDB) Scheme under Part 6A of the Privacy and Personal Information Protection Act 1998, which requires NSW public sector agencies to notify the Privacy Commissioner and affected individuals of eligible data breaches.

(31) In accordance with s59ZJ of the PPIP Act, the functions of the Vice-Chancellor and Chief Executive Officer, as the head of the University for the purposes of Part 6A of the PPIP Act, are delegated to the Director Governance and University Secretary. The Senior Privacy and GIPA Officer will advise the Director Governance and University Secretary, who will decide when an eligible data breach has occurred.

(32) If the Director Governance and University Secretary decides that an eligible data breach has occurred, the notification process under Part 6A of the PPIP Act is triggered. The Senior Privacy and GIPA Officer is responsible for all communications issued under the MNDB Scheme. There are four elements of the notification process:

When to notify

(33) Individuals/organisations affected by a data breach will be notified as soon as practicable. Where all individuals affected by an eligible data breach cannot be notified, UNE will consider issuing a public notification on its website.

How to notify

(34) Affected individuals/organisations should be notified directly – by telephone, letter, email or in person. Indirect notification, such as information posted on UNE’s website, a public notice in a newspaper or a media release, should generally only occur where the contact information of affected individuals/organisations is unknown, or where direct notification is prohibitively expensive or could cause further harm, for example by alerting a person who stole a laptop to the value of the information it contains. A record of any public notification of a data breach will be published on UNE’s website and recorded on the Public Data Breach Register for a period of twelve months.

What to say

(35) Section 59O of the Privacy and Personal Information Protection Act 1998 sets out specific information that must, if reasonably practicable, be included in a notification:

(36) In the event of a data breach affecting personal information that is jointly held between UNE and another agency, each agency is required to assess the breach and, if the breach is determined to be an eligible breach, each agency must notify the Privacy Commissioner. However, only one of the affected agencies is required to notify affected individuals or make a public notification (if required).

(37) The Senior Privacy and GIPA Officer will liaise with the privacy representative of the other agency to determine which agency has the most direct relationship with the affected individuals, as that agency will be best placed to notify them and provide direct support as required.

Commonwealth Notifiable Data Breaches (NDB) Scheme

(38) UNE is subject to the national Notifiable Data Breaches (NDB) Scheme under Part IIIC of the Privacy Act 1988, which requires federal agencies and any agency collecting TFNs to notify eligible data breaches. In circumstances of unauthorised access to or disclosure of a TFN, UNE must make a mandatory report within 30 days to the OAIC if the breach is likely to result in serious harm to any individual which could not be adequately prevented.

(39) The Senior Privacy and GIPA Officer will prepare mandatory notifications for the IPC and OAIC as appropriate.

(40) The DBMT, with input from relevant business areas or system owners or administrators, is responsible for managing any other mandatory or voluntary notifications to the following parties as appropriate (text must be reviewed by the Senior Privacy and GIPA Officer, who will liaise with the Communications team and Legal Services as appropriate, prior to sending):

Part E - Review and remediation

(41) After notifications and reports have been finalised, the incident will be reviewed and changes to current procedures recommended to ensure future breaches are prevented or better managed. Items for review and remediation include:

Part F - Prevention

(42) To prevent data breaches and mitigate the extent of harm to individuals and UNE, all

Part G - Summary of roles and responsibilities

Role
Responsibilities
System owners or administrators
Senior Privacy and GIPA Officer
Internal Audit
Chief Financial Officer (CFO)
Chief Information Officer (CIO)
Director Governance and University Secretary (DGUS)
IT Security Operations Team
Data Breach Management Team (DBMT)
Emergency Control Organisation (ECO)
Report suspected data breach incidents to the Senior Privacy and GIPA Officer.
Participate in data breach investigations as required.
Maintain awareness and complete all required cyber security and privacy training.
Assist in the prevention of data breaches through compliance with this Policy.
Report notifications of breaches received from third party vendors to privacy@une.edu.au, including all relevant documentation.
Assist as required with all investigations managed by the Senior Privacy and GIPA Officer, IT Security Operations Team, or DBMT.
Ensure appropriate mechanisms for breach management response are included in all service agreements/contracts related to systems, applications or services that incorporate personal information.
Ensure appropriate assignment of funds to sufficiently manage risks and implement appropriate remediation measures when considering implementation of a new application or system or renewal of an existing one.
Ensure any communications with impacted parties or external bodies are first communicated to the Privacy Officer for review.
Receive reports of suspected data breaches and conduct preliminary investigation utilising the Data Breach Investigation Checklist and the Harm Identification and Action Tables and Personal Information Risk Categories.
Escalate technology based data breaches to the IT Security Operations Team.
Escalate data breaches involving fraud or misconduct to Internal Audit as required.
Assess whether an eligible data breach has occurred.
Assess containment and remediation actions of a non-technological data breach.
Remediate harm and preserve evidence.
Assess notification requirements.
Participate in security incident response as an integral member of the Security Incident Management Team.
Submit the notification report as required with the IPC and/or the OAIC.
Receive data breach reports from the Privacy Officer.
Provide risk-based advice on the data breach and the potential responses required.
Provide information and reporting to the Independent Commission Against Corruption (ICAC), the Audit Office of New South Wales (AONSW) and the New South Wales Police Force (NSW Police) as required.
Liaise with the insurer as required.
Provide budget authorisation for remedial actions.
With assistance from the Information Technology and Digital Services Command Team, oversee the activities of the Security Incident Management Team.
Participate in the Data Breach Response Team.
Liaise with the Cyber Security insurance provider as required and secure cyber security forensic capabilities where necessary.
Inform the Australian Signals Directorate (ASD) as required.
Lead the Data Breach Management Team.
Act as an escalation point for the Senior Privacy and GIPA Officer – assess notification requirements and prepare reports where required.
Receive information technology related data breach reports from the Senior Privacy and GIPA Officer.
Analyse, contain and investigate information technology based data breaches (breaches involving personal information stored on or in computers or digital systems within the context of UNE business operations) in alignment with the Cyber Security Incident Response Plan.
Document all actions taken during the containment of a data breach in alignment with the Data Breach Investigation Checklist.
Liaise with the system owner and third party vendor as required.
Keep the Chief Information Officer informed.
Participate in data breach investigations as required.
Conduct post incident review and provide reports to the Chief Information Officer.
Assess the impact, harm and legal implications of escalated data breaches.
Assess containment and remediation actions of data breaches.
Remediate harm and preserve evidence.
Manage and implement appropriate communications with the UNE community as required.
Keep the Emergency Control Organisation informed of the status of the data breach.
Escalate significant data breaches (categorised as Extreme on the Harm Action Table) to the Emergency Control Organisation.
Receive assessment information (impact, harm and legal implications) on data breaches.
Lead and manage the data breach response in alignment with the Cyber Security Incident Response Plan.
Approve external technological support where required.

Section 2 - Authority and Compliance

Authority

(43) The Vice-Chancellor and Chief Executive Officer, pursuant to section 29 of the University of New England Act 1993 (NSW), makes this University policy.

Compliance

(44) All

(45) The Director Governance and University Secretary is authorised to make procedures and processes for the effective implementation and operation of this policy, and to publish as associated documents any tool that will assist with compliance.

(46) This policy is consistent with the Privacy and Personal Information Protection Act 1998 and the Privacy Act 1988.

(47) This policy operates as and from the

(48) Notwithstanding other provisions of this policy, the Vice-Chancellor and Chief Executive Officer may approve an exception to this policy where the Vice-Chancellor and Chief Executive Officer determines that the application of this policy would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must:

Section 3 - Quality Assurance

(49) The implementation of this Policy will be supported through:

(50) This Data Breach Policy shall be reviewed and tested annually to ensure its compliance and effectiveness.

Section 4 - Definitions

(51) Data breach:

(52) Eligible Data Breach:

(53) Emergency Control Organisation - The entity responsible for UNE’s Incident and Emergency activities during the Prevention, Preparedness, Response and Recovery (PPRR) phases (the four stages of the Emergency Management Cycle).

(54) Personal Information - As defined in the Privacy and Personal Information Protection Act 1998 (section 4) and the Privacy Act 1988 (section 6(1)), personal information is any information or an opinion about an identified individual, or information about an individual whose identity can be readily ascertained. Whether information is considered identifiable depends on a number of factors, including context, access and the number of data points. It includes but is not limited to:

(55) Sensitive Information - In accordance with the Privacy and Personal Information Protection Act 1998 (NSW), sensitive information includes:

(56) Health information - The collection and use of health information is outlined in the Health Records and Information Privacy Act 2002, which aims to promote the fair and responsible handling of health information. Health information includes:

(57) The Security Incident Management Team (SIMT) - incorporates the Security Operations Team, the Senior Privacy and GIPA Officer, and TDS team leaders/managers as appropriate, and is overseen by the Chief Information Officer and TDS at UNE.