DATA BREACH PROCEDURE & RESPONSE PLAN
This document sets out the processes to be followed by LWC Staff in the event that LWC experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) amended the Privacy Act 1988 to establish the Notifiable Data Breaches (NDB) scheme. Organisations covered by the Privacy Act must notify any individuals likely to be at risk of serious harm from an eligible data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Accordingly, LWC needs to be prepared to act quickly in the event of a data breach (or suspected breach), determine whether it is likely to result in serious harm, and determine whether it constitutes an NDB.
Adherence to the Procedure and Response Plan will ensure that LWC can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.
This Procedure and Response Plan has been informed by:
The Office of the Australian Information Commissioner’s “Guide to developing a data breach response plan”
The Office of the Australian Information Commissioner’s “Data breach notification guide: a guide to handling personal information security breaches”
The Privacy Act 1988 (Cth) and the Australian Privacy Principles (Schedule 1 of that Act)
3.1 Process where a data breach occurs or is suspected
Where a privacy data breach is known to have occurred (or is suspected), any member of LWC staff who becomes aware of this must alert Senior Management within 24 hours.
The Information that should be provided (if known) at this point includes:
When the breach occurred (time and date)
Description of the breach (type of personal information involved)
Cause of the breach (if known) otherwise how it was discovered
Which system(s) if any are affected?
Which individual / department / institute is involved?
Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)
A template can be found at Annexure A to assist in documenting the required information.
3.2 Assess and determine the potential impact
Once notified of the information above, Senior Management must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Coordinator should be contacted for advice.
3.2.1 Criteria for determining whether a privacy data breach has occurred.
a) Is personal information involved?
b) Is the personal information of a sensitive nature?
c) Has there been unauthorized access to personal information, or unauthorized disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?
3.2.2 Criteria for determining severity
a) The type and extent of personal information involved
b) Whether multiple individuals have been affected
c) Whether the information is protected by any security measures (password protection or encryption)
d) The person or kinds of people who now have access
e) Whether there is (or could there be) a real risk of serious harm to the affected individuals
f) Whether there could be media or stakeholder attention as a result of the breach or suspect breach.
Having considered the matters in 3.2.1 and 3.2.2, Senior Management must delegate management of the breach (or suspected breach) to one Senior Manager (the delegated Senior Manager) within 24 hours of being alerted under 3.1.
3.3 Senior Manager to issue pre-emptive instructions
On receipt of the delegation by Senior Management under 3.2, the delegated Senior Manager will take a preliminary view as to whether the breach (or suspected breach) may constitute an NDB. Accordingly, the delegated Senior Manager will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team). This will depend on the nature and severity of the breach.
3.3.1 Data breach managed at the Individual / Department / Institute level
Where the delegated Senior Manager instructs that the data breach is to be managed at the local level, the relevant Senior Manager must:
Ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorized access, shutting down or isolating the affected system); and
Submit a report via the Privacy Coordinator within 48 hours of receiving instructions under 3.3. The report must contain the following:
Description of breach or suspected breach
Outcome of action
Processes that have been implemented to prevent a repeat of the situation
Recommendation (for example, that no further action is necessary)
The delegated Senior Manager will be provided with a copy of the report and will sign-off that no further action is required.
The report will be logged by the General Manager.
3.3.2 Data breach managed by the Response Team
Where the delegated Senior Manager instructs that the data breach must be escalated to the Response Team, they will convene the Response Team and notify the General Manager.
The response team will consist of:
Senior Management Team & Duty Managers.
3.4 Primary role of the Response Team
There is no single method of responding to a data breach and each incident must be dealt with on a case by case basis by assessing the circumstances and associated risks to inform the appropriate course of action.
The following steps may be undertaken by the Response Team (as appropriate):
Immediately contain the breach (if this has not already occurred). Corrective action may include: retrieval or recovery of the personal information, ceasing unauthorized access, shutting down or isolating the affected system.
Evaluate the risks associated with the breach, including collecting and documenting all available evidence of the breach, having regard to the matters outlined in sections 3.2.1 and 3.2.2 above.
Call upon the expertise of, or consult with, relevant staff in the particular circumstances.
Engage an independent cyber security or forensic expert as appropriate.
Assess whether serious harm is likely (with reference to section 3.2.2 above and the relevant matters listed in section 26WG of the Privacy Act 1988, as inserted by the NDB Act)
Make a recommendation to the General Manager whether this breach constitutes an NDB for the purpose of mandatory reporting to the OAIC and the practicality of notifying affected individuals.
Consider developing a communication or media strategy including the timing, content and method of any announcements to members, staff or the media.
The Response Team must undertake its assessment within 48 hours of being convened.
The delegated Senior Manager will provide periodic updates to the General Manager as deemed appropriate.
3.5 Notification
Having regard to the Response Team’s recommendation in 3.4 above, the General Manager will determine whether there are reasonable grounds to believe that an NDB has occurred.
If there are reasonable grounds, the General Manager must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable, and in any event within the 30-day period the Act allows for assessing a suspected breach after becoming aware of it.
A template can be found at Annexure B.
If practicable, LWC must also notify each individual to whom the relevant personal information relates. Where impracticable, LWC must take reasonable steps to publicise the statement (including publishing on the website).
The prescribed statement will be logged by the General Manager.
LWC recognizes that notification to individuals / organisations affected by a data breach can assist in mitigating any damage for those affected and reflects positively on LWC’s reputation. Notification demonstrates a commitment to open and transparent governance, consistent with LWC’s approach. LWC adopts the approach that if the data breach creates a real risk of serious harm to the individual, the affected individuals should be notified. Prompt notification in these cases can help avoid or lessen the damage by enabling the individual / organisation to take steps to protect themselves.
There are occasions where notification can be counter-productive. For example, information collected may be less sensitive and notifying individuals may cause unnecessary anxiety and de-sensitize individuals to a significant privacy breach.
Factors LWC will consider when deciding whether notification is appropriate include:
What is the risk of harm to the individual / organization?
What steps has LWC taken to date to avoid or remedy any actual or potential harm?
What is the ability of the individual / organization to take further steps to avoid or remedy harm?
Even if the individual / organization would not be able to take steps to rectify the situation, is the information that has been compromised sensitive, or likely to cause humiliation or embarrassment for the individual / organization?
Are there any applicable legislative provisions or contractual obligations that require LWC to notify affected individuals?
The logistics of notifying affected individuals / organisations will depend in large part on the type and scale of the breach, as well as immediately practical issues such as having contact details for the affected individuals / organisations. Considerations include the following:
3.5.1 When to notify
In general, individuals/organisations affected by the breach should be notified as soon as practicable. Circumstances where it may be appropriate to delay notification include where notification would compromise an investigation into the cause of the breach or reveal a software vulnerability.
3.5.2 How to notify
Affected individuals/organisations should be notified directly - by telephone, letter, email or in person. Indirect notification – such as information posted on the LWC website, a public notice in a newspaper, or a media release – should generally only occur where the contact information of affected individuals/organisations is unknown, or where direct notification is prohibitively expensive or could cause further harm (for example, by alerting the person who stole a laptop to the value of the information it contains).
3.5.3 What to say
The notification advice will be tailored to the circumstances of the particular breach.
Content of a notification could include:
• information about the breach, including when it happened
• a description of what data has been disclosed
• assurances (as appropriate) about what data has not been disclosed
• what LWC is doing to control or reduce the harm
• what steps the person/organisation can take to further protect themselves and what LWC will do to assist people with this
• LWC contact details for questions or requests for information
• the right to lodge a privacy complaint with the OAIC.
The template at Annexure C will form the basis of the notification.
3.6 Secondary Role of the Response Team
Once the matters referred to in 3.4 and 3.5 have been dealt with, the Response Team should turn attention to the following:
Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence – this may involve a review of policies, processes, refresher training.
Prepare a report for submission to LWC’s governing body.
Consider the option of an audit to ensure necessary outcomes are effected and effective.
Updates to this procedure
This procedure is scheduled to be reviewed every five years or more frequently if appropriate.
Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:
T: 02 6350 7777
P: PO Box 747, Lithgow NSW 2790
ANNEXURE A: DATA BREACH PROCESS FORM
A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.
This form will assist LWC Staff in documenting the process where a data breach occurs, or is suspected, as per section 3 of the Data Breach Procedure & Response Plan (the Procedure).
If you require assistance with completing this form, contact Senior Management immediately.
T: 02 6350 7706
Section 1: Alert
LWC Staff are required to alert Senior Management within 24 hours of a data breach, or a suspected data breach, in accordance with section 3.1 of the Procedure.
Date of Breach: ________________________
Time of Breach: ________________________
Description of Breach: [Describe the type of personal information involved, eg contact details, date of birth] ________________________
Cause of breach: [If unknown, explain how the data breach was discovered] ________________________
Which system(s), if any, are affected?
Which individual / department / institute is involved?
Has corrective action occurred to remedy or ameliorate the breach or suspected breach? If so, what?
Alert made by: ________________________
Section 2: Assessment and Determination of Potential Impact
Senior Management must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The General Manager should be contacted for advice.
Senior Management must notify the General Manager of receipt of the Alert, together with their Assessment and Determination, in accordance with section 3.2 of the Procedure.
Alert received by:
Criteria for determining whether a privacy data breach has occurred
Is personal information* involved? Yes / No
Is the personal information of a sensitive* nature? Yes / No
Has there been unauthorized access* to personal information, or disclosure* of personal information, or loss* of personal information in circumstances where access to the information is likely to occur? Yes / No
Criteria for determining severity
Describe the type and extent of personal information involved:
Have multiple individuals been affected? Yes / No
If Yes, provide further details: ________________________
Confirm whether the information is protected by any security measures (eg password protection or encryption): Yes / No
If Yes, provide further details:
Provide details on the person or kinds of people who now have access:
Determine whether there is (or could be) a real risk of serious harm* to the affected individuals:
Determine whether there could be media or stakeholder attention as a result of the breach or suspected breach:
Section 3: Pre-emptive instructions by the delegated Senior Manager.
Under section 3.3 of the Procedure, the delegated Senior Manager will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team, depending on the nature and severity of the breach.
Notification received by:
How the data breach is to be managed:
Any further instructions issued by the delegated Senior Manager:
Date of Instruction: ________________________
Section 4: Data breach managed at Individual / Department / Institute Level
Where the delegated Senior Manager instructs that the data breach is to be managed at the local level, Senior Management must submit a report within 48 hours of receiving instructions from the delegated Senior Manager, in accordance with Section 3.3.1 of the Procedure.
Description of breach:
Outcome of action:
Processes implemented to prevent a repeat of the situation:
Any other information of relevance:
Recommendation to the General Manager [eg no further action is necessary]:
Report submitted by: ________________________
General Manager’s determination that no further action is necessary: Yes / No
ANNEXURE B: NOTIFIABLE DATA BREACH STATEMENT
This statement must be submitted to the Office of the Australian Information Commissioner as soon as practicable after becoming aware of the notifiable data breach (and no later than 30 days after becoming aware of the suspected breach), in accordance with section 3.5 of the Data Breach Procedure & Response Plan.
Part 1 refers to the requirements set out in section 26WK of the Privacy Act 1988, as inserted by the Privacy Amendment (Notifiable Data Breaches) Act 2017
Organisation Name ________________________
Contact Name ________________________
Contact Phone Number ________________________
Description of the Notifiable Data Breach that LWC has reasonable grounds to believe has happened
Kind(s) of personal information involved in the data breach
Other Sensitive Information
Steps LWC recommends that individuals take to reduce the risk that they experience serious harm as a result of this data breach
Other entities affected: Yes / No
Contact details: ________________________
Part 2 The information that LWC provides in part two of the form does not need to be included in the notification(s) to affected individuals, and LWC may request that it be held in confidence by the OAIC.
Date the breach occurred ________________________
Date the breach was discovered ________________________
Primary cause of the data breach (select one):
Malicious or criminal attack / Human error / System fault
Description of how the data breach occurred
Number of individuals whose personal information is involved in the data breach
Description of any action LWC has taken to assist individuals whose personal information was involved in the data breach
Description of any action LWC has taken to prevent reoccurrence
How does LWC intend to notify individuals who are likely to be at risk of serious harm as a result of the data breach?
When will this occur?
List any other data protection authorities, law enforcement bodies or regulatory bodies that you have reported this data breach to:
ANNEXURE C: NOTIFICATION TO AFFECTED INDIVIDUALS / ORGANISATIONS
I am writing to you with important information about a recent data breach involving your personal information / information about your organisation. LWC became aware of this breach on [date].
The breach occurred on or about [date] and occurred as follows:
(Describe the event, including as applicable the following:)
A brief description of what happened.
Description of the data that was inappropriately accessed, collected, used or disclosed.
Risk(s) to the individual / organization caused by the breach.
Steps the individual / organization should take to protect themselves from potential harm from the breach.
A brief description of what LWC is doing to investigate the breach, control or mitigate harm to individuals / organisations and to protect against further breaches.
We have established a section on our LWC website www.workies.com.au/updatedinfo with updated information and links to resources that offer information about this data breach.
We take our role in safeguarding your data and using it in an appropriate manner very seriously. Please be assured that we are doing everything we can to rectify the situation.
Please note that you are entitled to lodge a complaint with the Office of the Australian Information Commissioner with regard to this breach. Complaints may be lodged with the OAIC directly, or forwarded to LWC at the following:
M: PO Box 747, Lithgow NSW 2790
Should you have any questions regarding this notice or if you would like more information, please do not hesitate to contact me.
[Insert applicable name and contact information]