DATA BREACH POLICY

DATA BREACH PROCEDURE & RESPONSE PLAN

Policy

This procedure is governed by the Lithgow and District Workmen’s Club Ltd (LWC) Privacy Policy.

Introduction

LWC is committed to managing personal information in accordance with the Privacy Act 1988 (Cth) (the Act) and the LWC Privacy Policy.

This document sets out the processes to be followed by LWC Staff in the event that LWC experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established a Notifiable Data Breaches (NDB) scheme requiring organizations covered by the Act to notify any individuals likely to be at risk of serious harm by a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.

Accordingly, ACU needs to be prepared to act quickly in the event of a data breach (or suspected breach), and determine whether it is likely to result in serious harm and whether it constitutes an NDB.

Adherence to the Procedure and Response Plan will ensure that ACU can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.

This Procedure and Response Plan has been informed by:

The Office of the Australian Information Commissioner’s “Guide to developing a data breach response plan”
The Office of the Australian Information Commissioner’s “Data breach notification guide: a guide to handling personal information security breaches”
NDB Act
The Act and Australian Privacy Principals (Schedule 1 of the Act)

This document should be read in conjunction with LWC’s Privacy Policy.

Process where a data breach occurs or is suspected

3.1 Alert

Where a privacy data breach is known to have occurred (or is suspected) any member of LWC staff who becomes aware of this must, within 24 hours, alert Senior Management.

The Information that should be provided (if known) at this point includes:

When the breach occurred (time and date)
Description of the breach (type of personal information involved)
Cause of the breach (if known) otherwise how it was discovered
Which system(s) if any are affected?
Which individual / department / institute is involved?
Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)

A template can be found at Annexure A to assist in documenting the required information.

3.2 Assess and determine the potential impact

Once notified of the information above, Senior Management must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Coordinator should be contacted for advice.

3.2.1 Criteria for determining whether a privacy data breach has occurred.

a) Is personal information involved?

b) Is the personal information of a sensitive nature?

Has there been unauthorized access to personal information, or unauthorized disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?

For the purposes of this assessment the following terms are defined in section 8 of the Privacy Policy: personal information, sensitive information, unauthorized access, unauthorized disclosure and loss.

3.2.2 Criteria for determining severity

a) The type and extent of personal information involved

b) Whether multiple individuals have been affected

c) Whether the information is protected by any security measures (password protection or encryption)

d) The person or kinds of people who now have access

e) Whether there is (or could there be) a real risk of serious harm to the affected individuals

f) Whether there could be media or stakeholder attention as a result of the breach or suspect breach.

With respect to 3.2.2(e) above, serious harm could include physical, physiological, emotional, economic/financial or harm to reputation and is defined in section 8 of the Privacy Policy and section 26WG of the NDB Act.

Having considered the matters in 3.2.1 and 3.2.2, Senior Management delegate to one Senior Manager within 24 hours of being alerted under 3.1.

3.3 Senior Manager to issue pre-emptive instructions

On receipt of the communication by Senior Management under 3.2, the delegated Senior Manager will take a preliminary view as to whether the breach (or suspected breach) may constitute a NDB. Accordingly, the delegated Senior Manager will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team). This will depend on the nature and severity of the breach.

3.3.1 Data breach managed at the Individual / Department / Institute level

Where Senior Management instructs that the data breach is to be managed at the local level, the relevant Senior Manager must:

Ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorized access, shutting down or isolating the affected system); and
Submit a report via the Privacy Coordinator within 48 hours of receiving instructions under 3.3. The report must contain the following:
- Description of breach or suspected breach
- Action Taken
- Outcome of action
- Processes that have been implemented to prevent a repeat of the situation
- Recommendation that no further action is necessary

The delegated Senior Manager will be provided with a copy of the report and will sign-off that no further action is required.

The report will be logged by the General Manager.

3.3.2 Data breach managed by the Response Team

Where the delegated Senior Manager instructs that the data breach must be escalated to the Response Team, they will convene with the Response Team and notify the General Manager.

The response team will consist of:

Senior Management Team & Duty Managers.

3.4 Primary role of the Response Team

There is no single method of responding to a data breach and each incident must be dealt with on a case by case basis by assessing the circumstances and associated risks to inform the appropriate course of action.

The following steps may be undertaken by the Response Team (as appropriate):

Immediately contain the breach (if this has not already occurred). Corrective action may include: retrieval or recovery of the personal information, ceasing unauthorized access, shutting down or isolating the affected system.
Evaluate the risks associated with the breach, including collecting and documenting all available evidence of the breach having regard for the information outlined in sections 3.2.1 and 3.2.2 above.
Call upon the expertise of, or consult with, relevant staff in the particular circumstances.
Engage an independent cyber security or forensic expert as appropriate.
Assess whether serious harm is likely (with reference to section 3.2.2 above and section 26WG of the NDB Act)
Make a recommendation to the General Manager whether this breach constitutes an NDB for the purpose of mandatory reporting to the OAIC and the practicality of notifying affected individuals.
Consider developing a communication or media strategy including the timing, content and method of any announcements to members, staff or the media.

The Response Team must undertake its assessment within 48 hours of being convened.

The delegated Senior Manager will provide periodic updates to the General Manager as deemed appropriate.

3.5 Notification

Having regard to the Response team’s recommendation in 3.4 above, the General Manager will determine whether there are reasonable grounds to suspect that an NDB has occurred.

If there are reasonable grounds, the General Manager must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).

A template can be found at Annexure B.

If practicable, LWC must also notify each individual to whom the relevant personal information relates. Where impracticable, LWC must take reasonable steps to publicise the statement (including publishing on the website).

The prescribed statement will be logged by the General Manager.

LWC recognizes that notification to individuals / organisations affected by a data breach can assist in mitigating any damage for those affected individuals / organisations and reflect positively on LWC’s reputation. Notification demonstrates a commitment to open and transparent governance, consistent with LWC’s approach. The LWC adopts the approach that if the data breach creates a real risk of serious harm to the individual, the affected individuals should be notified. Prompt notification in these cases can help avoid or lessen the damage by enabling the individual/organization to take steps to protect themselves.

There are occasions where notification can be counter-productive. For example, information collected may be less sensitive and notifying individuals may cause unnecessary anxiety and de-sensitize individuals to a significant privacy breach.

Factors LWC will consider when deciding whether notification is appropriate include:

What is the risk of harm to the individual / organization?
What steps has LWC taken to date to avoid or remedy any actual or potential harm?
What is the ability of the individual / organization to take further steps to avoid or remedy harm?
Even if the individual / organization would not be able to take steps to rectify the situation, is the information that has been compromised sensitive, or likely to cause humiliation or embarrassment for the individual / organization?
Are there any applicable legislative provisions or contractual obligations that require the LWC to notify affected individuals?

The logistics of notifying affected individuals / organisations will depend in large part on the type and scale of the breach, as well as immediately practical issues such as having contact details for the affected individuals / organisations. Considerations include the following:

3.5.1 When to notify

In general, individuals/organisations affected by the breach should be notified as soon as practicable. Circumstances where it may be appropriate to delay notification include where notification would compromise an investigation into the cause of the breach or reveal a software vulnerability.

3.5.2 How to notify

Affected individuals/organisations should be notified directly - by telephone, letter, email or in person. Indirect notification – such as information posted on the LWC website, a public notice in a newspaper, or a media release – should generally only occur where the contact information of affected individuals/organisations are unknown, or where direct notification is prohibitively expensive or could cause further harm (for example, by alerting a person who stole the laptop as to the value of the information contained).

3.5.3 What to say

The notification advice will be tailored to the circumstances of the particular breach.

Content of a notification could include:

• information about the breach, including when it happened

• a description of what data has been disclosed

• assurances (as appropriate) about what data has not been disclosed

• what the agency is doing to control or reduce the harm

• what steps the person/organisation can take to further protect themselves and what LWC will do to assist people with this

• contact details for the IPC for questions or requests for information

• the right to lodge a privacy complaint with the Privacy Commissioner, the template at Annexure C will form the basis of this action.

3.6 Secondary Role of the Response Team

Once the matters referred to in 3.4 and 3.5 have been dealt with, the Response Team should turn attention to the following:

Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence – this may involve a review of policies, processes, refresher training.
Prepare a report for submission to Senate.
Consider the option of an audit to ensure necessary outcomes are effected and effective.

Updates to this procedure

This procedure is scheduled to be reviewed every five years or more frequently if appropriate.

Contact Details

Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:

Senior Management

E: privacy@workies.com.au

W: www.workies.com.au/about/privacy_policy_and_procedure

T: 02 6350 7777

P: PO Box 747, Lithgow NSW 2790

Annexure A

DATA BREACHES PROCESS FORM

Background:

A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.

This form will assist LWC Staff in documenting the process where a data breach occurs, or is suspected, as per section 3 of the Data Breach Procedure & Response Plan (the Procedure).

If you require assistance with completing this form, contact the Senior Management immediately.

E: privacy@workies.com.au

T: 02 6350 7706

Section 1: Alert

LWC Staff are required to alert Senior Management within 24 hours of a data breach, or a suspected data breach, in accordance with section 3.1 of the Procedure.

Date of Breach: _____________________________________________________________________

Time of Breach:_____________________________________________________________________

Description of Breach: [Describe the type of personal information involved eg contact details, date of birth] __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Cause of breach: [If unknown, explain how the data breach was discovered] __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Which system(s), if any, are affected?

Which individual / department / institute is involved?

Has corrective action occurred to remedy or ameliorate the breach or suspected breach? If so, what?

Alert made by: ______________________________________________________________________

Date: _____________________________________________________________________________

Section 2: Assessment and Determination of Potential Impact

Senior Management must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The General Manager should be contacted for advice.

Senior Management must notify the General Manager with their Assessment and Determination of receipt of the Alert, in accordance with section 3.2 of the Procedure.

Alert received by:

Name: ____________________________________________________________________________

Date: _____________________________________________________________________________

Criteria for determining whether a privacy data breach has occurred

Is personal information* involved?YesNo

Is the personal information of a sensitive* nature?YesNo

Has there been unauthorized access* to personal information, or disclosure* of personal information, or loss* of personal information in circumstances where access to the information is likely to occur?YesNo

Criteria for determining severity

Describe the type and extent of personal information involved:

Have multiple individuals been affected?Yes No

If Yes, provide further details: ______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Confirm whether the information is protected by any security measures:

If Yes, provide further details:

Provide details on the person or kinds of people who now have access:

Determine whether there is (or could be) a real risk of serious harm* to the affected individuals:

Determine whether there could be media or stakeholder attention as a result of the breach or suspected breach:

*Refer to Section 8 of LWC’s Privacy Policy for definitions.

Section 3: Pre-emptive instructions by the delegated Senior Manager.

Under section 3.3 of the procedure, the designated Senior Manager will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team, depending on the nature and severity of the breach.

Notification received by:

Name: ____________________________________________________________________________

Date: _____________________________________________________________________________

Determination:

How the data breach is to be managed:

______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Any further instructions issued by the delegated Senior Manager:

Date of Instruction: __________________________________________________________________

Section 4: Data breach managed at Individual / Department / Institute Level

Where the delegated Senior Manager instructs that the data breach is to be managed at the local level, Senior Management must submit a report within 48 hours of receiving instructions from the delegated Senior Manager, in accordance with Section 3.3.1 of the Procedure.

Description of breach:

Action taken:

Outcome of action:

Processes implemented to prevent repeat of the situation

Any other information of relevance

Recommendation to the General Manager [eg No further action is necessary]

Report submitted by: ________________________________________________________________

Date: _____________________________________________________________________________

General Manahers determination that no further action is necessary Yes No

Signed: ____________________________________________________________________________

Date: _____________________________________________________________________________

Annexure B

Notifiable Data Breach Statement

This statement must be submitted to the Office of the Australian Information Commissioner as soon as practicable after becoming aware of the notifiable data breach (and no later than 30 days), in accordance with section 3.5of the Data Breach Procedure & Response Plan.

Part 1 Refers to requirements set out in section 26WK of the Privacy Amendment (Notifiable Data Breaches) Act 2017

Organisation Name __________________________________________________________________

Contact Name ______________________________________________________________________

Contact Phone Number ______________________________________________________________

Address ___________________________________________________________________________

Description of the Notifiable Data Breach that ACU has reasonable grounds to believe has happened

Kind(s) of personal information involved in the data breach

Financial Details

Contact Information

Other Sensitive Information

Steps ACU recommends that individuals take to reduce the risk that they experience serious harm as a result of this data breach

Other entities affectedYesNo

Contact details: _____________________________________________________________________

Part 2 The information that ACU provides on part two of the form does not need to be included in the notification(s) to affected individuals, and ACU may request that it be held in confidence by the OAIC.

Date the breach occurred _____________________________________________________________

Date the breach was discovered ________________________________________________________

Primary cause of the data breach

Malicious or criminal attack

System Fault

Human Error

Description of how the data breach occurred

Number of individuals whose personal information is involved in the data breach

Description of any action ACU has taken to assist individuals whose personal information was involved in the data breach

Description of any action ACU has taken to prevent reoccurrence

How does ACU intend to notify individuals who are likely to be at risk of serious harm as a result of the data breach?

When will this occur?

List any other data protection authorities, law enforcement bodies or regulatory bodies that you have reported this data breach to:

Annexure C

Template Correspondence

Dear [name]

I am writing to you with important information about a recent data breach involving your personal information / information about your organization. The Office of the Australian Information Commissioner (OAIC) became aware of this breach on [date]

The breach occurred on or about [date] and occurred as follows:

(Describe the event including as applicable the following):

A brief description of what happened.
Description of the data that was inappropriately accessed, collected, used or disclosed.
Risk(s) to the individual / organization caused by the breach.
Steps the individual / organization should take to protect themselves from potential harm from the breach.
A brief description of what LWC is doing to investigate the breach, control or mitigate harm to individuals / organisations and to protect against further breaches.

We have established a section on our LWC website www.workies.com.au/updatedinfo with updated information and links to resources that offer information about this data breach.

We take our role in safeguarding your data and using it in an appropriate manner very seriously. Please be assured that we are doing everything we can to rectify the situation.

Please note that you are entitled to register a complaint with the Office of Australian Information Commissioner with regards to this breach. Complaints may be forwarded to the following;

Senior Management

E: privacy@workies.com.au

M: PO Box 747, Lithgow NSW 2790

Or via

https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint

Should you have any questions regarding this notice or if you would like more information, please do not hesitate to contact me.

Regards

[Insert applicable name and contact information]