Privacy Data Breach Response Plan

Section 1 - Purpose and Context

(1) This Plan sets out the procedures to be followed by University staff in response to suspected, actual or eligible breaches of University held data.

(2) The purpose of this Plan is to enable the University to meet its statutory obligations under the Mandatory Notification of Data Breach (MNDB) Scheme in Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) and as a Tax File Number Recipient in Part IIIC of the Privacy Act 1988 (Cth) by:

  1. identifying, containing, escalating, assessing and responding to data breaches; and notifying impacted individuals and reporting eligible data breaches, in a timely manner
  2. proactively mitigating and remediating potential harm to affected individuals
  3. documenting its processes and data breach responses
  4. identifying the staff roles and responsibilities, reporting lines and points of contact in the event of a data breach
  5. identifying the staff responsible for managing the data breach response
  6. setting out record-keeping requirements, including maintaining an internal incident register of data breaches (in accordance with 59ZE(2) of PPIPA), and a public notification register of eligible data breaches (in accordance with 59N(2) of PPIPA) and
  7. reviewing, post-breach, and considering what actions can be taken to prevent future breaches

(3) Effective breach management, including notification where warranted, assists the University to avoid or reduce possible harm to both the affected individuals and the University, and may prevent future breaches.

(4) This Plan applies to all University employees, students, contractors, affiliates, volunteers, associates and University controlled entities.

(5) This Plan should be read in conjunction with the University's Privacy Policy, Privacy Management Plan as well as the following University policy documents:

  1. Acceptable Use of Digital Services Policy
  2. Business Continuity Management Policy
  3. Compliance Policy
  4. Cyber Security Policy
  5. Digital Information Security Policy

(6) A data breach may or may not involve disclosure of information external to the University or publicly. For example, unauthorised access to personal information by a University employee, or unauthorised sharing of personal information between teams within the University, may amount to a data breach.

(7) A data breach may occur as the result of malicious action, systems failure, or human error. A data breach may also occur because of a misconception about whether a particular act or practice is permitted under Privacy Legislation.

(8) Examples of data breaches include:

  1. Human error, such as but not limited to:
    1. When a document or email is sent to the wrong recipient
    2. When system access is incorrectly granted to someone without appropriate authorisation
    3. When a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information is lost or misplaced
    4. When staff fail to implement appropriate password security, for example not securing passwords or sharing passwords and login information
  2. System failure, such as but not limited to:
    1. Where a coding error allows access to a system without authentication, or results in automatically generated notices including the wrong information or being sent to incorrect recipients
    2. Where systems are not maintained through the application of known and supported patches
  3. Malicious or criminal attack, such as but not limited to:
    1. Cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to, or theft of, personal information
    2. Social engineering or impersonation leading to inappropriate disclosure of personal information
    3. Insider threats from University employees or contractors using their valid credentials to access or disclose personal information outside the scope of their duties or permissions
    4. Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information

Section 2 - Definitions

(9) The following definitions apply for the purposes of this Plan:

  1. ‘CISO’ means the Chief Information and Security Officer
  2. ‘DBRT’ means the Data Breach Response Team
  3. ‘Data’ means University-held personal or health information
  4. A ‘data breach’ occurs when personal or health information held by the University (whether held in digital or hard copy) is subject to unauthorised access, unauthorised disclosure or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure.
  5. An ‘eligible data breach’ has the same meaning as described in clause 59D of PPIPA:
    1. there is an unauthorised access to, or unauthorised disclosure of, personal information held by the University and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, or
    2. personal information held by the University is lost in circumstances where:
      1. unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
      2. if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates
  6. ‘Health information’ has the same meaning as in the Health Records and Information Privacy Act 2002 (NSW), as articulated in the University's Privacy Policy
  7. ‘Health Privacy Principles’ means the principles set out in Schedule 1 of the Health Records and Information Privacy Act 2002 (NSW)
  8. ‘HRIPA’ means the Health Records and Information Privacy Act 2002 (NSW)
  9. ‘Information Protection Principles’ means the principles set out in Part 2 Division I of the Privacy and Personal Information Protection Act 1998 (NSW)
  10. ‘MNDB’ refers to the Mandatory Notification of Data Breach (MNDB) Scheme in Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW)
  11. ‘Personal information’ has the same meaning as in the Privacy and Personal Information Protection Act 1998 (NSW) as articulated in the Privacy Policy
  12. ‘PPIPA’ means the Privacy and Personal Information Protection Act 1998 (NSW)
  13. ‘Privacy Management Plan’ means the University's Privacy Management Plan pursuant to s.33 of the PPIPA
  14. ‘University held’ means data held by the University and its contracted third parties.

Section 3 - Policy Statement

(10) As set out in its Privacy Policy, the University is committed to respecting the privacy of individuals, creating a privacy culture and promoting fair and compliant information handling practices in its educational, research, engagement, and administrative procedures and activities.

(11) The University will meet its statutory requirements for mandatory notifiable data breach reporting under the Privacy and Personal Information Protection Act 1998 (NSW) and the Privacy Act 1988 (Cth).

(12) All staff must comply with and implement the University's Privacy Policy, Information Protection Principles, Health Information Principles, the University's Privacy Management Plan and this Plan, and ensure staff under their supervision, or students under their direction, are made aware of their obligations under these principles and documents.

Data Breach Response Team

(13) The Vice-Chancellor and President, as head of the University (a public sector agency for the purposes of PPIPA), delegates to the Data Breach Response Team (DBRT) the exercise of the Vice-Chancellor's functions arising under Part 6A of PPIPA.

(14) Where there is a data breach and the preliminary assessment by the Privacy Officer is that serious harm is possible, the assessment of whether there is an Eligible Data Breach will be determined by the DBRT. The assessment will be carried out in accordance with the Guidelines issued by the Privacy Commissioner under Part 6A of PPIPA.

(15) The Data Breach Response Team will comprise the following staff, or their nominees:

  1. Privacy Officer (convenor)
  2. Chief Information and Security Officer
  3. Chief Information and Digital Officer
  4. University Secretary
  5. Director, Governance Services
  6. University General Counsel
  7. Director, Compliance
  8. Executive Director, Equity, Safety and Wellbeing
  9. Senior Program Lead, Business Continuity and Resilience (issue dependent)

(16) Depending on the severity of the incident, the DBRT may coopt additional members, including third parties, into the team to investigate the breach or to assist in responding to the data breach, such as:

  1. Executive Director, Employment Relations (or nominee) where the data breach involves employee information
  2. Director, Data Integrity, Quality and Operations (or nominee) where the data breach affects large numbers of students
  3. Insurance specialist (or nominee) where the data breach is potentially covered by insurance
  4. Manager, Records and Archives Management Services (or nominee) where the data breach affects University records
  5. Pro Vice-Chancellor, Research (or nominee) where the data breach affects human research data
  6. External suppliers where the data breach involved a third-party supplier or contractor

(17) All suspected or actual breaches will be dealt with expeditiously and assessments must be completed within 30 days (unless an extension is approved under section 59K of PPIPA) after the breach is first suspected.

(18) If the breach may reach the threshold of a crisis as defined in the Business Continuity and Crisis Management Framework which supports the University's Business Continuity Management Policy, the breach must be referred to the Crisis Management Team.

Section 4 - Procedures

Part A - Report Suspected or Actual Data Breach

(19) Any University employee, student, contractor, affiliate, volunteer or associate who becomes aware of a suspected or actual data breach must immediately inform the University's Privacy Officer. Employees should also immediately advise their unit head and, if the data breach involves any University systems (for example, suspected or actual hacking), that person should also immediately report it to the CISO.

(20) The University's Privacy Officer will, in consultation with the relevant unit head and, where applicable, the CISO and/or the University General Counsel, decide the next steps taking into account the extent and seriousness of the suspected or actual breach.

Part B - Initial Assessment of Data Breach

(21) Upon being informed of a suspected or actual breach, the Privacy Officer will assess the situation and determine whether, or confirm that, a breach has occurred.

(22) In determining whether a breach has occurred the Privacy Officer may, as necessary, convene discussions with relevant stakeholders, and collate and review any relevant information.

Part C - Containment and Remediation of a System Breach

(23) For breaches of University systems, the CISO is responsible for taking immediate action to contain the breach and remediate harm, including by seeking assistance from the appropriate business units or third parties as necessary.

(24) The CISO must take reasonable steps to preserve and/or record evidence of a suspected or actual data breach.

Part D - Assessment, Escalation and Data Breach Response Team

Assessment

(25) The University's Privacy Officer will, in conjunction with other University staff as necessary, assess risks associated with the breach, including:

  1. cause and extent
  2. type and level of exposure (for example, risk to public health or safety, financial, reputational)
  3. risk of further exposure
  4. number and identity of individuals affected (including whether they are University staff, students, alumni or others)

No Serious Harm Likely

(26) If the Privacy Officer's investigation and preliminary findings determine that the incident is a data breach but that serious harm is unlikely then the Privacy Officer will:

  1. record the incident on the University's data breach register
  2. work with the Unit where the breach occurred, to advise the parties whose personal information was the subject of the breach, including the nature of the personal information and their rights under PPIPA
  3. undertake all other action as reasonably necessary to close out the incident appropriately in alignment with the relevant clauses in the University's Privacy Management Plan

Serious Harm Likely

(27) If the Privacy Officer's investigation and preliminary findings determine that the incident is a data breach and that serious harm is possible, the Privacy Officer will convene a meeting of the DBRT as soon as possible for further assessment.

(28) The DBRT will assess the breach to determine if it is an eligible data breach under the Mandatory Notification of Data Breach (MNDB) Scheme in Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) and/or as a Tax File Number Recipient in Part IIIC of the Privacy Act 1988 (Cth). If the breach is assessed as such, the DBRT will ensure that the University meets its legislated obligations.

(29) The DBRT, or the Privacy Officer on the DBRT's behalf, must keep a record of all steps taken in response to the data breach and decisions made in connection with it. This includes keeping a record of all steps taken during the preliminary investigation and subsequent assessment and ensuring that any relevant evidence of the data breach (such as computer imaging and forensic investigation) is preserved and securely stored. Evidence and records will be sufficient to demonstrate to regulators the reasonable steps taken to comply with statutory and legal obligations.

Part E - Assessing ‘Serious Harm’

(30) In assessing whether the data breach is likely to cause serious harm to affected individuals the following matters must be taken into account.

(31) Harm includes:

  1. physical, economic, financial or material harm; and/or
  2. emotional or psychological harm; reputational harm; and/or
  3. other forms of serious harm that a reasonable person in the University's position would identify as a possible outcome of the data breach

(32) This may include the possibility of any or all of the following:

  1. identity theft
  2. financial fraud
  3. misuse of health information
  4. embarrassment, discrimination or blackmail

(33) Serious harm occurs where the harm arising from the eligible data breach has resulted, or may result, in a real and substantial detrimental effect to the individual.

(34) Harms that can arise as the result of a data breach are context-specific and will vary based on:

  1. the type of personal information accessed, disclosed or lost, and whether a combination of types of personal information might lead to increased risk
  2. the level of sensitivity of the personal information accessed, disclosed or lost
  3. the amount of time the information was exposed or accessible, including the amount of time information was exposed prior to the University discovering the breach
  4. the circumstances of the individuals affected and their vulnerability or susceptibility to harm (that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm)
  5. the circumstances in which the breach occurred and
  6. actions taken by the University to reduce the risk of harm following the breach

Part F - Notification Procedures

(35) If during the initial assessment the Privacy Officer or the DBRT determines the data breach to be an eligible data breach, the University must give immediate notification to the NSW Privacy Commissioner and, except if exempted under Part 6A, Division 4 of PPIPA, all affected individuals as soon as practicable after the University becomes aware of the eligible data breach.

(36) The Privacy Officer will give the notification providing the required information as follows:

  1. NSW Information Privacy Commission using the IPC Mandatory Data Breach Reporting Form
  2. The Office of the Australian Information and Privacy Commissioner using the OAIC Notifiable Data Breach Form

(37) If there has been an eligible data breach, the DBRT is responsible for assessing the options available for notifying affected individuals of the data breach. The notification to affected individuals must include:

  1. how and when the data breach occurred
  2. the types of personal information involved in the data breach
  3. what the University has done or will be doing to reduce or eliminate the risk of harm brought about by the data breach
  4. any assurances (if applicable) about what data has not been disclosed (that is, if a breach only affects an individual's basic identity or contact information, but not their financial information or any sensitive information)
  5. what steps the individuals can take to protect themselves and what the University will do to assist people to do this (if applicable)
  6. contact details at the University for questions or requests for information or assistance (for example, helpline numbers, e-mail addresses or websites)
  7. whether the University has notified the IPC about the data breach and
  8. how individuals can lodge a privacy complaint with the IPC

(38) The notification to affected individuals must be approved and signed by the Convenor of the DBRT prior to being sent out to the relevant persons. Once approved, the Convenor of the DBRT is responsible for sending out the notification to individuals and/or delegating the responsibility to the appropriate business unit. The DBRT must keep a record of the date, time and method of notification to each individual.

(39) The DBRT must consider whether any of the following should be notified of the suspected or actual data breach:

  1. employees, students, contractors, affiliates, volunteers, associates or University controlled entities
  2. Cyber Insurer
  3. Any third-party organisations or agencies whose data may be affected
  4. NSW Police Force
  5. NSW Department of Customer Service
  6. Cyber Security NSW
  7. The Office of the Australian Information Commissioner
  8. Australian Government Department of Education
  9. Australian Government Department of Home Affairs
  10. Australian Federal Police
  11. The Australian Taxation Office
  12. The Australian Digital Health Authority
  13. The Department of Health
  14. The Office of the Government Chief Information Security Officer
  15. The Australian Cyber Security Centre
  16. Financial services providers
  17. Professional associations, regulatory bodies or insurers
  18. Foreign regulatory agencies

(40) If the DBRT determines that additional notification is appropriate, approval from the Convenor of the DBRT must be obtained before such notification is made.

Part G - Review and Breach Report

(41) The Privacy Officer is responsible for conducting a post-breach review and assessment. In conducting the review, the Privacy Officer must:

  1. seek informal input and assistance from the CISO, members of the DBRT and other business units, as required
  2. complete any further investigations as necessary or desirable
  3. determine whether any data handling or data security practices led or contributed to the relevant data breach
  4. consider whether there are any further actions that need to be taken as a result of the relevant data breach, such as:
    1. updating security measures
    2. reviewing and updating this data breach response plan
    3. making appropriate changes to practices, systems, other processes, policies and procedures
    4. revising staff training practices
    5. reviewing external vendors' security/contract terms and ongoing engagement and
    6. considering undertaking an audit to ensure necessary outcomes are implemented
  5. then as soon as reasonably practicable prepare a written report on each notifiable breach setting out:
    1. a chronology of all relevant events
    2. a summary of all steps taken in response and
    3. findings and recommendations for further actions.

(42) The Report must be provided to the Data Breach Response Team.

(43) The Privacy Officer must update the Data Breach Register and record the report on the University's system of record.

Part H - Review of Data Breach Response

(44) This Plan and the Reports on Eligible Data Breaches will be reviewed annually by the DBRT together with:

  1. annual review and testing of the data breach response process in this Plan
  2. staff training and communications to prevent data breaches
  3. adjustments of auditing or monitoring of staff to prevent data breaches
  4. adjustments to any staff policies or procedures to prevent data breaches
    1. the introduction of new controls or restrictions on staff access to prevent data breaches
  5. applying any additional security protections to protect personal information (for example, encryption)
  6. monitoring of third-party contracts and the contractual controls for ensuring stakeholders comply with privacy and data breach requirements under PPIPA, HRIPA and the Privacy Act 1988 (Cth)

Section 5 - Guidelines

(45) Information about privacy issues at the University, including guidance notes on eligible data breaches can be obtained via the University's Privacy website.

  1. The Information Protection Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Information Protection Principles (IPPs) – PPIP Act.
  2. The Health Privacy Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Health Privacy Principles (HPPs) – HRIP Act.
  3. Visit the Information and Privacy Commission website for more information.