91ÌÒÉ« Data Breach Policy

91ÌÒÉ« Data Breach Policy and Public Notification Register

Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) sets out obligations of public sector agencies, including 91ÌÒÉ«, in relation to data breaches involving personal information.

These obligations include a requirement to prepare and publish a data breach policy and to keep a register of public notifications made to affected individuals.

The Data Breach Policy outlines the approach taken by 91ÌÒÉ« to comply with the Mandatory Notification of Data Breach (MNDB) Scheme provisions outlined in Part 6A of the PPIP Act.

Further information and resources on the MNDB Scheme are available on the website of the .

Data Breach Policy

Effective from July 2024

1. Purpose

The purpose of this policy is to provide guidance to 91ÌÒÉ« personnel and others involved in managing a data breach.

This policy outlines the broad principles and requirements that 91ÌÒÉ« personnel, including employees and contractors, must comply with in responding to data breaches, as defined in this policy, including ‘eligible data breaches’ under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

91ÌÒÉ« is committed to best-practice management of the personal information it collects and holds, and to the management of data breaches in accordance with Part 6A of the PPIP Act. Data breaches can result in serious harm to the individuals whose personal information is involved, damage 91ÌÒɫ’s reputation and result in a breach of 91ÌÒɫ’s legal obligations.

91ÌÒÉ« is required to prepare and publish this data breach policy under section 59ZD of the PPIP Act.

91ÌÒɫ’s Data Breach Response Plan sets out the detailed procedure for managing and responding to data breaches and should also be referred to in the event of a data breach.

Where a data breach is also a cyber security incident, 91ÌÒɫ’s Crisis Management Policy and related procedures will also apply.

2. Scope

This policy applies to:

  • employees (ongoing, temporary and casual, including those on secondment)
  • contractors (including employees, agents or subcontractors engaged by a contractor)
  • agency staff engaged to perform work for, or provide services on behalf of, 91ÌÒÉ«
  • work experience students and volunteers
  • consultants where their engagement requires adherence to 91ÌÒɫ’s Code of Conduct
  • any other authorised person accessing 91ÌÒɫ’s systems, networks and/or information

all collectively defined as ‘91ÌÒÉ« personnel’.

This policy will be reviewed and updated annually, or more frequently if required.

3. Definitions

  • Assessor – a person directed by the Privacy Officer to carry out an assessment of a data breach.
  • Crisis Management Team – a team consisting of 91ÌÒÉ« staff assembled to coordinate 91ÌÒɫ’s response to a cyber security and/or data breach incident (whether an eligible data breach or not).
  • Cyber security incident – an occurrence or activity that may threaten the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it.
  • Data breach – the unauthorised access to, unauthorised disclosure of, or a loss of, personal information held by 91ÌÒÉ«.
  • Eligible data breach – a data breach likely to result in serious harm to individuals whose personal information is involved in the data breach.
  • HRIP Act – the Health Records and Information Privacy Act 2002 (NSW).
  • Personal information – information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. In this policy, personal information also encompasses health information within the meaning of the HRIP Act and includes information about an individual’s physical or mental health, or disability, or information connected to the provision of a health service to an individual.
  • PPIP Act – the Privacy and Personal Information Protection Act 1998 (NSW).

4. Roles and responsibilities

91ÌÒÉ« personnel must:

  • ensure that they have read this policy and the Data Breach Response Plan and that they understand what is expected of them
  • comply with the PPIP Act and HRIP Act including protecting personal information held by 91ÌÒÉ« from unauthorised access, disclosure or loss
  • immediately report a data breach or suspected data breach to the Privacy Officer
  • respond to requests for information from, and cooperate with, the Privacy Officer and/or the Crisis Management Team
  • otherwise comply with this policy and the Data Breach Response Plan.

The Privacy Officer is responsible for:

  • assessing the severity of data breaches involving personal information and the likelihood that a breach will result in serious harm to an individual to whom the information involved relates, and notifying the Privacy Commissioner, affected persons and others where required
  • immediately reporting all data breaches that are also cyber security incidents to the Chief Information Security Officer, if they have not already been reported.

The Chief Information Officer is responsible for:

  • immediately reporting all cyber security incidents that are also data breaches to the Privacy Officer, if they have not already been reported
  • implementing the Crisis Management Plan and related procedures if the data breach is also a cyber security incident.

A Crisis Management Team will be assembled for any data breach.

The Crisis Management Team will manage and provide advice to the Managing Director (or delegate) in relation to the data breach response.

People, known as assessors, may also be directed by the Privacy Officer to carry out an assessment of the data breach.

5. How 91ÌÒÉ« has prepared for a data breach

91ÌÒÉ« has implemented a range of measures to ensure that it is prepared in the event of a data breach, including the following:

  • developing detailed operational plans and procedures to support this policy in the event of a data breach. Those operational plans and procedures are to be made available to relevant staff.
  • scheduling annual review and updating of this policy, or more frequent review and updating if needed
  • implementing a requirement for all 91ÌÒÉ« Personnel to complete annual privacy awareness training that outlines their responsibilities in relation to collecting, storing, using and disclosing personal information
  • implementing a Cyber Security Awareness program
  • implementing a requirement for staff to classify information in accordance with 91ÌÒɫ’s Information Classification, Labelling and Handling guidelines
  • ensuring that, when entering into contracts that involve suppliers handling personal information on behalf of 91ÌÒÉ«, there are appropriate contractual provisions in place that require the supplier to handle personal information appropriately and securely and to provide assistance to 91ÌÒÉ« in dealing swiftly and effectively with a data breach impacting that personal information
  • carrying out cyber security risk assessments for procurement and use of digital products, tools, and vendors
  • implementing a suite of cyber security policies, standards, procedures, and guidelines
  • regularly exercising its preparation in line with the Crisis Management Policy.

6. Data breaches

6.1 What is a data breach?

A data breach occurs when there is unauthorised access to, unauthorised disclosure of, or a loss of, personal information held by 91ÌÒÉ«.

A data breach does not need to originate outside 91ÌÒÉ«. A data breach can occur within 91ÌÒÉ«, or be caused by an external person accessing data held by 91ÌÒÉ« without authorisation.

Personal information means information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. In this policy, personal information also comprises health information within the meaning of the HRIP Act and includes information about an individual’s physical or mental health, or disability, or information connected to the provision of a health service to an individual.

A data breach can be caused in various ways, including by malicious actions, human error or a failure in information handling or security systems.

Examples of data breaches include:

  • malware infection affecting personal information
  • access to user accounts gained through successful phishing
  • attempts to gain unauthorised access to personal information held on 91ÌÒɫ’s IT systems
  • the accidental loss or theft of a paper record, laptop, or USB stick containing personal information
  • an email containing personal information sent to the wrong recipient
  • an employee using work systems to look up someone else’s personal information for non-work-related reasons.

6.2 Impact of data breaches

The impact of a data breach depends on the nature and extent of the breach and the type of data that has been compromised.

A data breach can result in serious harm to an impacted individual whether the breach affects one person or several thousand.

Harm can be physical, psychological, emotional, financial or reputational.

Examples of harms include:

  • identity theft
  • financial loss
  • blackmail
  • threats to personal safety
  • humiliation
  • stigma
  • embarrassment
  • damage to reputation or relationships.

91ÌÒÉ« may also be negatively impacted by a data breach and may experience:

  • reputational damage
  • financial loss
  • loss of public trust in 91ÌÒÉ« or the services it provides
  • threats to 91ÌÒɫ’s systems.

6.3 Reporting of data breaches

All data breaches or suspected data breaches identified by 91ÌÒÉ« Personnel must be reported immediately to the Privacy Officer or the Chief Information Officer.

The requirement to report data breaches includes any breaches that have already been contained, for example, if a stolen laptop has been recovered, or lost hard copy files returned.

Members of the public can also report actual or suspected data breaches to 91ÌÒÉ«.

6.4 Eligible data breaches

A data breach that results in a likelihood of serious harm to an individual to whom the information relates is an eligible data breach.

An eligible data breach must be reported to the NSW Privacy Commissioner and in some cases also to the Office of the Australian Information Commissioner.

Impacted individuals must also be notified.

All notifications of eligible data breaches will be carried out by the Privacy Officer.

7. Data breach response process

91ÌÒÉ« personnel must respond to a data breach in accordance with the Data Breach Response Plan, and if the data breach is also a cyber security incident, in accordance with the Crisis Management Policy and related procedures.

The response to a data breach will involve:

Containment

All reasonable efforts will immediately be made to contain the breach and preliminary fact-finding will be carried out.

Assessment

An assessment will be carried out to determine the severity of the breach and the likelihood that the breach will result in serious harm to an individual to whom the information involved relates (that is, to determine whether the breach is an ‘eligible data breach’). Simultaneously, steps will be taken with the aim of mitigating harm resulting from the breach.

Notification

  1. If the assessment concludes that the breach is likely to result in serious harm to an individual to whom the information relates (and so is an eligible data breach), the NSW Privacy Commissioner will immediately be notified of the breach and, unless an exemption applies, individuals affected by the breach will also be notified as soon as practicable.
  2. Where 91ÌÒÉ« is unable to notify, or where it’s not reasonably practicable to notify, any or all individuals whose personal information was the subject of the breach, 91ÌÒÉ« will publish a notification on its website in a public notification register and will take reasonable steps to publicise that notification.
  3. If the data breach involves tax file numbers, the Australian Information Commissioner may also be notified if required by the Privacy Act 1988 (Cth).
  4. If the breach is not an eligible data breach, consideration will be given to notifying individuals and the NSW Privacy Commissioner.

Review

A review of the breach will be carried out, including to identify steps that may be taken to prevent future breaches. All eligible data breaches will be added to 91ÌÒɫ’s internal register of eligible data breaches, as required under the PPIP Act.

The Crisis Management Team will coordinate 91ÌÒɫ’s response to the breach.

8. Contacts

8.1 91ÌÒÉ«

Members of the public should report data breaches involving 91ÌÒÉ« by completing an online enquiry form or by emailing privacy@uac.edu.au.

91ÌÒÉ« staff should report data breaches by emailing privacy@uac.edu.au.

8.2 External

Information and Privacy Commission
1800 472 679
ipcinfo@ipc.nsw.gov.au

Office of the Australian Information Commissioner
1300 363 992
enquiries@oaic.gov.au

Register of Public Notifications

The PPIP Act requires 91ÌÒÉ« to keep a register of all public notifications of eligible data breaches and to make that register available on its website.

A public notification is provided when it is not reasonably practicable to notify any or all of the individuals affected by the breach directly.

Register of all public notifications made by 91ÌÒÉ« in the previous 12 months:

91ÌÒÉ« data breach identifier | Date of data breach | Date 91ÌÒÉ« became aware of data breach | Description of data breach | Type of data breach
N/A: There have been no notifications made in the previous 12 months.

Public reporting of data breaches

Members of the public can report suspected data breaches involving personal information held by 91ÌÒÉ« using the online enquiry form.