Data Breach Policy

Section 1 - Purpose of Policy

(1) Part 6A of the Privacy and Personal Information Protection Act 1998 (PPIP Act) establishes the NSW Mandatory Notification of Data Breach Scheme (MNDB Scheme), which introduces obligations and responsibilities when dealing with a data breach, including its assessment, management and notification in accordance with legislative requirements.

(2) The purpose of this Policy is to set out:

(3) This Policy is implemented by the Data Breach Response Plan.

(4) This Policy and the Data Breach Response Plan are aligned with the Privacy Policy and Privacy Management Plan, the Cybersecurity Policy and Cybersecurity Incident Response Plan, and critical incident management processes.

Section 2 - Application and Scope

(5) All staff and affiliates must comply with this Policy.

(6) This Policy applies to all data that is in the possession or control of the University and/or data that is the responsibility of the University under the State Records Act 1998.

(7) The MNDB Scheme applies where an eligible data breach has occurred involving personal information and/or health information.

(8) This Policy does not apply to related entities. Related entities have their own policies and procedures for the management of data breaches.

Section 3 - Reporting a Data Breach

(9) An individual who becomes aware of a suspected or known data breach at the University is to immediately notify:

Section 4 - Examples of a Data Breach

(10) Unauthorised access by staff, or sharing of data between teams within the University without the relevant authority.

(11) Human error, such as:

(12) System failure, such as:

(13) Malicious or criminal attack, such as:

Section 5 - Responding to a Data Breach

(14) Where there are reasonable grounds to suspect that a data breach has occurred, the University must:

(15) Where a data breach has been assessed as an eligible data breach, the University must:

(16) Each data breach should be assessed on a case-by-case basis, and a response determined according to the circumstances associated with the breach.

(17) The University will comply with all relevant statutory guidelines issued by the NSW Information and Privacy Commission (IPC) under Part 6A of the PPIP Act.

(18) The Data Breach Response Flowchart at Appendix A details the steps to be undertaken in dealing with a data breach.

(19) The Data Breach Escalation Matrix at Appendix B provides the reporting and escalation pathway for dealing with a data breach.

(20) The Data Breach Report Form at Appendix C is to be completed for all data breaches.

(21) Further information regarding the steps that the University will take to respond to a data breach is set out in the Data Breach Response Plan.

Section 6 - Data Breach Response Team

(22) The Information Compliance Unit is responsible for receiving reports of a data breach, triaging, and leading the response as appropriate (in accordance with the Escalation Matrix at Appendix B). Further responsibilities of the Information Compliance Unit are addressed in Section 10 of this Policy.

(23) Where required, the Data Breach Response Team will be convened and will include key subject matter experts, depending on the nature and impact of the data breach. Key subject matter experts may include:

(24) The Data Breach Response Team will be convened in the event of a data breach, or a suspected or potential eligible data breach, and will coordinate the response in accordance with the Data Breach Response Plan.

Section 7 - Notification

(25) The MNDB Scheme requires that the University notify affected individuals and the Privacy Commissioner when there has been an eligible data breach.

(26) The University has 30 days from the date it becomes aware of a possible data breach to assess whether that data breach is an eligible data breach. While making this assessment, all reasonable attempts must be made to mitigate any harm already done.

Notification to individuals

(27) Once the University decides there has been an eligible data breach, it must, to the extent that it is reasonably practicable, take steps to notify each individual to whom the Information the subject of the breach relates (the affected individuals) about that breach, taking into consideration the facts and circumstances of the breach. Limited exemptions may apply to this requirement, as detailed in sections 59S to 59X under Part 6A of the PPIP Act. The University will comply with the applicable statutory guidelines issued by the NSW Information and Privacy Commission (IPC) as they apply to the relevant exemptions.

(28) The University may also consider notifying affected individuals of a data breach as a matter of best practice, regardless of whether the breach is an eligible data breach.

(29) The communication standards outlined in the University’s Crisis and Critical Incident Communication Plan (CCIP) will be applied to ensure that objectives, goals and tasks are completed and expectations are managed with all affected individuals and stakeholders. Communications will be developed in consultation with the Advancement and Communications Division as required by the CCIP.

Public notification

(30) If the University is unable to directly notify the individuals as described in clause 27, it will publish a public data breach notification on the University’s Public Notification Register (located on its website) and take all reasonable steps to publicise the notification through the appropriate channels available to the University.

(31) The public data breach notification will provide details of:

(32) The public notification will remain on the University’s Public Notification Register for a period of at least 12 months.

Notification to the Privacy Commissioner

(33) In accordance with section 59M of the PPIP Act, where an eligible data breach has taken place (regardless of any applicable exemption) the University must immediately notify the NSW Privacy Commissioner using the Data Breach Notification to the Privacy Commissioner form.

(34) Where a public notification is made on the University’s Public Notification Register, the University will advise the Privacy Commissioner how to access the public notification on its website.

Other notification considerations

(35) In some cases, the University may have reporting obligations under both the NSW MNDB Scheme and the Notifiable Data Breaches Scheme under the Privacy Act 1988. For example, a data breach involving tax file numbers (TFNs) that is likely to result in serious harm would be reportable to both the Office of the Australian Information Commissioner and the NSW Information and Privacy Commission (IPC).

(36) Depending on the circumstances of the data breach, the University will ensure that any reporting obligations arising under other laws or administrative arrangements are addressed as part of its data breach response actions. Examples of organisations that may need to be notified under such arrangements include:

(37) Further information regarding the steps that the University will take is set out in the Data Breach Response Plan.

Section 8 - Recordkeeping Requirements

(38) The University will maintain appropriate records to provide evidence of the management of a data breach and to meet its recordkeeping obligations under the State Records Act 1998.

(39) The Data Breach Report Form at Appendix C provides the mechanism to capture, monitor, analyse and review the severity of suspected or actual data breaches, along with the effectiveness of the response methods.

(40) The University will also establish and maintain an internal register of all data breaches. Where an eligible data breach has occurred, the following details will be captured, in compliance with obligations under the MNDB Scheme:

Section 9 - Preparation for a Data Breach

(41) The University is committed to ensuring, as far as practicable, that the data it holds is secure from potential data breaches in accordance with the Privacy Policy and Privacy Management Plan.

(42) The University is committed to regularly reviewing, maintaining and testing its systems and procedures in accordance with the Cybersecurity Policy and other information technology data security and disaster recovery policies.

Review and update

(43) This Policy and the Data Breach Response Plan will be reviewed, tested and updated annually, as well as after every data breach response, to address any improvement opportunities that have been identified.

(44) The review schedule will be aligned with the review schedules for cyber security incident response and critical incident management review processes.

Training and awareness

(45) Staff training and awareness activities will be undertaken to describe:

(46) The University’s MNDB Scheme webpage contains:

Data breach provisions in supplier contracts / other collaboration agreements

(47) Where the University proposes to share data with a contractor, agent or consultant engaged to undertake work for or with the University (Third Party), it will take reasonable steps to ensure that the Third Party has robust practices in place to protect the data and prevent its unauthorised use or disclosure.

(48) The University will make all reasonable efforts to include provisions in its contracts and agreements with Third Parties requiring them to promptly report data breaches to the University, take mitigating actions and assist the University in undertaking assessments.

(49) The Privacy Management Plan provides further information regarding the University’s management of third party engagements.

Section 10 - Roles and Responsibilities

(50) The MNDB Scheme assigns various responsibilities to the head of an agency (the person responsible for the agency’s day-to-day management). In accordance with section 59ZJ of the PPIP Act, the head of an agency may delegate the exercise of those responsibilities to relevant staff.

(51) The Vice-Chancellor and President, as the University’s head of an agency, has delegated the exercise of those responsibilities to relevant staff as outlined in this Policy, the Data Breach Response Plan and associated incident management processes.

(52) The Deputy Vice-Chancellor (Strategy and Assurance) is responsible for:

(53) The General Counsel is responsible for:

(54) The Data Breach Response Team is responsible for the exercise of functions as outlined at Section 5 of this Policy.

(55) The Senior Manager, Information Compliance is responsible for:

(56) Line managers are responsible for:

(57) All staff are responsible for:

Section 11 - Definitions

(58)

Section 12 - Appendix A: Data Breach Response Flowchart

(59) Data Breach Response Flowchart

Section 13 - Appendix B: Data Breach Escalation Matrix

(60) Data Breach Escalation Matrix

Section 14 - Appendix C: Data Breach Report Form
Word/Term
Definition
Affiliate
Includes people holding University of Wollongong Honorary Awards as conferred by the University Council, including the awards of Emeritus Professor, Honorary Doctor and University Fellow; people appointed in accordance with the University’s Appointment of Visiting and Honorary Academics Policy; and people engaged by the University as agency staff, contractors, volunteers and work experience students.
Data Breach
Data (whether held in digital or hard copy) is subject to unauthorised access, unauthorised disclosure or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure. A data breach may occur as the result of malicious action, systems failure, or human error. Examples are outlined in section 4 of this Policy.
Data Breach Response Team
A team of subject matter experts responsible for leading UOW’s initial response to a potential or suspected Eligible data breach in accordance with UOW’s Data Breach Response Plan.
(This includes ensuring that immediate containment measures have been undertaken and that an assessment has been conducted to determine escalation of the breach, where relevant.)
The Data Breach Response Team will be led by a suitably qualified SME who has sufficient authority and expertise to carry out the required response actions.
Eligible data breach
An ‘eligible data breach’ under the MNDB Scheme requires two tests to be satisfied:
There is an unauthorised access to, or unauthorised disclosure of, Personal information or Health information held by the University or there is a loss of Personal information or Health information held by the University in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information, and
A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates
Health information
Health information, for the purpose of this policy, refers to health information defined in HRIPA (or as amended in HRIPA from time to time) as:
“(a) personal information that is information or an opinion about:
(i) the physical or mental health or a disability (at any time) of an individual, or
(ii) an individual’s express wishes about the future provision of health services to him or her, or
(iii) a health service provided, or to be provided, to an individual, or
(b) other personal information collected to provide, or in providing, a health service, or
(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or
(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or
(e) healthcare identifiers”
Information
Health information and/or personal information as the context permits
Line Manager
Staff who directly or indirectly supervise another Staff member or hold a leadership role
Personal information
Personal information, for the purpose of this policy, refers to personal information defined in PPIPA (or as amended in PPIPA from time to time) as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”
Under PPIPA, personal information does not include:
information about an individual that is readily available in a publicly available publication; and
information or an opinion about an individual’s suitability for appointment or employment as a public sector official.
Public Notification Register
A register, made available on the University’s website, that contains details of an Eligible data breach so that individuals are adequately informed about the breach, are able to determine whether they may be affected and take action to protect their Information.
Related Entities
UOW Global Enterprises and UOW Pulse
Sensitive information
A subclass of Personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.
Serious Harm
Serious harm occurs where the harm arising from an ‘eligible data breach’ has resulted, or may result, in a real or substantial detrimental effect to the individual.
Harm to an individual includes physical harm; economic, financial or material harm; emotional or psychological harm; reputational harm; and other forms of serious harm that a reasonable person would identify as a possible outcome of the data breach.
Staff
All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis. For the purpose of this policy any reference to Staff is to be understood to mean both Staff and/or Affiliates.