Data Breach Policy

Section 1 - Purpose of Policy

(1) Part 6A of the Privacy and Personal Information Protection Act 1998 (PPIP Act) establishes the NSW Mandatory Notification of Data Breach Scheme (MNDB Scheme), which introduces obligations and responsibilities when dealing with a data breach, including its assessment, management and notification in accordance with legislative requirements.

(2) The purpose of this Policy is to set out:

  1. the strategies to effectively respond to a data breach at the University to ensure best practice data breach management, reduce possible harm to individuals and organisations and prevent future breaches;
  2. the University’s commitment to complying with the NSW MNDB Scheme;
  3. the roles and responsibilities of the University, the Vice-Chancellor and President and its staff and affiliates, as delegated by the Vice-Chancellor and President.

(3) This Policy is implemented by the Data Breach Response Plan.

(4) This Policy and Data Breach Response Plan are aligned with the Privacy Policy and Privacy Management Plan, Cybersecurity Policy and Cybersecurity Incident Response Plan and critical incident management processes.

Section 2 - Application and Scope

(5) All staff and affiliates must comply with this Policy.

(6) This Policy applies to all data that is in the possession or control of the University and/or data that is the responsibility of the University under the State Records Act 1998.

(7) The MNDB Scheme applies where an eligible data breach has occurred involving personal information and/or health information.

(8) This Policy does not apply to related entities, which have their own policies and procedures for the management of data breaches.

Section 3 - Reporting a Data Breach

(9) An individual who becomes aware of a suspected or known data breach at the University is to immediately notify:

  1. the University’s Service Desk, or +61 2 4221 3000;
  2. the Information Compliance Unit at icu-enquiry@uow.edu.au or +61 2 4221 4368 (during office hours); and
  3. for staff, their appropriate line manager or supervisor.

Section 4 - Examples of a Data Breach

(10) Unauthorised access by staff or sharing of data between teams within the University without relevant authority.

(11) Human error, such as:

  1. letter or email sent to the wrong recipient;
  2. system access is incorrectly granted to someone without appropriate authorisation;
  3. loss of a physical asset such as a paper record, laptop, USB stick or mobile phone containing data that is in the possession, control or the responsibility of the University; or
  4. failure to implement appropriate security measures such as password protection, or sharing passwords and login information.

(12) System failure, such as:

  1. a coding error that allows access to a system without authentication, or that results in automatically generated notices containing incorrect information or being sent to incorrect recipients; or
  2. systems not maintained through the application of known and supported patches.

(13) Malicious or criminal attack, such as:

  1. cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to or theft of data;
  2. social engineering or impersonation leading to inappropriate disclosure of data;
  3. insider threats from agency employees using their valid credentials to access or disclose data outside the scope of their duties or permission; or
  4. theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing data that is in the possession, control or the responsibility of the University.

Section 5 - Responding to a Data Breach

(14) Where there are reasonable grounds to suspect that a data breach has occurred, the University must:

  1. take immediate steps to contain the breach or suspected breach to minimise the possible damage;
  2. report the breach to the Information Compliance Unit, which is authorised to receive and action a report of a suspected or known data breach;
  3. carry out an assessment of the breach to determine what has occurred and whether an eligible data breach has occurred, within 30 days;
  4. make all reasonable attempts to mitigate any harm done by the suspected breach;
  5. consider whether notification under legislation or other policies, procedures or agreements may be required. This may include notification to:
    1. affected individuals;
    2. the Privacy Commissioner;
    3. other regulatory bodies;
    4. third parties with collaborative or contractual ties with the University; and
  6. carry out a post-incident review and preventative efforts, based on the type and seriousness of the breach.

(15) Where a data breach has been assessed as an eligible data breach, the University must:

  1. notify the Privacy Commissioner immediately, using the form approved by the Privacy Commissioner; and
  2. notify affected individuals as soon as practicable. The University may elect to notify either:
    1. all individuals regardless of their risk of harm; or
    2. only those individuals who are likely to suffer serious harm as a result of the data breach that relates to them.

(16) Each data breach is to be assessed on a case-by-case basis, and the response determined according to the circumstances of that breach.

(17) The University will comply with all relevant statutory guidelines issued by the NSW Information and Privacy Commission (IPC) under Part 6A of the PPIP Act.

(18) The Data Breach Response Flowchart at Appendix A provides details of the steps to be undertaken in dealing with a data breach.

(19) The Data Breach Escalation Matrix at Appendix B provides the reporting and escalation pathway in dealing with a data breach.

(20) The Data Breach Report Form at Appendix C is to be completed for all data breaches.

(21) Further information regarding the steps that the University will take to respond to a data breach is set out in the Data Breach Response Plan.

Section 6 - Data Breach Response Team

(22) The Information Compliance Unit is responsible for receiving reports of a data breach, triaging and leading the response as appropriate (in accordance with the Escalation Matrix at Appendix B). Further responsibilities of the Information Compliance Unit are addressed in section 10 of this Policy.

(23) Where required, the Data Breach Response Team will be convened and will include key subject matter experts, depending on the nature and impact of the data breach. Key subject matter experts may include:

  1. Lead coordinator: Senior Manager, Information Compliance or delegate, to lead the response and provide privacy expertise. Where a suspected eligible data breach has occurred, the Senior Manager, Information Compliance will carry out the required actions as outlined at Section 10 of this Policy;
  2. General Counsel: responsible for reporting to the Senior Executive, providing legal support and supporting team members. Where a suspected eligible data breach has occurred, the General Counsel will carry out the required actions as outlined at Section 10 of this Policy;
  3. Records and evidence support: maintaining records of all actions taken by the Data Breach Response Team and providing administrative support;
  4. Technical support: a member of IMTS to facilitate response and containment actions, assist with root cause analysis and provide forensic support;
  5. Communication support: a member of the Advancement and Communications Division to assist with communication to stakeholders and affected individuals, where relevant;
  6. Data Guardian: senior leadership with high-level knowledge, expertise and tactical decision making in data within their responsibility, where relevant;
  7. Data Specialist: business and technical subject matter experts who typically provide ongoing technical support as a part of their day-to-day role, where relevant;
  8. Other staff, depending on the context of the breach.

(24) The Data Breach Response Team will be convened in the event of a data breach, or suspected or potential eligible data breach and will coordinate the response in accordance with the Data Breach Response Plan.

Section 7 - Notification

(25) The MNDB Scheme requires that the University notify affected individuals and the Privacy Commissioner when there has been an eligible data breach.

(26) The University has 30 days from the date it becomes aware of a possible data breach to assess whether that data breach is an eligible data breach. Whilst making this assessment, all reasonable attempts must be made to mitigate any harm already done.

Notification to individuals

(27) Once the University decides there has been an eligible data breach, it must, to the extent that it is reasonably practicable, take steps to notify each individual to whom the Information the subject of the breach relates, or the affected individuals, about that breach, taking into consideration the facts and circumstances of the breach. Limited exemptions may apply to this requirement, as detailed in Sections 59S to 59X under Part 6A of the PPIP Act. The University will comply with the applicable statutory guidelines issued by the NSW Information and Privacy Commission (IPC) as they apply to the relevant exemptions.

(28) The University may also consider notifying affected individuals of a data breach as a matter of best practice, regardless of whether the breach relates to an eligible data breach.

(29) The communication standards as outlined in its Crisis and Critical Incident Communication Plan (CCIP) will be applied to ensure that the objectives, goals and tasks are completed and expectations are managed with all affected individuals and stakeholders. Communications will be developed in consultation with the Advancement and Communications Division as per the requirements of the CCIP.

Public notification

(30) If the University is unable to directly notify the individuals as described in clause 27, it will publish a public data breach notification on the University’s Public Notification Register (located on its website) and take all reasonable steps to publicise the notification through appropriate channels available to the University.

(31) The public data breach notification will provide details of:

  1. the circumstances of the data breach, including a description of the breach and the type of information impacted;
  2. the actions the University has taken or plans to take to control or mitigate the harm to individuals;
  3. steps that an affected individual should consider taking in response to the data breach; and
  4. how the individual may contact the University for any additional information.

(32) The public notification will remain on the University’s Public Notification Register for a period of at least 12 months.

Notification to the Privacy Commissioner

(33) In accordance with section 59M of the PPIP Act, where an eligible data breach has taken place (regardless of any applicable exemption), the University must immediately notify the NSW Privacy Commissioner using the Data Breach Notification to the Privacy Commissioner form.

(34) Where a public notification is made on the University’s Public Notification Register, the University will advise the Privacy Commissioner how to access the public notification on its website.

Other notification considerations

(35) In some cases, the University may have reporting obligations under both the NSW MNDB Scheme and the Notifiable Data Breaches Scheme under the Privacy Act 1988. For example, a data breach involving tax file numbers (TFNs), where it is likely to result in serious harm, would be reportable to both the Office of the Australian Information Commissioner and the NSW Information and Privacy Commission (IPC).

(36) Depending on the circumstances of the data breach, the University will ensure that any reporting obligations arising under other laws or administrative arrangements are included as part of its data breach response actions. Organisations to which such reporting may be required include:

  1. Australian Cyber Security Centre (ACSC);
  2. NSW Police Force;
  3. Australian Federal Police;
  4. Department of Health;
  5. Foreign regulatory agencies;
  6. Professional associations, regulatory bodies or insurers;
  7. Financial service providers; or
  8. Any third party organisations or agencies whose data may be affected.

(37) Further information regarding the steps that the University will take is set out in the Data Breach Response Plan.

Section 8 - Recordkeeping Requirements

(38) The University will maintain appropriate records to provide evidence of the management of a data breach and to meet its recordkeeping obligations under the State Records Act 1998.

(39) The Data Breach Report Form at Appendix C provides the mechanism to capture, monitor, analyse and review the severity of suspected or actual data breaches along with the effectiveness of the response methods.

(40) The University will also establish and maintain an internal register of all data breaches. Where an eligible data breach has occurred, the following details will be captured, in compliance with obligations under the MNDB Scheme:

  1. who was notified of the breach;
  2. when the breach was notified;
  3. the type of breach;
  4. the steps taken by the University to mitigate harm done by the breach;
  5. the actions taken to prevent future breaches; and
  6. the estimated cost of the breach.

Section 9 - Preparation for a Data Breach

(41) The University is committed to ensuring, as far as practicable, that the data it holds is secure from potential data breaches in accordance with the Privacy Policy and Privacy Management Plan.

Review and update

(42) The University is committed to regularly reviewing, maintaining and testing its systems and procedures in accordance with the Cybersecurity Policy and other information technology data security and disaster recovery policies.

(43) This Policy and the Data Breach Response Plan will be reviewed, tested and updated annually as well as after every data breach response to address any improvement opportunities that may have been identified.

(44) The review schedule will be aligned with the review schedule relating to cyber security incident response and critical incident management review processes.

Training and awareness

(45) Staff training and awareness activities will be undertaken to describe:

  1. how to identify a data breach;
  2. what kinds of data breaches may amount to an eligible data breach; and
  3. how to report a data breach.

(46) The University’s MNDB Scheme webpage contains:

  1. details of the kinds of data breaches that may amount to an eligible data breach, the actions to be taken in response to a data breach and measures to be taken to prevent future data breaches;
  2. this Policy, including the Data Breach Response Flowchart found at Appendix A, the escalation process for effective management of a data breach at Appendix B and the Data Breach Report Form found at Appendix C;
  3. the Data Breach Response Plan; and
  4. links to the IPC resources relating to data breaches and the MNDB Scheme.

Data breach provisions in supplier contracts / other collaboration agreements

(47) Where the University proposes to share data with a contractor, agent or consultant engaged to undertake work for/with the University (Third Party), it will take reasonable steps to ensure that the Third Party has robust practices in place to protect the data and prevent its unauthorised use or disclosure.

(48) The University will take all reasonable efforts to include provisions in its contracts and agreements with the third party to promptly report data breaches to the University, take mitigating actions and assist the University in undertaking assessments.

(49) The Privacy Management Plan provides further information regarding the University’s management of third party engagement.

Section 10 - Roles and Responsibilities

(50) The MNDB Scheme assigns various responsibilities to the head of an agency (the person responsible for the agency’s day to day management). In accordance with section 59ZJ of the PPIP Act, the head of an agency may delegate the exercise of those responsibilities to relevant staff.

(51) The Vice-Chancellor and President, as the University’s head of an agency, has delegated the exercise of those responsibilities to relevant staff as outlined in this Policy, the Data Breach Response Plan and associated incident management processes.

(52) The Deputy Vice-Chancellor (Strategy and Assurance) is responsible for:

  1. deciding whether a data breach is an eligible data breach, or there are reasonable grounds to believe the data breach is an eligible data breach;
  2. escalating data breach response actions to the Critical Incident Management Team, as appropriate;
  3. making determinations regarding the application of any exemptions and approval of any extension periods, as outlined in the MNDB Scheme; and
  4. where the University is unable to notify, or it is not practicable to notify, any or all of the affected individuals, making a determination to publish a public notification via the University’s Public Notification Register.

(53) The General Counsel is responsible for:

  1. conducting an assessment of whether the data breach is, or there are reasonable grounds to believe the data breach is, an eligible data breach, within 30 days after being made aware that a data breach has occurred;
  2. where an assessment confirms an eligible data breach, escalating the assessment to the Deputy Vice-Chancellor (Strategy and Assurance);
  3. notifying the Privacy Commissioner immediately in the approved form, if the data breach is an eligible data breach;
  4. notifying each individual to whom the information the subject of the breach relates, or each affected individual;
  5. providing written notice to the Privacy Commissioner regarding the application of any exemptions, any extension periods, or how to access any public notifications made by the University, as outlined in the MNDB Scheme;
  6. identifying whether other external notification is required, i.e. to law enforcement or other third parties;
  7. identifying legal obligations and providing advice, as required.

(54) The Data Breach Response Team is responsible for the exercise of functions as outlined at Section 5 of this Policy.

(55) The Senior Manager, Information Compliance is responsible for:

  1. receiving data breach notifications and confirming preliminary assessment reports;
  2. assessing the containment and/or remediation measures already undertaken (if any) and taking further actions as required to mitigate any further compromise of the data;
  3. where a preliminary assessment confirms a suspected or known eligible data breach, escalating the preliminary assessment to General Counsel;
  4. making a determination to convene the Data Breach Response Team, in consultation with the General Counsel. Where a determination has been made to convene the Data Breach Response Team, the following actions will be conducted by the Senior Manager, Information Compliance in the capacity of lead coordinator of the team:
    1. ensuring data breach response actions are conducted in accordance with this policy and the Data Breach Response Plan;
    2. ensuring that all response actions are recorded in the Data Breach Report Form and retained in accordance with the Records Management Policy;
    3. ensuring any relevant evidence of the data breach is preserved and securely stored, as appropriate;
    4. conducting and leading the post-response assessment of the University’s response to the data breach;
  5. establishing, maintaining and recording data breaches on the University’s internal data breach register;
  6. managing any complaints received as a result of the data breach;
  7. reviewing, testing and updating this policy at least annually.

(56) Line managers are responsible for:

  1. receiving notifications of a suspected or known data breach and taking local immediate containment steps to prevent any further compromise of the data;
  2. conducting an initial assessment of the data breach, notifying the relevant data guardian and consulting with the Information Compliance Unit to determine appropriate response actions;
  3. completing the relevant sections in the Data Breach Report Form at Appendix C;
  4. where a data breach can be/is being managed appropriately locally, ensuring that the completed Data Breach Report Form is submitted to the Information Compliance Unit and retained in accordance with the Records Management Policy;
  5. participating in response actions, in accordance with this policy and associated incident management processes.

(57) All staff are responsible for:

  1. reporting any suspected or known data breaches immediately, as per section 3 of this Policy;
  2. assisting in response actions in accordance with this Policy and the Data Breach Response Plan.

Section 11 - Definitions

(58)

Affiliate
  Includes people holding University of Wollongong Honorary Awards as conferred by the University Council, including the awards of Emeritus Professor, Honorary Doctor and University Fellow; people appointed in accordance with the University’s Appointment of Visiting and Honorary Academics Policy; and people engaged by the University as agency staff, contractors, volunteers and work experience students.

Data Breach
  Data (whether held in digital or hard copy) is subject to unauthorised access or unauthorised disclosure, or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure. A data breach may occur as the result of malicious action, systems failure or human error. Examples are outlined in section 4 of this Policy.

Data Breach Response Team
  A team of subject matter experts responsible for leading UOW’s initial response to a potential or suspected eligible data breach in accordance with UOW’s Data Breach Response Plan. This includes ensuring that immediate containment measures have been undertaken and that an assessment has been conducted to determine escalation of the breach, where relevant. The Data Breach Response Team will be led by a suitably qualified SME who has sufficient authority and expertise to carry out the required response actions.

Eligible data breach
  An ‘eligible data breach’ under the MNDB Scheme requires two tests to be satisfied:
    1. there is unauthorised access to, or unauthorised disclosure of, Personal information or Health information held by the University, or there is a loss of Personal information or Health information held by the University in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information; and
    2. a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.

Health information
  Health information, for the purpose of this policy, refers to health information as defined in HRIPA (or as amended in HRIPA from time to time):
  “(a) personal information that is information or an opinion about:
    (i) the physical or mental health or a disability (at any time) of an individual, or
    (ii) an individual’s express wishes about the future provision of health services to him or her, or
    (iii) a health service provided, or to be provided, to an individual, or
  (b) other personal information collected to provide, or in providing, a health service, or
  (c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or
  (d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or
  (e) healthcare identifiers”

Information
  Health information and/or Personal information, as the context permits.

Line Manager
  A staff member who directly or indirectly supervises another staff member or holds a leadership capacity.

Personal information
  Personal information, for the purpose of this policy, refers to personal information as defined in PPIPA (or as amended in PPIPA from time to time):
  “Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”
  Under PPIPA, personal information does not include:
    1. information regarding an individual who has been deceased for more than 30 years;
    2. information about an individual that is readily available in a publicly available publication; and
    3. information or an opinion about an individual’s suitability for appointment or employment as a public sector official.

Public Notification Register
  A register, made available on the University’s website, that contains details of an eligible data breach so that individuals are adequately informed about the breach, are able to determine whether they may be affected, and can take action to protect their Information.

Related Entities
  UOW Global Enterprises and UOW Pulse.

Sensitive information
  A subclass of Personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.

Serious Harm
  Serious harm occurs where the harm arising from an ‘eligible data breach’ has resulted, or may result, in a real or substantial detrimental effect to the individual. Harm to an individual includes physical harm; economic, financial or material harm; emotional or psychological harm; reputational harm; and other forms of serious harm that a reasonable person would identify as a possible outcome of the data breach.

Staff
  All people employed by the University, including conjoint appointments, whether on a continuing, permanent, fixed term, casual, cadet or traineeship basis. For the purpose of this policy any reference to Staff is to be understood to mean both Staff and/or Affiliates.
Section 12 - Appendix A: Data Breach Response Flowchart

(59) Data Breach Response Flowchart

Section 13 - Appendix B: Data Breach Escalation Matrix

(60) Data Breach Escalation Matrix

Section 14 - Appendix C: Data Breach Report Form

(61) Data Breach Report Form