Effective privacy breach management underpins this obligation and assists us to prevent further incidents and avoid or reduce potential harm to affected individuals and can prevent future breaches.
About the DCS Data Breach Policy
The Policy outlines the processes to contain, assess, manage and notify an eligible data breach under the Mandatory Notification of Data Breach (MNDB) scheme established by Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act). Notifying individuals affected by a privacy breach can enable them to take steps to mitigate the consequences of the breach. It is also a positive step DCS can take to help rebuild trust with the affected individuals. Notifying the Privacy Commissioner improves oversight of the data breach response, from initial notification through to additional learnings that arise in notifying individuals. Notification also allows the Privacy Commissioner to provide a more comprehensive report to government and Parliament on data breaches experienced across the NSW public sector.
What is a data breach?
A data breach occurs where there is:
- an unauthorised access to, or unauthorised disclosure of, personal or health information held by a public sector agency or,
- a loss of personal or health information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information.
What is an eligible data breach?
The MNDB Scheme applies where an ‘eligible data breach’ has occurred.
For a data breach to constitute an ‘eligible data breach’ under the MNDB scheme, two tests must be satisfied:
- There is an unauthorised access to, or unauthorised disclosure of, personal or health information held by a public sector agency, or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information, and
- A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to any of the individuals to whom the information relates.
Whether a data breach is ‘likely to result’ in serious harm requires a determination from the perspective of a reasonable person and on the facts of the specific breach in question. Serious harm to an individual may include, but is not limited to, serious physical harm; economic, financial or material harm; emotional or psychological harm; and emotional, financial or reputational harm.
Serious harm occurs where the harm arising from the eligible data breach has resulted, or may result, in a real and substantial detrimental effect to the individual. That is, the effect on the individual must be more than mere irritation, annoyance, or inconvenience.
Data Breach Response Procedure
DCS maintains a Data Breach Response Procedure (Procedure) document which sets out the roles and responsibilities for managing the response to a data breach. The Procedure provides guidance for how DCS will manage and respond to a data breach and includes:
- steps DCS staff need to take to contain, assess, report and review data breaches quickly, and mitigate potential harm to affected individual(s)
- more details on roles and responsibilities of DCS staff when responding to a data breach
- guidance on when to notify data breaches to individual(s), as well as the NSW Privacy Commissioner.
DCS has controls in place to ensure it is prepared in the event of a data breach:
- mandatory staff training on our obligations under privacy legislation
- internal resources to help staff identify and report a suspected data breach
- a regular forum of privacy practitioners from across the Department to discuss learnings from breaches and opportunities to strengthen data breach management
- maintaining and continually improving information security management systems that comply with ISO/IEC 27001:2022 standard
- aligning our obligations under the Cyber Security Policy
- adopting best practice in electronic and paper records management and complying with our obligations under the State Records Act 1998 (NSW), including keeping information for only as long as necessary
- providing mandatory information security awareness training to DCS employees
- provisions in contracts to require contractors and third-party providers to assist DCS in complying with our obligations under privacy legislation, notification and management of data breaches.
To support compliance with the PPIP Act, DCS staff must respond to a data breach in accordance with the DCS Data Breach Response Procedure which is updated from time to time and includes the following four stages of responding to a data breach.
- Report and advise
- Assess and mitigate the associated risks to determine the next steps
- Consider notification to the Privacy Commissioner and affected individuals, where applicable
- Review and report on the breach
The Procedure is aligned with this Policy and the DCS Privacy Management Plan and applies to all DCS staff and covers all data breaches involving personal and/or health information held by DCS.
Roles and responsibilities
All DCS staff are responsible for immediately reporting a suspected or actual data breach to their Team Leader/Manager or the DCS privacy team.
A Breach Management Team (BMT) may be stood up by the relevant Privacy Lead to respond to complex data breaches. The BMT is constituted in accordance with the Data Breach Response Procedure and can be scaled depending on the size of the data breach, the resources required to respond, and the number of agencies affected. It can be made up of DCS staff from across relevant areas such as Legal, Information Security and Communications, as well as from other agencies as required, for example law enforcement or Commonwealth agencies that may assist in responding to the breach. The BMT will act as the single point of management of the breach and coordinate with external agencies. The head of the BMT will assess the need for and provide notification to the Privacy Commissioner and individuals.
Team Leaders and Managers should review existing processes and identify how internal controls could be strengthened. This helps ensure the incident is contained and reduces the risk of it happening again in the future. They must also notify their Privacy Lead or the DCS Privacy team.
It is the Head of Agency or their delegate’s responsibility to assess whether the breach is an eligible data breach and if so, notify the Privacy Commissioner and affected individuals.
Privacy Leads are a central point of contact within a business area in all matters related to privacy. In the event of a data breach, the Privacy Lead manages the relevant area’s breach response and provides advice to the Business Team Leader/Manager reporting the incident.
Record keeping requirements
Records of data breaches are stored and maintained in accordance with DCS Records Management policies and procedures. The Privacy Lead or BMT coordinates record keeping for each data breach, including maintenance of the DCS Data Breach Register.
Data breach register
DCS maintains an internal register for data breaches, including eligible data breaches. For eligible data breaches where we are unable or it is not practicable to notify individuals, DCS will publish a notification on our website. The Data Breach Register is a requirement under the MNDB Scheme and includes details of the following:
- Who was notified of the breach
- When the breach was notified
- The type of breach
- Details of steps taken by DCS to mitigate harm done by the breach
- Details of the actions taken to prevent future breaches
- The estimated cost of the breach.
Information about every data breach is recorded regardless of whether a BMT is formed or the breach amounts to an eligible data breach. Tracking data breaches allows DCS to monitor, analyse and review the type and severity of suspected breaches along with the effectiveness of the response methods. DCS will use this information to identify and improve weaknesses in security or processes.
Where we may not notify
We may not notify individuals in certain circumstances including:
- where multiple agencies are involved in an eligible breach and one of those agencies has provided notification
- where an eligible data breach would prejudice an ongoing investigation and certain proceedings
- where DCS has taken action before the data breach results in harm or loss to individuals
- where notification results in serious harm to an individual
- where compliance would be inconsistent with secrecy provisions of other legislation
- where compliance would result in serious risk of harm to health and safety
- where compliance would worsen DCS’ cyber security or lead to further data breaches.
Post-breach review and evaluation
Following a data breach, the Privacy Lead or BMT undertakes a post-breach review and drafts a report outlining the cause of the breach and identifying strategies to address any weaknesses in data handling that may have led to the breach.
The post-breach review assesses DCS’ response to the breach and should consider:
- an investigation of the cause of the breach
- implementing a strategy to identify and address any weaknesses in data handling that contributed to the breach
- updating the Data Breach Response Procedure if necessary
- making appropriate changes to policies and procedures if necessary
- revising staff training practices if necessary
- the option of an audit to ensure necessary outcomes are effected
- whether the response team needs other expertise
- the preservation of evidence to determine the cause of the breach or allowing the Privacy Commissioner to take appropriate corrective action
- a communications or media strategy to manage public expectations and media interest.
Contact Information
If you suspect that your personal and/or health information has been breached by DCS, you can contact the DCS Privacy Team at privacy@customerservice.nsw.gov.au
Related policies and legislation
| Category | Documents |
| --- | --- |
| Legislative compliance | Commonwealth Legislation; New South Wales Legislation |
| Supporting documents | DCS Data Breach Response Procedure; DCS Privacy Management Plan; DCS Privacy Management Framework; DCS Data Privacy Incident Response Template |
| Related documents | DCS Risk Management Policy; Information Data Governance Framework; Information Security Policy; Procurement manual for DCS; DCS Code of Ethics and Conduct; DCS Crisis Management Plan; DCS Records Management Policy |