Data Breach Policy

1. Introduction

This Data Breach Policy (Policy) sets out an overview of Department of Creative Industries, Tourism, Hospitality and Sport (the Department, DCITHS, us, we or our) procedures in relation to detecting, responding to, managing notifying and reporting eligible data breaches in accordance with the Mandatory Notification of Data Breach Schedule (the MNDB Scheme) under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act). 

This policy complies with section 59ZD of the PPIP Act. This Policy provides a framework for DCITHS’s compliance with MNDB Scheme.

Staff should consult internal procedures for detailed guidance on how to respond to a data breach in accordance with this Policy. 

The purpose of this Policy is to set out how DCITHS will respond to data breaches involving personal information. While not all data breaches will be eligible data breaches, DCITHS takes all data breaches seriously and will assess each data breach in accordance with this Policy.

2. Definitions

3. Scope

This Policy applies to and must be adhered to and implemented by:

• all DCITHS permanent full time, part time, volunteer, trainee and temporary employees and staff authorised to access DCITHS information systems and assets;
• any consultants and persons or organisations authorised to administer, develop, manage and support DCITHS information systems and assets; and
• third party supplier, vendors, contractors and hosted managed service providers.

All Staff have a responsibility to notify the Director Legal, Information & Privacy of any data breach immediately on becoming aware that a data breach has occurred and provide information about the data breach in accordance with procedures in our Data Breach Response Plan.

4. What is an eligible data breach?

A data breach occurs when there has been unauthorised access to, unauthorised disclosure of or loss of personal information (including health information) held by (or on behalf of) DCITHS or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) DCITHS.

A data breach may occur as the result of a malicious action, systems failure or human error. A data breach may occur also because of misconception as to whether a particular act or practice is permitted under PPIP Act.

Examples of data breaches include:

• Malicious or criminal attack
  • Cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to or theft of personal information.
  • Social engineering or impersonation leading into inappropriate disclosure of personal information. Insider threats from agency employees using their valid credentials to access or disclose personal information outside the scope of their duties or permissions.
  • Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information.
• System fault
  • Where a coding error allows access to a system without authentication, or results in automatically generated notices including the wrong information or being sent to incorrect recipients.
  • Where systems are not maintained through the application of known and supported patches.
• Human error​​​​​​​
  • When a letter or email is sent to the wrong recipient.
  • When system access is incorrectly granted to someone without appropriate authorisation. When a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information is lost or misplaced.
  • When staff fail to implement appropriate password security, for example not securing passwords or sharing password and log in information.

If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is an ‘eligible data breach’.

Serious harm occurs where harm arising for the eligible data breach has or could result in a real and substantial detrimental the effect on an individual and includes serious physical, psychological, emotional, financial, or reputational harm.  Examples of harms include identity theft, financial loss or blackmail, threats to personal safety, loss of business or employment opportunities, humiliation, stigma, embarrassment, damage to reputation or relationships, discrimination, bullying, marginalisation, or other forms of disadvantage or exclusion.

Assessment of the likelihood of serious harm from a data breach is an objective test. That is ‘likely to result’ (as defined above) means the risk of serious harm to an individual is more probable than not.

5. Process for managing a data breach

DCITHS takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information. DCITHS has established a range of policies and processes for preventing and managing data breaches.

DCITHS has a Data Breach Response Plan for detailed guidance on how to respond to a data breach in accordance with this Policy.

DCITHS has in place information security policies which provide guidance to staff around the handling and storage of personal information. For example, DCITHS’s Code of Ethics and Conduct has specific provisions on privacy obligations, including in relation to the authorised access, disclosure and storage of personal information. The Code also has provisions on the handling of information, including in relation to the confidentiality, misuse and security of information, and on records management. DCITHS’s Information Security Policy has provisions on information access and security and that staff must use information on a ‘need to see basis’.

DCITHS’s security measures further include the use of restricted drives and authorised access. For example, correspondence containing personal information is stored in a DCITHS records management system with restricted access and editing privileges.

Personal information is kept for no longer than is necessary and is disposed of in a secure manner once no longer required, in accordance with government requirements.

6. Data breach response and reporting

DCITHS will consider a number of factors in assessing a data breach including the NSW Privacy Commissioner’s statutory guidelines and will engage the following steps in response to all data breaches:

Step 1: Contain the data breach and conduct a preliminary assessment

• Immediately take all realistic steps to contain the breach and limit any further access or distribution of the affected personal information.
• Conduct preliminary fact-finding about the breach.
• Make a preliminary assessment of the risk posed by the data breach.
• For high risk rated data breaches, the Director Legal, Information & Privacy will activate and escalate to the Breach Response Team to oversee the remainder of the response.

The Breach Response Team will consist of:

• The Deputy Secretary, Engagement Operations & Governance with responsibility for final approval on decisions and proposals by the Breach Response Team.
• Director Legal, Information & Privacy who will lead the assessment, mitigation and notification of the data breach.
• General Counsel who will identify and advise on any legal obligations and support the drafting of notifications and communications issued under this Policy.
• Chief Information Officer who will liaise with any related ICT partners as required to obtain and provide information into the cause and impacts of the data breach.
• Any internal or external expertise and incident response advisors the Breach Response Team determines are required to complete the assessment and mitigation of the data breach.

Step 2: Evaluate and mitigate the risks associated with the data breach

• As soon as practicable, take remedial action to prevent or lessen the likelihood that the breach will result in harm to any individual.
• Complete an assessment of the harm that may eventuate from the breach
• Consider requirements under any third party agreements and third party organisations or agencies whose data may be affected
• For high risk data breaches, the Breach Response Team should consider whether to involve any other internal or external parties such as:
  • ID Support
  • law enforcement agencies, NSW Police Force and/or Australian Federal Police
  • IDCare
  • Financial services providers
  • Professional associations, regulatory bodies
  • The Office of Australian Information Commission where data breach may involve tax file numbers or agencies under Federal jurisdiction
  • Cyber Security NSW, and/or the Australian Cyber Security Centre.

Step 3: Notify and communicate

• If the breach is assessed as eligible data breach, on the advice of the Breach Response Team, the appropriate communications messaging templates and procedures in the Data Breach Response Plan will be used to notify the Privacy Commissioner and affected individuals where required.
• Notification is required by law under the PPIP Act and may also be required under Federal Privacy Act 1988 (Cth).
• In accordance with section 59O of PPIP Act, the notification will include the following specific information, if reasonably practicable:
  • The date the data breach occurred
  • A description of the data breach
  • How the data breach occurred
  • The type of data breach that occurred
  • The personal information included in the data breach
  • The amount of time the personal information was disclosed for
  • Actions that have been taken or are planned to secure the information, or to control and mitigate the harm
  • Recommendations about the steps an individual should take in response to the data breach
  • Information about complaints and review of agency conduct
  • The name of the agencies that were subject to the data breach
  • Contact details for the agency subject to the data breach or the nominated contact person in relation to the data breach

Step 4: Prevent future data breaches

• For any high risk or medium risk breaches the Director Legal, Information & Privacy will submit a report to the Breach Response Team outlining the organisational response and mitigation plan.
• A post incident review of the process used for the data breach, after it has been handled, will be conducted, reported to the Breach Response Team and the Deputy Secretary with details of any recommendations.

Step 5: Record keeping requirements

• DCITHS will maintain an internal register of all eligible date breaches impacting DCITHS.
• DCITHS will maintain a public notification register on the DCITHS website. This will be a public notification register of eligible data breaches where DCITHS is unable to notify, or it is not reasonably practicable to notify affected individuals.

For further detailed requirements of our internal and external reporting, DCITHS staff must consult our Data Breach Response Plan.

7. DCITHS staff awareness

To ensure that DCITHS staff are and remain aware of their obligations under the MDNB Scheme, DCITHS will:

• prepare and notify staff of our Data Breach Response Plan and publish it and any additional relevant awareness material in a prominent place on the DCITHS intranet;
• provide training on this Policy and our Data Breach Response Plan to raise awareness and appreciation of these privacy obligations generally;
• provide refresher and on-the-job training as required;
• highlight and promote the Policy and our Data Breach Response Plan; and
• provide privacy briefing and awareness sessions in appropriate Senior Executive forums.

8. Further information and contacts

For further information about this Policy, an eligible data breach on the public notification register or if you have any concerns, please contact the Director Legal, Information & Privacy:

Director Legal, Information & Privacy
DCITHS
Level 9, 52 Martin Place
Sydney NSW 2001

Email:  information@dciths.nsw.gov.au  

For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:

NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000

Phone: 1800 472 679
Web:  www.ipc.nsw.gov.au 
Email:  ipcinfo@ipc.nsw.gov.au

Variation

The Department may amend this policy from time to time as appropriate.