Data Breach Policy introduction

The purpose of this policy is to provide guidance to NESA staff members on responding to data breaches of NESA-held data, in accordance with the requirements of the Privacy and Personal Information Protection Act 1998 (the 'PPIP Act'). NESA acknowledges the use of the IPC Guide to Preparing a Data Breach Policy and the IPC Data Breach Policy, in preparing this policy.

This policy sets out how NESA will respond to data breaches involving personal information and outlines NESA’s approach to complying with the MNDB Scheme. NESA treats all data breaches seriously, including those which are not deemed ‘eligible data breaches’. This policy includes detail about:

• what constitutes an eligible data breach under the PPIP Act;
• strategies for containing, mitigating and assessing data breaches;
• roles and responsibilities for reporting, assessment and management of eligible data breaches and data breaches more broadly; and
• the steps involved in responding to a data breach and reviewing systems, policies and procedures to prevent future data breaches.

Under the NSW Mandatory Notification of Data Breach (MNDB) Scheme set out in Part 6A of the PPIP Act, public sector agencies bound by the Act are required to notify the Privacy Commissioner and affected individuals of eligible data breaches. Agencies are also required to prepare and publish a data breach policy to assist in responding to breaches, as well as maintaining an internal register and public notification register of eligible data breaches.

Effective breach management, including notification, assists NESA to avoid or reduce harm to affected individuals, organisations and NESA, and can help prevent future breaches.