Data Breach Policy roles and responsibilities
All NESA staff and contractors are responsible for reporting any data breach at NESA within one business day of becoming aware that a data breach has occurred, including the type of breach and the date and circumstances of the data breach.
Staff roles and responsibilities under this policy

| Position title | Roles and responsibilities under the policy |
| --- | --- |
| All NESA employees, contractors and contracted service providers | All NESA employees, contractors and service providers are responsible for immediately reporting a suspected data breach in accordance with this policy. |
| CFO | Responsible for implementing this policy. Exercises the functions of the ‘head of the public sector agency’ with respect to NESA, under Part 6A of the PPIP Act, including those related to containment, mitigation, and assessment under Division 2, notification under Division 3 and other related actions. Acts as convener of the DBRG. |
| CIDO | Responsible for investigation and actions to contain and mitigate data breaches affecting (or related to) NESA’s IT and digital systems, providing advice on relevant procedures, preparing data breach reports and proposed actions for effective containment and mitigation. Member of the DBRG. |
| DCE | Responsible for all NESA public information communications issued under this policy, providing advice on communication strategy and relevant procedures, supporting the CFO in notification including notification to affected individuals, public notification, and notification to external reporting agencies. Member of the DBRG. |
| ED, S&C | Overall responsibility for implementation of NESA corporate policies. Where requested by the DBRG, responsible for approving recommended action(s) and for any issues deemed significant and requiring escalation for resolution. Responsible for briefing the CEO. |
The DBRG is to provide the ED, S&C with (i) regular reports on the progress of data breach response and management and (ii) proposed action plans for approval, as appropriate.
The CFO, CIDO and DCE may each, in consultation with other members of the DBRG, establish or update relevant procedures, plans and templates to enable them to fulfil their responsibilities effectively under this policy and to ensure that this policy is implemented.