Procedures and systems for managing data breaches
This policy establishes a process for reporting, managing and responding to data breaches, including notifications to the Privacy Commissioner and affected individuals. The policy also includes steps for reviewing and developing remedies to help prevent future data breaches.
There is a range of systems, external relationships and procedures employed by NESA for preventing and managing data breaches. NESA’s IT network and related infrastructure and systems are secured and managed by its Information and Communications Technology (ICT) directorate, which has implemented a number of cyber security measures to reduce the risk of data breaches. This has included projects to update IT assets and develop staff capabilities, with a focus on cyber security.
NESA has implemented regular cyber security training for all NESA staff (including information about threat trends and data loss prevention) as well as relevant training and procedures to ensure that personal and sensitive information is adequately protected.
NESA continues to review the training needs of staff with respect to data breaches, to ensure that all staff have access to relevant training related to risks, reporting, managing and responding to data breaches under the MNDB Scheme. NESA will also take reasonable steps to ensure that all third-party providers who store personal or health information on behalf of NESA are aware of the MNDB Scheme and of the obligation under this policy to report any data breaches to NESA.
The risk of a cyber security incident (which may involve a data breach) has been included within NESA’s risk register. This includes plans to mitigate this type of risk and its impact on NESA’s systems, data and stakeholders. NESA conducts an annual cyber security simulation to test responsiveness to a cyber attack on NESA’s IT systems. Cyber security and information security experts are included as participants and advisers in such exercises.
NESA also maintains an internal register of data breaches which, after review and analysis of the causes of data breaches and appropriate changes to systems and policies, can assist in preventing future data breaches.