Reporting and responding to a data breach
The NESA Chief Financial Officer (CFO) is to be informed of all data breaches to ensure the application of this policy, including any notifications required to the Privacy Commissioner and affected individuals for eligible data breaches.
A suspected data breach must be reported to the relevant NESA manager or supervisor immediately, so that the CFO can be informed. An initial report may also be made to the NESA Privacy Officer or the Chief Information and Digital Officer (CIDO), in which case they are to inform the CFO as soon as practicable.
The CFO will coordinate with the CIDO to address and respond to identified data breaches related to NESA IT and digital information systems, including those managed by external service providers.
There are five key steps required in responding to a data breach under this policy:
- Initial report of data breach and triage
- Contain the breach
- Assess and mitigate
- Notify
- Review.
Each step is set out in further detail below. The first four steps should be carried out concurrently where possible. The final step helps provide recommendations for longer-term solutions and prevention strategies.
Step 1: Initial report and triage
A NESA staff member, manager, contractor or third-party provider is to notify the CFO immediately after becoming aware that a data breach has occurred. To the extent known, the following information should be provided to the CFO:
- the date of the breach
- the type of data breach, as per examples given in section 4 of this policy
- a brief description of the breach and how it occurred
- the information that was the subject of the breach (especially any personal information)
- the length of time for which any personal information was disclosed or accessible to unauthorised parties
- individuals and organisations that may be affected by the breach
- any steps taken thus far to contain the breach or mitigate its effects.
The CFO, in consultation with other members of the DBRG and the NESA Privacy Officer as required, will review the information provided to determine whether the breach is, or may be, an eligible data breach under the MNDB Scheme. The CFO is to complete (or may request from the CIDO, where appropriate in the circumstances) a brief report about the data breach with recommended actions.
Where a data breach has occurred, the CFO is to confer with other DBRG members before deciding whether to convene the DBRG to undertake steps 2-5 in the process of responding to a data breach. The CFO may also consider convening the DBRG where a data breach involves highly sensitive information, has a high risk of harm to individuals or affects more than one individual. Members of the public are also encouraged to report any data breaches to NESA in writing by using the contact options available on the NESA website. The CFO is to include the necessary details of all eligible data breaches in the Internal Data Breach Register, in accordance with section 59ZE of the PPIP Act.
Step 2: Contain the breach
If a third party is in possession of the data and declines to return it, it may be necessary for NESA to seek legal or other advice on what action can be taken to recover the data. When recovering data, NESA will make sure that copies have not been made by a third party or, if they have, that all copies are recovered, deleted or destroyed. This can include receiving written confirmation from a third party that the copy of the data they received in error has been permanently deleted. For example, where a breach has occurred by email sent to an incorrect recipient, NESA is to take all reasonable steps to ensure that the recipient has permanently deleted (from all folders) the email and all attachments, including by seeking written confirmation of deletion from the recipient.
Step 3: Assess and mitigate
To determine what other steps may be required, the CFO is to appoint one or more persons to carry out an assessment of the data breach, as provided in Division 2 of the MNDB Scheme. This will include assessing the type of data involved in the breach, the risks and potential for serious harm associated with the breach and deciding whether the breach is an eligible data breach under the MNDB Scheme.
Where appropriate (for example, where the breach has involved a cyber incident), the CIDO is to prepare a brief report on the initial steps taken to investigate and contain the breach, with recommended actions for mitigation. The CIDO is to provide the report to the CFO, who will review the proposed actions and recommendations of the report prior to the report being provided to the DBRG for consideration and approval.
Depending upon the nature or scope of a data breach, the DBRG may elect to consult with the ED, S&C, either to seek approval for recommended actions or to allow consideration of any significant issues that may require further escalation. The DBRG will be responsible for coordinating the implementation of any approved actions and recommendations, as may be appropriate in the circumstances. All data breach reports and related action plans and approvals are to be stored in NESA’s electronic records management system (TRIM).
Some types of data are more likely to cause harm if they are compromised. For example, sensitive personal information and health information will be more significant than names and email addresses on a newsletter subscription list. Given the nature of NESA’s functions and responsibilities, release of any personal information is treated very seriously.
A combination of data will typically create a greater potential for harm than a single piece of data (for example, an address, date of birth and bank account details, if combined, could be used for identity theft).
Factors to consider include:
- Who is affected by the breach? NESA’s assessment will include reviewing:
  - whether individuals and organisations have been affected by the breach
  - how many individuals and organisations have been affected
  - whether any of the individuals have personal circumstances which may put them at particular risk of harm.
- What was the cause of the breach? NESA’s assessment will include reviewing whether the breach occurred as part of a targeted attack or through inadvertent oversight. Questions include:
  - was it a one-off incident, has it occurred previously, or does it expose a more systemic vulnerability?
  - what steps have been taken to contain the breach?
  - has the data or personal information been recovered?
  - is the data or personal information encrypted or otherwise not readily accessible?
- What is the foreseeable harm to the affected individuals/organisations? NESA’s assessment will include reviewing what possible use there may be for the data or personal information. This involves considering:
  - the type of data in issue (e.g. whether it is health information or personal information subject to special restrictions under s.19(1) of the PPIP Act)
  - whether it could be used for identity theft, or result in a threat to physical safety, financial loss, or damage to reputation
  - who is in receipt of the data?
  - what is the risk of further access, use or disclosure, including via media or online?
  - does it risk embarrassment or harm to vulnerable NESA stakeholders (or others)?
  - does it risk damage to NESA’s reputation?
- Guidance issued by the Privacy Commissioner on assessing eligible data breaches. Upon becoming aware of a possible eligible data breach, NESA will take into account all relevant guidance issued by the NSW Privacy Commissioner (e.g. under section 59I, assessors must have regard to the guidelines about the process for carrying out an assessment).
To mitigate the breach, NESA may consider measures such as:
- implementation of additional security measures within NESA’s own systems and processes to limit the potential for misuse of compromised information;
- limiting the dissemination of breached personal information, for example by scanning the internet to determine whether the lost or stolen information has been published and seeking its immediate removal from public sites; and
- engaging with relevant third parties to limit the potential for breached personal information to be misused for identity theft or other purposes, or to streamline the re-issue of compromised identity documents, for example by contacting an identity issuer or financial institution to advise caution when relying on particular identity documents for particular cohorts.
Step 4: Notify
If an eligible data breach has occurred or is taken to have occurred, the notification process under Division 3 of the MNDB Scheme is triggered. There are four elements of the notification process:
1. Notify the Privacy Commissioner immediately after an eligible data breach is identified, using the approved form.
2. Determine whether an exemption applies: Where an exemption under Division 4 of the MNDB Scheme applies in relation to an eligible data breach, there may be no requirement for NESA to notify affected individuals. The following exemptions are set out in Division 4:
   - exemption for eligible data breaches of multiple public sector agencies (under section 59S of the PPIP Act)
   - exemption relating to ongoing investigations and certain proceedings (under section 59T of the Act)
   - exemption if public sector agency has taken certain action (under section 59U of the Act)
   - exemption if inconsistent with secrecy provisions (under section 59V of the Act)
   - exemption if serious risk of harm to health and safety (under section 59W of the Act)
   - exemption for compromised cyber security (under section 59X of the Act).
   Note: The Privacy Commissioner has produced guidelines on the operation of certain exemptions contained within Division 4, to which agencies must have regard.
3. Notify individuals: Unless an exemption applies, notify affected individuals or their authorised representative as soon as reasonably practicable.
4. Provide further information to the Privacy Commissioner (under section 59Q of the Act).
NESA recognises that notification to individuals and organisations affected by a data breach can assist in mitigating harm to those affected individuals and organisations. Notification demonstrates a commitment to open and transparent governance, consistent with NESA’s approach.
Where a data breach is not an eligible data breach under the MNDB Scheme, NESA may still consider notifying individuals and organisations about the breach, depending upon the type of information involved, the risk of harm, repeated and/or systematic issues and the ability of an individual or organisation to take steps to avoid or remedy harm.
NESA acknowledges the requirement to mitigate the harm done by a suspected breach under section 59F of the PPIP Act and recognises that prompt notification may assist individuals to mitigate such harm while an assessment of the breach is ongoing. Once approved, notification should be undertaken promptly to help avoid or reduce harm by enabling individuals and organisations to take steps to protect themselves.
The method of notifying affected individuals/organisations will depend in large part on the type and scale of the breach, as well as practical issues such as timely access to contact details for affected individuals/organisations.
Notification may be provided following approval given by the CFO or the DBRG (where deemed appropriate in the circumstances). The MNDB Scheme also requires an agency to take reasonable steps to notify affected individuals in the event of an eligible data breach as soon as practicable.
When to notify
Individuals affected by an eligible data breach are to be notified as soon as practicable, following approval given by the CFO (or the DBRG, where deemed appropriate). While this policy sets a target for NESA to notify affected individuals within five business days, practical factors are also recognised. Where NESA is unable to notify any or all individuals affected by an eligible data breach or where it is not reasonably practicable to do so, NESA will publish a notification on its website, under section 59P of the PPIP Act.
How to notify
Affected individuals should be notified directly – by telephone, letter, email or in person. Indirect notification – such as information posted on NESA’s website, a public notice in a newspaper, or a media release – should generally occur only when the contact information of affected individuals is unknown, or where direct notification is prohibitively expensive or may cause further harm (for example, by alerting a person who stole a laptop computer about the value of the information contained within it). Any public notification of an eligible data breach is to be published on the public notification register on NESA’s website, in accordance with section 59P(3) of the PPIP Act.
What to say
Section 59O of the PPIP Act sets out specific information that must, if reasonably practicable, be included in a notification in relation to each eligible data breach:
- the date the breach occurred;
- a description of the breach;
- how the breach occurred;
- the type of breach that occurred;
- the personal information involved in the breach;
- the length of time for which the personal information was disclosed or accessible;
- actions that have been taken or are planned to secure the personal information, or to control and mitigate the harm to the individual;
- recommendations about the steps the individual should take in response to the breach;
- information about making privacy-related complaints and about internal reviews of agency conduct;
- the name of the agency the subject of the breach;
- if more than one agency was the subject of the breach, the names of any other agencies involved; and
- contact details for (i) the agency the subject of the breach or (ii) a person nominated by the agency for an individual to contact about the breach.
Other obligations including external engagement or reporting
NESA will also have regard to whether notification is required under other laws or administrative arrangements, or by contract, to take specific steps in response to a data breach. These may include taking specific containment or remediation steps or notifying or engaging with external stakeholders (in addition to the Privacy Commissioner), where a data breach occurs.
Depending on the circumstances of the data breach this may include:
- NSW Police Force and/or Australian Federal Police, where NESA suspects a data breach is a result of criminal activity;
- Cyber Security NSW, the Office of the Government Chief Information Security Officer and the Australian Cyber Security Centre, where a data breach is a result of a cyber security incident;
- the Office of the Australian Information Commissioner (OAIC), where a data breach may involve agencies, or data related to agencies, under Commonwealth jurisdiction (e.g. tax file numbers);
- NSW Department of Customer Service, where a data breach has the potential to affect the operation of the NESA website or related data holdings;
- any third-party organisations or agencies whose data may be affected;
- financial services providers, where a data breach includes an individual’s financial information;
- professional associations, regulatory bodies or insurers, where a data breach may have an impact on these organisations, their functions or their clients/members; and
- the Australian Cyber Security Centre where a data breach involves malicious activity from a person or organisation based outside Australia.
Step 5: Review
NESA will further investigate the circumstances of the breach to determine all relevant causes and consider what short- or long-term measures may be taken to prevent a data breach recurring. Depending on the nature of the breach, this step may be completed as part of the assessment and mitigation of the breach carried out under the first four steps, as detailed in Step 3 above.
Preventative actions could include a:
- ‘root cause’ analysis of the breach, followed by removal or mitigation of the causes identified
- review of NESA’s IT and digital systems and remedial actions to prevent future data breaches
- security audit of both physical and technical security controls
- review of relevant policies and procedures
- review of relevant staff/contractor training requirements
- review of contractual obligations with contracted service providers.
Any recommendations to implement preventative actions are to be approved by the appropriate executive authority within NESA. Consideration may also be given to referring relevant matters to NESA’s Audit and Risk Committee.