What is an eligible data breach?
A data breach occurs when personal information held by an agency (whether held in digital or hard copy) is subject to unauthorised access, unauthorised disclosure or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure.
This may or may not involve disclosure of personal information external to the agency, or publicly. For example, unauthorised access to personal information by an agency employee, or unauthorised sharing of personal information between teams within an agency may amount to a data breach.
A data breach may occur as the result of malicious action, systems failure, or human error. A data breach may also occur because of a misconception about whether a particular act or practice is permitted under the Information Protection Principles (IPPs) or Health Privacy Principles (HPPs).
Examples of data breaches can include:
Human error
- When a letter or email is sent to the wrong recipient.
- When system access is incorrectly granted to someone without appropriate authorisation.
- When a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information is lost or misplaced.
- When staff fail to implement appropriate password security, for example not securing passwords or sharing a password or other log-in information.
Systems failure
- Where a coding error allows access to a system without authentication, or results in automatically generated notices including the wrong information or being sent to incorrect recipients.
- Where systems are not maintained through the application of known and supported patches.
Malicious or criminal attack
- Cyber incidents such as ransomware, malware, hacking, phishing, or brute force access attempts resulting in access to or theft of personal information.
- Social engineering or impersonation leading to inappropriate disclosure of personal information.
- Insider threats from agency employees using their valid credentials to access or disclose personal information outside the scope of their duties or permissions.
- Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information.
The MNDB Scheme applies where an eligible data breach has occurred. For a data breach to constitute an eligible data breach under the MNDB Scheme, there are two tests to be satisfied:
- there is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency, or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information; and
- a reasonable person would conclude that the access to, or disclosure of, the information would be likely to result in serious harm to an individual to whom the information relates.
The definition of personal information under the MNDB Scheme includes both ‘personal information’ as defined in section 4 of the PPIP Act and ‘health information’ as defined in section 6 of the HRIP Act. This means that for the purposes of the MNDB Scheme, ‘personal information’ means ‘information or an opinion ... about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’, and this includes information about an individual’s physical or mental health, disability, and information connected to the provision of a health service.
The term ‘serious harm’ is not defined in the PPIP Act. Harm that can arise as the result of a data breach is context-specific and will vary based on:
- the type of personal information accessed, disclosed or lost, and whether a combination of types of personal information might lead to increased risk;
- the level of sensitivity of the personal information accessed, disclosed or lost;
- the amount of time the information was exposed or accessible, including the amount of time information was exposed prior to the agency discovering the breach;
- the circumstances of the individuals affected and their vulnerability or susceptibility to harm (that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm);
- the circumstances in which the breach occurred; and
- actions taken by the agency following the breach, to reduce the risk of harm.
Serious harm occurs where the harm arising from an eligible data breach results, or may result, in a real and substantial detrimental effect on the individual. The effect on the individual must be more than mere irritation, annoyance, or inconvenience.
Harm to an individual includes physical harm, economic, financial or material harm, emotional or psychological harm, reputational harm, and other forms of serious harm that a reasonable person in the agency’s position would identify as a possible outcome of the data breach.