Data Breach Policy

Purpose and Scope

Our office is committed to protecting the personal information it holds and ensuring compliance with the Information Privacy Act 2009 (IP Act) and the Mandatory Notification of Data Breaches scheme. This Data Breach Policy outlines the steps our office will take to respond to a data breach, including suspected or confirmed eligible data breaches. This policy applies to all employees, contractors, and volunteers of our office in relation to their work and their related dealings with each other, customers, clients, and other stakeholders. It complements our internal privacy, cybersecurity, and recordkeeping policies. This policy incorporates our response plan to provide a structured and practical approach to managing data breaches within our office.

Definitions

Data breach

An event where personal information is accessed, disclosed, or lost in a way that is unauthorised or unintended.

Eligible data breach

A data breach that is likely to result in serious harm to any individual whose information is involved, as defined under the IP Act.

Mandatory notification of data breaches scheme (MNDB scheme)

The scheme for notifying eligible data breaches, established under the IP Act.

Personal Information

Information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:
  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not (for example, whether or not it is in a written form, image, video, audio).

Personal information also includes sensitive information. Sensitive information is about racial or ethnic origin, political opinions, religious beliefs, health, and more (as defined in Schedule 5 of the Information Privacy Act 2009).

Serious harm

Encompasses significant detrimental effects that could result from a data breach, including but not limited to:

  • identity theft
  • significant financial loss
  • threats to physical safety
  • serious psychological harm (e.g., humiliation, severe distress)
  • serious harm* to an individual's reputation.

*The assessment of serious harm considers various factors, including the sensitivity of the information, the security measures in place, and the nature of the individuals affected.

Policy statement

We will respond promptly and effectively to any data breach to minimise harm, comply with legal obligations, and improve our systems and processes. We will maintain a register of eligible data breaches and ensure all staff are aware of their responsibilities under this policy.

Roles and responsibilities

Executive Director

  • Oversees the implementation of this policy, coordinates responses to data breaches, and ensures compliance with the IP Act.

Manager, Corporate Services

  • Reports any data breach that is also a cybersecurity incident and implements the Cybersecurity Management Plan if required. Coordinates the Data Breach response, conducts risk assessments, and escalates incidents to the Data Breach Response Team.

Data Breach Response Team (DBRT)

  • A multidisciplinary team convened to manage significant data breaches. Members may include representatives from leadership, complaints, policy and communications teams.

All staff

  • Required to report suspected breaches immediately to the Manager, Corporate Services and their own manager.

Responding to a data breach

We will follow a 6-stage process to respond to data breaches:

  1. Preparation
    • Maintain up-to-date policies, procedures, and training to ensure readiness to respond to data breaches.
    • Ensure all staff understand their responsibilities under this policy.
    • Establish clear reporting lines and escalation points, including the activation of the DBRT.
  2. Identification
    • Detect and identify potential data breaches through established monitoring and reporting mechanisms.
    • Escalate suspected breaches to the Manager, Corporate Services for assessment.
    • If necessary, the Manager, Corporate Services will escalate the matter to the DBRT for further action.
  3. Containment and Mitigation
    • The DBRT will take immediate steps to contain the breach and prevent further unauthorised access or disclosure. Examples of containment actions include disabling compromised systems, revoking access credentials, or isolating affected networks.
    • Mitigate potential harm to affected individuals and systems by recovering lost data, securing physical records, or implementing additional security measures.
  4. Assessment
    • Assess the nature and scope of the breach, including whether it meets the threshold for an Eligible Data Breach under the IP Act. This will include considering: the type and sensitivity of the information involved, the potential harm to affected individuals and the likelihood of the breach resulting in serious harm.
    • Categorise the breach as low, medium, or high risk based on the agency’s risk management framework.
    • Document the findings and decision-making process.
  5. Notification
    • If a breach is determined to be an Eligible Data Breach, notify affected individuals, the Office of the Information Commissioner (OIC), and other relevant parties.
    • Ensure notifications are clear, timely, and include all required information under the IP Act. Notifications will include:
      • a description of the breach
      • the type of information involved
      • steps individuals can take to protect themselves
      • contact details for further assistance.
  6. Post-breach review and remediation
    • Conduct a review to identify lessons learned and implement improvements to prevent future breaches.
    • Update systems, processes, and this policy as necessary.
    • Implement recommendations from the review and ensure they are documented in the Eligible Data Breach Register.

Recordkeeping

We will maintain a register of eligible data breaches in accordance with section 72 of the IP Act. This register will include details of each breach, the response, and any notifications made. All records will be managed in compliance with the Public Records Act 2002 (Qld).

Training and awareness

We will provide regular training to staff on this policy and their responsibilities in relation to data breaches. This will include guidance on identifying and reporting breaches and understanding the MNDB scheme.

Review and maintenance

This policy will be reviewed annually or following a significant data breach to ensure it remains effective and compliant with legislative requirements. The Manager, Corporate Services is responsible for maintaining and updating this policy.

Related legislation and policies

  • Information Privacy Act 2009 (Qld)
  • Privacy Act 1988 (Cth)
  • Crime and Corruption Act 2001
  • Victims’ Commissioner and Sexual Violence Review Board Act 2024

Contact information

For questions or further information about this policy, please contact our Manager, Corporate Services at privacy@victimscommissioner.qld.gov.au.

External contact

Office of the Information Commissioner: Phone: 07 3234 7373 | Email: enquiries@oic.qld.gov.au